Risk Management and Compliance » Web 2.0

Whitehouse has released a cybersecurity plan

admin — Fri, 13 May 2011 19:26:14 +0000

Image via Wikipedia

The Whitehouse has release a cybersecurity plan. “White House Cybersecurity Plan: What You Need To Know” (http://www.huffingtonpost.com/2011/05/12/white-houses-cybersecurity-plan_n_861382.html). Perhaps the administration is finally waking up to the need.

According to the press release they say “Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” The Administration has since taken significant steps to better protect America against cyber threats. As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.”

There are a couple of key elements to the proposed legislation:

Protecting the American People

National Data Breach Reporting. Proposal to help businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements. (I personally do not think we will have 1 national privacy policy anytime soon. States rights!!)
Penalties for Computer Criminals. Clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure

Protecting our Nation’s Critical Infrastructure

Voluntary Government Assistance to Industry, States, and Local Government. Proposal to enable DHS to quickly help a private-sector company, state, or local government in a breach
Voluntary Information Sharing with Industry, States, and Local Government. Proposal to help entities share information. ( Sure ATT will share information with Sprint and Bank of America will share information with the government)
Critical Infrastructure Cybersecurity Plans. Proposal to enable transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.(Thats way to vague)

Protecting Federal Government Computers and Networks

Management. Update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks. (They definitely need this now!).
Personnel. Recruit and retain highly-qualified cybersecurity professionals. (With reduced funding for education, we will probably have to recruit from China)
Intrusion Prevention Systems. Implement better IDS systems. (Imagine having to read all the log files from all the government agencies, need to outsource this effort)
Data Centers. Embrace Cloud Computing. (if you use cloud computing, you will rely on Facebook for your security requirements?)

New Framework to Protect Individuals’ Privacy and Civil Liberties

The Administration does propose protecting civil liberties. Can the plan be any worse that everyone giving away all their information anyway on Facebook, Twitter, LinkedIn etc?

White House Releases Cybersecurity Plans (informationweek.com)

Social Media Warfare: Are you attacking or defending?

admin — Tue, 07 Sep 2010 01:33:06 +0000

: Image via CrunchBase

Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now. So it should be an obvious “YES” that Social Media warfare exists. But is that true? To get to a full blown war opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective, we are in world war three, many opposing sides, lots of new and improved weapons, completely escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment. This new war will require new tactics and defense strategies.

I think we have seen the first skirmishes of the war. It started with all the spammers morphing their tools into Facebook and Twitter hacking. Then moving into phishing. Then into negative attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber warfare started? But why is this war inevitable?

The attack vectors in the Social Media War are probably categorized into personal use and corporate use. If these are the assets that needs to be protected, we can then figure out how the assets will be attacked, how will the enemies do reconnaissance, what alliances will be formed and what should be the defense strategies and weapons for defense.

The progression of of this war will follow different patterns and there is probably no end in sight.

Action	Personal	Corporate
Skirmish	Home users receiving spam and phishing attacks and scams	Corporate users seeing more phishing attacks, attackers going through Linkedin profiles
Protest Actions	Users might complain to attorney generals, or write nasty messages about Microsoft Adobe or Apple security weaknesses	The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs or event countries about originating attacks.
Negotiations	There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing.	Companies definitely do not want to negotiate. But will see blackmail more and more.
Failed Negotiations	The home user is bascially screwed anyway.	Succumbing to blackmail will only lead down a bad path.
Declaration of War	This is a defacto state with the home user. They are at war whether they know it or not.	Companies have to take a proactive approach to security versus reactive. Anticipate the next types of attacks and have a budget to address it.
Launch Attacks and Defend	More defend, get your anti-spyware, antivirus, personal firewalls and encryption up to speed. But after that, understand how attackers use Social Media.	Spend massive amounts of money on understanding how so fight in the Social media landscape, security hardware and software are not enough.
Allies Join the War	The home user can only rely on the Social media companies for basic security.	Their will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.
Years of Conflict – Never Ending	Whats the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the Social Media venues anyway.	A company can only rely on the right process to secure their social media usage. As technologies change and new sites go live, a good process and social media security policy is all you can rely on.
Winner	The ISP, they get to sell bandwidth.	The VCs who fund companies like Facebook and Twitter.

I will get into more tactics in the coming war in future posts.

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Public gives approval for cyber warfare (v3.co.uk)
Social Media Wars – The Google vs. Facebook Employment War Gets Messy (GALLERY) (trendhunter.com)

What is Social Media INSecurity?

admin — Wed, 24 Mar 2010 17:30:54 +0000

: Image via CrunchBase

The trends in Social Media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well more corporate. Or more like many people shouting in a bar, you are all in close proximity, but you can’t distinguish the individual conversations, you can’t make out who people really are or who is a potential quality relationship.

How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc. Twitter is a bit different obviously, but that’s a whole other story. Now you are also getting bombarded with corporate Fanpages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.Social Media Security is really more about Insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. This can be true data loss. Now its pretty much everywhere. You can find a person’s LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it’s not.With the advent of location based services, we will see physical insecurity based on social media usage. A recently popular site Please Rob Me http://pleaserobme.com has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on twitter or a deranged Ex-boyfriend following you based on the events you are attending on Facebook? It’s easy to see how you can give away all your personal information without event thinking of it. Trends towards making information available will lead to Insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this Social Media Insecurity?

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

The Seven Deadly Sins of Social Media (markevanstech.com)
The Age of Social Networks (briansolis.com)
Facebook Roundup: FTC, Design Changes, Nestlé, URLs and More (insidefacebook.com)
Cloud Computing Elasticity Drives Social Media (web2.sys-con.com)
Use Google Analytics to Track Inbound Links from Social Media Profiles (thecustomercollective.com)
13 Essential Social Media Lessons for B2B Marketers from the Masters (mashable.com)
Social Media Engagement Starts with Monitoring (bettercloser.com)

Ponemon Institute Cyber megatrends – Some Additions Needed

admin — Sun, 29 Nov 2009 00:17:38 +0000

Ponemon Institute recently released their Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same Network Security Assessment requirements in many cases.

Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009