Home 2012

CSPF Announces Second Annual Women In Security Lecture Series

The Canadian Security Partners’ Forum (CSPF) is preparing
their second Women in Security Lecture Series to be held Feb 7, 2013. Building
on the momentum of last year’s sold-out-event, CSPF will be hosting the event
at the Hampton Inn, Ottawa, ON. With tickets going on sale just a week ago and nearly
150 tickets already being sold, it looks like they will have another sell out on their hands.  
The main premise of CSPF is to build strong networks and
the Lecture Series is no different. CSPF has partnered with firmly established
and recognized associations including Canadian Women in Technology (CanWIT),
ASIS Women in Security Council, Women in Security Ontario (WiSO), and Key Women
in Security (KeyWIS).
The Lecture Series is dedicated to women in security
mainly as a tribute to the associations that are part of the Series, but the
event is open to both women and men. Last year 45% of attendees were men.

The
CSPF has been mapping the needs of the cybersecurity and security communities
to build out a comprehensive agenda for the Lecture Series. 
Key topics being
covered at the event include:
  • Cybersecurity
  • Security Risk Management
  • CSO/CISO Training & Education
  • Security & Academia
  • The relationship between security & intelligence
  • Security as a driver of shareholder value
  • Summarizing
    relationship between national security & corporate security

The panel was
specifically selected to represent depth of knowledge as well as breadth of
experience. They will bring their extensive knowledge and compelling experience
(National Security Council, US Department of Energy, Central Intelligence
Agency) to make the discussions both informative and practical.

The list of
elite presenters includes:
LISA GORDON-HAGERTY, MPH 
    – Founder, CEO, LEG Inc. 
    – Named to Fortune Magazine’s Most Powerful Women
in 2004, 2005 & 2006 
    – Served on the White House National Security
Council (NSC) as Director for Combating Terrorism 
    – Former Director, Office of Emergency Response, US
Department of Energy 
    – Former Acting Director, Office of Weapons Surety,
responsible for the safety and security of the American  
      nuclear weapons program 
DJENANA CAMPARA 
    – President and CEO of KDM Analytics; 
    – Author of System Assurance: Beyond Detecting
Vulnerabilities (2011) 
    – 25+ years of experience and leadership in
software and security engineering 
    – Board Member for the Object Management Group
(OMG), an international standard body 
    – Co-Chair, OMG Architecture-Driven Modernization
Task Force and System Assurance Task Force 
    – Member of the SAS Technical Advisory Panel of
National Institute for Standards and Technology (NIST) 
For more
information and to register visit: http://cspfwomeninsecurity2013.eventbrite.ca/

Enhanced by Zemanta

How to stay off the list of Top Breaches 2013

An example of theft. Someone took everything e...
An example of theft. Someone took everything except for the front wheel. (Photo credit: Wikipedia)

As the saying goes there is always something to be learned from every success
and failure, what we can take away from the top breaches of 2012 is a
list of what to do to avoid similar breaches and ensure you’re not on the list
for 2013.
Below is a list of what we felt were the most significant:

  1. Segment and divide your networks. Don’t
    have the prisoners on the same network as the guards. Related breach: New
    Hampshire Department of Corrections prisoners accessed guard’s database.
  2. When you have a database make sure you watch who is accessing, what they
    are accessing and from where they are accessing. Related breach: New York State Electric & Gas
    Co. had 1.8 million files exposed due to unauthorized access by contractor.  
  3. Create alerts for large amounts of data being moved. Related breach:
    South Carolina Health and Human Services had employee steal the records of about
    228,000 people by emailing it to himself. 
  4. Use a trusted, private corporate courier for sensitive data. Related breach: California Department of Social Services microfiche damaged after sent
    through U.S. Postal Service. 
  5. Limit access to and storage/transfer of large amounts of data and only
    to non-mobile devices. Related breach: NASA laptop stolen with thousands of
    employee’s personally identifiable information. 
  6. All reports that are to be made public should be vetted by senior or
    security staff for sign off ensuring the report doesn’t contain any sensitive
    information. Related breach: Wisconsin Department of Revenue staff members
    posts report with sensitive material on website with public access. 
  7. When making major changes with data storage include a security
    assessment: Does your new set up meet the standards of the old system? It
    should exceed the old not be a step back. Apply same security if not more to
    backup information as for primary source. Related breach: California Department
    of Child Support Services lost more than 800,000 sensitive records on backup
    tape when shipped by FedEx and files fell off truck. 
  8. Update employee awareness and training. Related breach: University of
    North Carolina-Charlotte exposed 350,000 personal data files “accidentally made
    available for three months.”  
  9. Sensitive data should be encrypted in case it is hacked. Related breach:
    Zappos had their network hacked but hackers couldn’t use information because it
    was encrypted. 
  10. Protect
    your network against SQL injection attack by working with best practices. Related breach: United States Navy & DHS website was hacked by Blind SQL injection
    attacks.

eSecurityPlanet offers a comprehensive article that outlines four methods to prevent a SQL
injection attack.  

  • Filter user data for context, such as email addresses should be filtered
    to allow only the characters allowed in email address
  • Use a web application firewall
  • Limit database privileges by context by creating multiple database user
    accounts
  • Use
    SQL variable binding with prepared statements or stored procedures

What are you adding to your check list?

Editorial comment: We’ve received feedback about point #10 not being relevant as it is a known fact and not a needed reminder. Excellent point, unfortunately that isn’t what we saw when we reviewed the lists of top breaches for 2012. On one list of top ten, two of the breaches were caused by SQL injection. 

Related articles

Enhanced by Zemanta

Best of Breaches 2012 – Did you make the list?

Nortel
Nortel (Photo credit: secretlondon123)

This is the time of year you see the ‘best of’ lists popping
up everywhere. Lists of top breaches are no exception. Two excellent sources that
review and offer some insight into their listed breaches include Tom’s IT Pro
and Network World. Both lists include breaches that achieved fame for the
extent of the damage or publicity.

One of the more significant breaches was the Nortel breach
that remained undetected for 10 years. The hackers secured passwords for seven
Nortel executives. This allowed the hackers access to view and steal “technical
papers, R&D data, emails, plans and other sensitive corporate intellectual
property and trade secrets.” Although the full extent of the damage has not been
fully disclosed, or possibly been understood by Nortel, the breach leaves several
questions about the security measures used. Were there no noticeable changes in
network behaviour?
The Las Vegas Strip World of Coca-Cola museum ...
Did the executives not change their password on a regular
basis in 10 years?
While reading these lists I’m left wondering how many more
breaches occurred but didn’t make the list because they were never disclosed to
the public. For example Bloomberg published a list of breaches that weren’t previously
made public such as Coca Cola and the British energy group BG Group Plc.
How do you keep yourself off the list of 2013 breaches?
In part two of this blog we’ll follow up with a look at what
we can learn from these experiences with a compilation of tips to add to your security
checklist. 

Enhanced by Zemanta

Increase Efficiency, Reduce Workload

Efficiency Medal
Efficiency Medal (Photo credit: Wikipedia)

As is often the case, if you want something done and done
well you find someone who is already busy to do it. Security executives are no
exception. They are recognized as competent, successful and fully loaded with
projects and responsibilities. Their list keeps growing with the expanding need
for more and more security steps, measures and processes with the ever-changing
threat landscape.
One recent study by specialty recruiters in the UK,
Randstad, found that most IT technicians and engineers
are working the equivalent of 7.5 day’s work during their typical work week.
They often are working on weekends to fit in the extra hours. They’re receiving
the same pay for doing the work of one and a half staff. The instability of the
economy is causing many to take on the extra work.
One of the best responses to
a maximized schedule is to find tools that will enhance the results while not
adding to the workload. One resource proven to be extremely helpful to
security executives is the Nemesis advanced malware protection service. It allows them to do a health check of their network security with minimal
time and energy commitment.
Nemesis was designed to make
life easier for security executives. It takes less than 20 minutes to
configure.

The dashboard offers a quick
view of the number of sites that are used for Command & Control, phishing, fraud, malware distribution and a number of other malicious categories. Each one of these communications is blocked so your data and
system are safe and can’t be used for malicious purposes.
Nemesis also:
  • Protects all
    internet enabled devices, regardless of operating system
  • Prevents malware
    from entering a network
  • Identifies existing
    infiltrated systems on your network
  • Alerts and reports
    on all malicious activity across your network
  • Disables
    communication to Command & Control channels rendering the malware harmless
  • Delivers
    easy to read data in dashboard and report format so remediation can begin

Wondering if Nemesis should be added to your security
team? We’ll help you assess if Nemesis is a good match.
Call us today for a free trial of Nemesis and let us help
you increase your network security without increasing your workload.
Click here to register for a trial or call us 1.877.331.6835 ext 2. 
Enhanced by Zemanta

CounterMeasure|2012

We
proudly sponsored CounterMeasure|2012 this year and found it lived up to all our
expectations.

The quality of the event was impressive, especially considering it was its
first year, and drew in attendees, presenters and vendors from across Canada
and the U.S. It was of course great to meet up with colleagues and old friends, but having a conference like this in Canada’s capital is not just important. It’s necessary.

Public Safety Minister Vic Toews says Canada is going to take cyber security seriously, with budget additions and action plans, but there is more to it than that, and alliances and cooperation have to take place outside governments as well. That’s where conferences like CounterMeasure come in, uniting the right minds in security to bring about wide-scale change. Sometimes this starts with the basics.

Some of the CounterMeasure presentations we attended and discussions we participated in were focused on the need for organizations to focus on security fundamentals such as IDS and network segmentation. Other conversations and talks were about the need for collaboration or the scope of the war waged between security professionals on both sides of the game. Some talks drilled down into the details of malware analysis and it was all received very well by the attending community.

There
were a good number of people to connect with over the two days. Good number as
in you weren’t lost in a sea of people but instead had the opportunity to meet
with everyone there. There was the time and space to have a meaningful conversation
and talk about new theories, analysis as well as current events that are making
the news.
CounterMeasure
put a good face on this call for change in security by addressing the current needs and
drawing a broad section of security focused executives, managers and technical
engineers to join in and expand the conversation.
We
look forward to sponsoring, participating and meeting with you at
CounterMeasure|2013. 

Enhanced by Zemanta

Cyber Security Made Easy – Part 5

EP goes mobile - check it out!
National
Cyber Security Awareness month is coming to a close. We’ve already touched on
best practices for email and Twitter direct message links, search engine
searches, WiFi, and passwords.  For our
send off of the month, we offer the following final tips: 
  1.       Update
    your antivirus and all other programs (Microsoft, Adobe, Java, etc.) when you
    receive update notifications. (Double check with the software directly that it
    requires an update as rogue pop ups can mislead you into downloading unwanted
    software.)
  2.       Use
    well formed passwords on your computer, laptop, smart phone, and tablet. Not
    only will this help you avoid being hacked by some cyber-criminal but it can
    also save you from family or friends tweeting or posting how much you love Rick
    Astley. (Don’t ask.)
  3.       Backup
    your data on a regular basis. This can be with an external hard drive or a
    cloud data storage plan. Don’t wait until it’s too late because we WILL say “I
    told you so.”
    4. Angry Birds Space - 082/366
    Angry Birds Space – 082/366 (Photo credit: Frikjan)
  4.    Be
    thoughtful when adding new apps; don’t add unnecessary apps to your phone.  Is it a known trusted source for an app?
    Don’t forget that apps even from trusted sources are used to collect data from
    your laptop, smart phone, and tablet. A recent article in New York Times’ discusses how this is legally still a grey area. Applications that seem so handy and innocent such as  Angry Birds or the one that turns your phone
    into a flashlight, are also collecting personal information, usually the user’s
    location and sex and the unique identification number of the smartphone. What
    is even more unsettling is that “in some cases, they cull information from
    contact lists and pictures from photo libraries.” So think twice before
    downloading that app.

Closing
our series so close to Halloween it seems fitting to mention a scary statistic:
In a recent survey by AT&T and the Polytechnic Institute of New York University, 83% of small businesses allow employees to use personal devices for
work. 
We hope we’ve contributed to your
awareness of security this all important month. Be sure to use what you’ve
learned here all year-round. Be safe out there. The Internet is a spooky place. Why not check out our complimentary Nemesis trial?  

Enhanced by Zemanta

Cyber Security Made Easy – Part 4

English: A Master padlock with "r00t"...The topic of creating great passwords has been visited many
times by many people, yet it remains relevant and important because common
passwords are still too common. As educators often feel the pain of knowledge
falling on deaf ears, we beat this horse once again in hopes that one or two
new pupils may take heed.
Make better passwords!
When creating your list of passwords one tip is to ensure
your password does not rank as one of the world’s most popular passwords such as “Jesus,” “Ninja” and “Qwerty.” 
You can also visit our previous blog that covers the basics
on making passwords more effective. Let’s say that your email password is
“whiskers”, the name of your no doubt lovable cat.  You can easily keep
the familiarity of the password while increasing its effectiveness as a
password.

Old password:  whiskersNew password:  I have loved Whiskers since
2004!

Easy to remember, and vastly more secure than
the original password.  If you can’t use spaces, simply remove them.

English: Sprinkles, chocolate syrup and whippe...
Whenever possible, use words and terms which
can’t be found in a dictionary.  This sounds harder than it is.  You
can use altered spelling, nicknames, and clues instead of the actual term.
Old password: I love icecream
New password: !love1c3cr3am
You can also visit trusted 
opinion leaders such as the Canadian site Get Cyber Safe that
highlights:
  • ·      Don’t stay logged into a site but login each
    time you visit the site
  • ·      Clear browsing history or cache after online
    banking and shopping
  • ·      Avoid using a single dictionary word

Or the American site Stop.Think.Connect. that includes:
  • ·     Keep a separate password for each account
  • ·     Make passwords long and strong including
    capital, lowercase, numbers and symbols
  • ·     Limit how and who has access to what you post by
    using privacy settings on websites and set to your level of comfort

Our next blog will cover a list of resources. 

Enhanced by Zemanta

Cyber Security Made Easy – Part 3

NEW YORK, NY - JULY 11: A free Wi-Fi hotspot ...
NEW YORK, NY – JULY 11: A free Wi-Fi hotspot beams broadband internet from atop a public phone booth on July 11, 2012 in Manhattan, New York City. New York City launched a pilot program Wednesday to provide free public Wi-Fi at public phone booths around the five boroughs. The first ten booths were lit up with Wi-Fi routers attached to the top of existing phone booths, with six booths in Manhattan, two in Brooklyn, and one in Queens. Additional locations, including ones in the Bronx and Staten Island, are to be added soon. (Image credit: Getty Images via @daylife)

With all the talk of cyber
security in the news it is common knowledge that the Internet is not a secure
channel for exchanging information.  Most
people keep this in mind with making their home network secure. Public WiFi
is another story. To see exactly how easy it is to be hacked using
public WiFi, watch the W5 interview. Part one looks at how
easy it is to view someone else’s laptop and part two looks at how easy it is
to access someone’s password for personal banking. 
It is advised when using
public WiFi to avoid logging into areas of the Internet where you may have
sensitive data, such as online banking. As a rule of thumb, when on public
WiFi, pretend everything you are doing is on a giant screen for everyone to
view and all passwords are visible. If you must get on the Internet, when no
familiar and secure network is available, try using your smart phone as a
wireless hotspot instead.
Note: In order to be able to
do this you need to have a data plan that is large enough to support this
option.
Here are the steps for an
iPhone 4G
Step 1: Go to Settings
Step 2: Select Personal
Hotspot
Step 3: Select how you want
to make the connection through Bluetooth, WiFi, or USB.
Step 4: Create password.
Typically it will be 8 characters and you should use best practices including
lower and capital case letters, numbers and symbols.
Step 5: Choose the newly created hotspot from your other
device and key in the password created in the previous step.
In our next installment of
this series we look at best practices for passwords. 

Related articles

Enhanced by Zemanta

Cyber Security Made Easy – Part 2

Image representing Google as depicted in Crunc...
Image via CrunchBase

There
is encouraging news on the horizon for those in the professional security
field. A recently published survey by NCSA and APWG confirms a shift in
attitude towards online security. Not only are people taking it seriously, but
they also view it as their personal responsibility and welcome the opportunity
to learn more. Below are a few key statistics from the survey.

  • 96
    percent of Americans feel a personal responsibility to be safer and more secure
    online.
  • 93
    percent believe their online actions can protect not only friends and family
    but also help to make the Web safer for everyone around the world.
  • 60
    percent believe that much of the online safety and security falls under their
    own personal control, and consistent with those feelings, 90 percent said they
    want to learn more about keeping safer on the Internet

Making
it easier to educate those 90 percent, here’s our overview on how to safely
search the Internet.

What
could possibly go wrong when searching online with a popular search engine? As
with everything if you do it absent-mindedly and click on the first item that
comes up you might end up with more than just the answer to your search, you
might end up with an infected computer.

You
should be able to answer yes to each of the questions below if not then don’t
click on the link.

  1. Is the text that shows up in the preview for the page grammatically correct?
  2. Is the domain a name that you recognize?
  3. Does the domain of the link end with a country tag that has a history of NOT being associated with malware?For
    the complete list of country abbreviations you can source on Wikipedia
  4. Does
    the domain name and the text describing the page seem logical? 
Warning:
don’t click on a link just because it piques your interest because it seems
such a random response to your search. 

Mark Twain
Cover of Mark Twain

Top tips from Google include:

  1. Simple one or two word searches give you the broadest results.
  2. Use common terms for example instead of my head hurts use headache.
  3. Use quotation marks around your search for an exact search. For example searching for “Samuel Clemmens” will not include results for Samuel Langhorne Clemens or Mark Twain.

The
best and easiest advice to give is limit your searching to trusted sites, not
search engines. If you always get your news from three places, go to those
places first when looking for news. If you usually rely on Wikipedia for your
facts, go to Wikipedia and search there. Find some safe zones that you know and
trust and stick to them. It’s when you stray and explore that you can get lost.

Our next blog in this series we’ll look at using WiFi
Enhanced by Zemanta

Hidden security costs: Should Huawei and ZTE be singled out?

the R&D building of Huawei Technology in Shenz...
the R&D building of Huawei Technology in Shenzhen, China. (Photo credit: Wikipedia)

We all
like the price of Chinese goods but now it seems there might be a hidden cost. 

 After
a year-long study the U.S. House Select Committee on Intelligence has warned Americans not to do business with Huawei or  state owned ZTE. When asked by CBS 60 Minutes, if he would do business with Huawei Mike Rogers replied, “If
I were an American today, and I tell this to you as the Chairman of the House Permanent
Select Committee on Intelligence, and you were looking at Huawei I would find
another vendor. If you care about your intellectual property, if you care about
your consumer’s privacy and you care about the national security of the United
States of America.” 

Huawei’s
security issues were also in the news as recently as this past July at DEFCON 2012. Computerworld covers the discussion and lists the main concerns as: there
was no specific contact for security issues, no security advisory updates and there
was no update on bugs found and fixed. The researchers couldn’t comment on any
issues with the “big
boxes” like the Huawei NE series routers because they couldn’t
obtain them. The article ended with a hope that Huawei would follow the lead of American companies like Microsoft, Cisco and Apple that had listened to consumer
demand and improved their security. 

These
are significant concerns being expressed that need to be taken
seriously especially when it comes to infrastructure. While we can’t
prevent cyber-espionage, are we giving them the keys to the vault by bringing
them into our data centres? There shouldn’t be any question of trust or security.

With
these concerns in mind the Canadian government is building out and replacing
their data systems that were “contaminated beyond repair” by massive Chinesecyber-attacks in 2010. Among the list of companies that is being considered for
this multi-billion dollar project is Huawei.  

While
the equipment may not have malware or vulnerabilities built into it now, it does have this
potential through updates and patches.While the Chinese
government may have no role in either of these companies now, they may in the
future.

We all like the price
of Chiese goods. What we might not like is the potential security costs.

What do you think? Should Huawei and ZTE
be singled out? Should the government source only domestic equipment?  Have they crossed the line by going public
with this? Is this a case of the
government meddling in corporate affairs or do you think the issues that were
reported at DEFCON and by the committee provide enough justification?

Enhanced by Zemanta