The Oil and Natural Gas industry this week unveiled a new Information Sharing and Analysis Center (ONG-ISAC) to facilitate the exchange of information, help evaluate risks, and provide up-to-date security guidance to U.S. companies.

Designed to help protect infrastructure from cyber-attacks, the industry-owned and operated organization will be structured similar to other industry ISACs in order to:

• Allow participants to submit incidents either anonymously or with attribution via a secure web portal;

• Circulate information on threats and vulnerabilities among ONG-ISAC members, other ISACs, vendors, and the U.S. government;

• Provide industry participants with access to cyber security experts;

• Alert participants of cyber threats deemed ‘Urgent’ or ‘Elevated’ in near real-time; and,

• Coordinate industry-wide responses to computer-based attacks.

According to the ONG-ISAC website, the organization will employ the Traffic Light Protocol for information sharing, with members having the option of submitting information either anonymously or with attribution. Only ONG-ISAC members will receive information that is classified as Red or Amber; non-members will only receive information that is classified as White, the organization explained.

Headquartered in Washington, D.C., the ONG-ISAC will offer member benefits including:

• Guided, anonymous information sharing via a secure web portal

• Automated sharing of machine-readable threat indicators

• Real-time notifications for near real-time analyses

• Open access to community leaders and security analyst experts

• Discover threats and vulnerabilities from ONG-ISAC members, other ISACs, vendors, and the U.S. Government, all in one place

• Coordinated response between members during industry incidents

The American Petroleum Institute (API), a national trade association representing the oil and natural gas industry with more than 600 members, expressed its support for the newly formed ISAC.

“Computer-based attacks are one of the fastest-growing threats to American businesses and infrastructure,” said API Vice President Kyle Isakower. “The center builds on existing programs to help companies quickly identify and respond to threats against energy production and distribution systems such as refineries and pipelines and stay connected with law enforcement agencies.”

Membership rates vary from $ 2,000 per year for organization with revenue of less than $ 250 million, to $ 50,000 per year for organizations with annual revenues over $ 10 billion.

Tags:

• NEWS & INDUSTRY
• Risk Management
• Security Infrastructure
• Management & Strategy

Media reports affirm that malicious insiders are real. But unintentional or negligent actions can introduce significant risks to sensitive information too. Some employees simply forget security best practices or shortcut them for convenience reasons, while others just make mistakes.

Some may not have received sufficient security awareness training and are oblivious to the ramifications of their actions or inactions. They inadvertently download malware, accidentally misconfigure systems, or transmit and store sensitive data in ways that place it at risk of exposure.

Personnel change too. Companies hire new employees, and promote and transfer individuals to new roles. They augment staff with temporary workers and contractors. New leadership comes onboard. Many of these insiders require legitimate access to sensitive information, but needs differ with changing roles, tenure, or contract length. It’s extremely challenging to manage user identities and access privileges in this environment, not to mention the people themselves. A person who was once trustworthy might gradually become an insider threat – while another becomes a threat immediately, overnight.

New technologies and shifting paradigms further complicate matters. The evolving trends of mobility, cloud computing and collaboration break down the traditional network perimeter and create complexity. While these new tools and business models enhance productivity and present new opportunities for competitive advantage, they also introduce new risks.

At the same time, you can’t ignore outsider threats which are responsible for the lion’s share of breaches. Since 2008, the Verizon Data Breach Investigations Report has shown that external actors – not insiders – are responsible for the vast majority of the breaches they investigated. Some of the top reasons why breaches were successful include: weak credentials, malware propagation, privilege misuse, and social tactics. These are precisely the types of weaknesses that trace back to the actions (or inactions) of insiders.

The question isn’t whether to focus on the insider or outsider threat. The question is how to defend against both – equally effectively.

What’s needed is a threat-centric approach to security that provides comprehensive visibility, continuous control, and advanced threat protection regardless of where the threat originates. To enable this new security model, look for technologies that are based on the following tenets:

Visibility-driven: Security administrators must be able to accurately see everything that is happening. When evaluating security technologies, breadth and depth of visibility are equally important to gain knowledge about environments and threats. Ask vendors if their technologies will allow you to see and gather data from a full spectrum of potential attack vectors across the network fabric, endpoints, email and web gateways, mobile devices, virtual environments, and the cloud. These technologies must also offer depth, meaning the ability to correlate that data and apply intelligence to understand context and make better decisions.

Threat-focused: Modern networks extend to wherever employees are, wherever data is, and wherever data can be accessed from. Keeping pace with constantly evolving attack vectors is a challenge for security professionals and an opportunity for insider and outsider threats. Policies and controls are essential to reduce the surface area of attack, but breaches still happen. Look for technologies that can also detect, understand, and stop threats once they’ve penetrated the network and as they unfold. Being threat-focused means thinking like an attacker, applying visibility and context to understand and adapt to changes in the environment, and then evolving protections to take action and stop threats.

Platform-based: Security is now more than a network issue; it requires an integrated system of agile and open platforms that cover the network, devices, and the cloud. Seek out a security platform that is extensible, built for scale, and can be centrally managed for unified policy and consistent controls. This is particularly important since breaches often stem from the same weaknesses regardless of whether they result from insider actions or an external actor. This constitutes a shift from deploying simply point security appliances that create security gaps, to integrating a true platform of scalable services and applications that are easy to deploy, monitor, and manage.

Protecting against today’s threats – whether they originate from the inside or the outside – is equally challenging. But they have a lot in common – tapping into many of the same vulnerabilities and methods to accomplish their missions. There’s no need to choose which to prioritize as you allocate precious resources. With the right approach to security you can protect your organization’s sensitive information from both insiders and outsiders.

Tags:

• INDUSTRY INSIGHTS
• Network Security
• Management & Strategy

Security vendor Fortinet released a survey that shows homeowners want to embrace the Internet of Things (IoT), but are worried about privacy and security.

In a survey of 1,801 homeowners, Fortinet found that 61 percent of U.S. respondents believe the connected house – a home where appliances and home electronics are seamlessly connected to the Internet – is “extremely likely” to become a reality during the next five years. Eighty-four percent of homeowners in China felt that way.

But the excitement over the prospect is tempered by security concerns. A majority of respondents (69 percent) globally said they were extremely or somewhat concerned a connected appliance could result in data breach of sensitive information. Among U.S. homeowners, the figure was 68 percent. When asked how they would feel if a connected device in their home was secretly or anonymously collecting information about them and sharing it with third-parties, 62 percent said they would feel “completely violated and extremely angry to the point where I would take action.” The strongest responses came from South Africa, Malaysia and the U.S., with the U.S. coming in at 67 percent.

Fifty-seven percent of respondents in the U.S. also agreed with the statement that “privacy is important to me, and I do not trust how this type of data may be used.”

“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges,” said John Maddison, vice president of marketing at Fortinet , in a statement. “Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security − applied on premises, in the cloud and as an integrated solution by device manufacturers.”

Many of respondents said they felt they should have access to any data collected by a connected home appliance. Sixty-six percent said that only themselves or others whom they have given permission should have access to this information. In the U.S., the number was 70 percent, with about a quarter also stating they thought the device manufacturer or their Internet Service Provider (ISP) should have access to the collected data as well.

Forty-two percent said the government should regulate collected data, while 11 percent said regulation should be enforced by an independent, non-governmental organization. In the United States, only 34 percent of respondents felt the government should regulate collected data.

Still, the respondents felt the device manufacturers should be primarily responsible for securing the device if a vulnerability is found. Forty-eight percent of all those surveyed agreed that the manufacturer is responsible for updating and patching their technology. However, almost 31 percent responded that it was the responsibility of the homeowner to keep the device up to date.  

“The battle for the Internet of Things has just begun,” Maddison said. “According to industry research firm IDC, the IoT market is expected to hit $ 7.1 trillion by 2020. The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”

Tags:

• NEWS & INDUSTRY
• Cybercrime

Growing up, one of my father’s favorite sayings was “luck favors the prepared.”

I must have heard it a thousand times over the years. It was almost always spoken just after some sad scenario where I had failed to stay alert, informed and aware, thus my ending up at a loss. Sometimes a big loss. It was his belief that, if you’re always broadly observant of things that affect your life, good things have a better chance of happening to you. He has always been right.

Nowadays, I find myself applying this lesson to cybersecurity and cyberdefense.

More than just nifty tools and solutions, robust IT budgets, threat intelligence firehoses and rigid security policies, I’m learning over and over again that practical, habitual day-in/day-out awareness is invaluable at helping you avoid becoming a victim of cybercrime – and lessening the impact when cybercrime inevitably happens to you and your organization.

Cybercrime is all around us.

One day it may become second nature to stay constantly informed about cyber risks facing us and our businesses. We’re certainly not there yet. Sooner or later, we may all need to get used to the idea of constantly consuming data about our risks and vulnerabilities in order to act safer. It’s likely sooner rather than later. To really accomplish this type of awareness, though, takes the right levels of information. Not just data. In fact, we’re all awash in data. But more on that later.

What we need is high-quality cybercrime information that’s comprehensive, yet also focused and simple to digest. Information that’s current, consistent, intuitive, continuous and, most importantly, easy to draw conclusions from that have meaning specific to you, your business and the decisions you face. It’s what I call “complete context.”

And there’s more.

To truly benefit from this sort of information takes more than just the info itself. Just as my father also told me, it takes focus, effort and commitment. Every day. Something he just called “hard work.”

Current Data + Contextually-Relevant Info + Continuous Awareness + Hard Work = Practical Solutions

Of course, the familiar modern-day version of my father’s favorite is “Chance favors a prepared mind” said by Louis Pasteur, French microbiologist, father of Pasteurization, and father of the Germ Theory of Disease. For Pasteur, the saying meant that, by staying diligently informed of all things surrounding your problem space, you’ll more quicker see solutions for tough problems.

For years and years he labored at the microscope, observing, collecting data and analyzing. But it was his devotion to basic research on more than just the problem itself – and the quick delivery of practical applications based on what he learned –  that led him to his biggest breakthroughs against unseen and deadly illnesses. Eventually, thanks to Pasteur’s way of working, we developed critical medicines such as antibiotics.

Studying a problem from every angle and every level always leads to more practical solutions and quicker (re)action.

Although Pasteur labored in the medical and biological fields, his work was in many ways analogous to modern cybersecurity. Today, scientists and researchers battle similar unseen forces, all around us, making us sick in various ways. Our networks and computers and mobile devices are constantly exposed to harmful pathogens and viruses. And, with the Target breach and things like Heartbleed, real people now know these things are fatal in their own way.

But in today’s world, we seem to have gone off track a bit in trying to cure our cyber ills.

In perhaps what was much the same as in Pasteur’s day, many smart people today labor to observe, collect data and draw conclusions. However, most of them, unlike Pasteur, are not able arrive at real practical breakthroughs that change the world.

Why is this the case?

For me, it’s mostly a simple answer:

We focus so much on looking down the barrel of individual microscopes, we get lost in all the low-level noise that’s far too focused on only a few dimensions of the problem.

Let me use Pasteur again to explain more simply.

Had Pasteur only observed the smallest bits floating around under his glass, he would’ve likely not been remembered in history. Instead, Pasteur gathered data about sick people, who they were, where they lived, how old they were, what gender, what symptoms they had, what prior illnesses they had been subject to, what their jobs were and what they had in common.

He observed animals, how they behaved, how long it took for them to become sick when they did, what they ate, where they lived and more. He even observed how rotting meat behaved, how it decomposed, how it compared to other plant and animal matter and on and on. He focused on all sides of the issue; the causes, the victims and, of course, their symptoms. Pasteur observed every facet of his problem set from high level to low, and turned basic data collection – from many dimensions at once and from all angles – into information he could use to draw practical conclusions.

Put simply, Pasteur had complete context by performing “intelligence gathering.” But, by focusing on more that just the threat itself, Pasteur was one of the first practitioners of risk analysis, or risk intelligence. It’s something we’ve only just begun to really apply to cyberdefense.

Continuous awareness of our own cyber risks compared to what’s possible and what’s happening around us right now is one of the missing pieces in current cyberdefense practices.

Today, we spend most of our cybersecurity efforts and dollars gathering massive amounts of data from millions of “microscoped” sources, but we rarely change perspectives or levels. We want to know what’s threatening us, but can’t seem to understand the picture is much bigger. Too rarely do we push back from the lenses trained only on data sets inside our specific organizations to pick our heads up and look around.

I like to call it “cyber navel gazing.”

You see, outside the microscope, there’s just so much other useful data – mostly not being stored and analyzed – that can be turned into helpful information, then into practical solutions.

Yet, we continuously employ 10s of 1000s of myriad tools, solutions and applications that comb through huge bins of raw packet data and endless streams of netflow and long-term signature repositories and terabytes of log files and interface dumps and more.

In fact, it’s as if all we do is peer through the scopes at our own micro worlds and draw conclusions that themselves lead to other tools begetting other massive piles of micro data.

Are these things all bad? Of course not. And they’re all part of fighting the fight against cyber disease. But in all of this we miss out on the bigger picture. Rarely do we store data, day in and day out, on what we’re getting hit with, how threats are occurring and what’s happening as a result. Neither are we matching that up to what our specific, individual symptoms are, who we are as targets, where we’re from, what types of companies we are, who our customers are, what technologies we’re using and on and on.

What would Pasteur say to us now if he were brought in to consult on our cyber sickness?

He’d probably just say, “Luck favors the prepared.” Then he’d tell us to start over. From the top this time.

Tags:

• INDUSTRY INSIGHTS
• Network Security
• Security Infrastructure

BOGOTA – A Colombian judge Monday ordered freed an alleged hacker accused of spying on President Juan Manuel Santos’ government and sensitive peace talks, his attorney said.

“The judge determined that there was insufficient evidence to keep him detained” Bernardo Alzate, attorney for Andres Sepulveda, said in an interview with Cablenoticias.

Sepulveda, a systems engineer who worked on the campaign of Santos’ presidential rival Oscar Ivan Zuluaga, was arrested May 6 for allegedly hacking Santos’ email and communications of the FARC rebel group related to peace talks in Havana.

Alzate said his client would be freed Monday and that the charge against him also was being dropped.

The government has been engaged in peace talks with the FARC since November 2012, and Santos has made the effort a central feature of his presidency and his bid for re-election in a May 25 runoff.

The talks are vehemently opposed, however, by Zuluaga and his most important backer, former president Alvaro Uribe.

Santos and Zuluaga are running neck and neck according to the pollsters.

Tags:

• NEWS & INDUSTRY
• Cybercrime

Survey Shows IT Security Pros Aren’t Getting the Business Expertise Skills They Need at Their Current Companies…

With information security initiatives becoming more prominent in organizations, now is a good time to be an IT professional. However, organizations who don’t invest in their personnel run the risk of their experts moving elsewhere.

IT professionals are noticing a significant change in how they are regarded within their organizations, according to the latest research report from Wisegate, a private practitioner-based IT research services group. Instead of being treated as a nuisance or necessary evil, IT is increasingly being integrated into and respected by the business, according to the respondents—senior IT practitioners across a variety of industry sectors—who participated in the Wisegate survey.

But there is a gap somewhere, as many of the 362 IT professionals surveyed were looking for opportunities outside their organizations. Almost half of the respondents felt their organizations did not offer the opportunities they needed to advance in their careers. Two-thirds of the respondents said they expected to move on to another organization within the next two years. Respondents weren’t just anticipating events beyond their control, as nearly half said they wanted to move within the year.

“The fact that two-thirds of the IT employees are waiting to walk out the door is a far bigger risk [for organizations] than the next cyber-attack or a data breach,” Sara Gates, founder and CEO of Wisegate, told SecurityWeek.

A Good Work Environment

Security practitioners aren’t looking elsewhere because their organizations were ignoring their concerns or downplaying the importance of security. In fact, 72 percent of Wisegate respondents said their organizations took IT “very seriously” or “somewhat seriously,” according to the report. What was even more significant was the fact nobody reported “not at all seriously” to this question, the report’s authors noted.

“This makes particular sense considering the shadow recent high-profile IT security incidents have cast, as well as the growing importance of mobile, apps and cloud as key business decisions that rely on IT to be successful,” the authors wrote.

A little under two-thirds of the respondents said processes at their organizations were “somewhat flexible” or “somewhat rigid,” according to the report. This means the IT processes aren’t treated trivially, nor are they “cast in stone and impossible to change” when necessary. This kind of environment “is actually ideal for IT professionals as they work to ensure stability and order at their places of work, even as technologies and new risks require them to frequently adapt,” the authors concluded.

“Business perception of IT security is at an all-time high, making security professionals more valuable on the market,” Gates said.

Soft Skills Wanted

IT professionals are discovering their place in the business, their ability to affect the business, and their career options are changing. However, only 34 percent felt there were opportunities to advance in their current organizations, and 47 percent felt they would have to “leave my current company in order to move up the ladder,” according to the report. And lest anyone accuse these professionals of chasing a bigger paycheck, respondents to the Wisegate survey ranked “more money” sixth out of a list of eight reasons to move.

Instead, the Wisegate participants were interested in having more opportunities to learn, facing challenging work opportunities, and receiving positive feedback from the business side of the organization. IT professionals recognize they have to develop the soft skills necessary to work effectively with their non-IT counterparts.

Organizations interested in retaining their security staff need to look at the talent pool in a smarter way, Gates said. Developing technical skills, while important, is no longer enough. Programs focusing on soft skills such as effective communication, presentations, and negotiation are important. Organizations also need to open up internal opportunities to grow and advance. These security practitioners were “very focused on the [soft] skills they need; they are self-aware,” she said.

There is no need for the “lens of fear,” or worrying that investments would be wasted because the practitioners are going to leave anyway, Gates suggested. Since investments accumulate, organizations can spread out initiatives over a five-year program. One or two changes each year will be more effective than trying to throw together a lot of programs with varying levels of effectiveness. “It’s time to ask, ‘What’s the one thing you need to grow in your career?’ We need to build relationships,” Gates said.

The report was very clear: IT security professionals aren’t getting the business expertise skills they need at their current companies and positions, and are therefore looking elsewhere. IT professionals are in the position to gain and exert influence within their companies, and the way to stop the security exodus is to provide those opportunities internally.

“As their ability to interact grows, this can only be good for the business,” the report concluded.

The full report is available online (PDF) from Wisegate.

Tags:

• NEWS & INDUSTRY
• Email Security

Mojave Networks Introduces Mobile Application Reputation Feature

Mojave Networks has added a new feature to the company’s professional and enterprise services in an effort to help organizations minimize the risks posed by the mobile applications used by their employees.

According to the company, organizations can use the new feature to discover potential risks by analyzing data collected and transmitted from mobile apps, and create policies for data loss prevention based on the information.

The new mobile application reputation offering, which is available immediately, includes features like customizable analytics, categorization of apps by risk level, application tracking, and integration with device management and network security solutions.

“The ‘bring your own device’ (BYOD) trend is transitioning to ‘bring your own applications’ (BYOA) as users download more and more apps to share data, increase productivity and stay connected,” noted  Garrett Larsson, CEO and co-founder of Mojave Networks.

“If any application running on a mobile device connected to the network is insecure, it can put highly sensitive corporate data at risk. Our new application reputation feature can help enterprises improve their mobile security posture by eliminating the risk of insecure applications.”

The company analyzes over 2,000 mobile apps every day by tracking 200 individual risk factors in 15 different categories. In addition to static and dynamic analysis, Mojave Networks said that it uses data from real-world usage of the tested applications to determine if an application is safe.

One risk that’s particularly problematic for enterprises is when private data is collected and sent to remote Web APIs, the company warned.

“Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools,” Ryan Smith, Mojave’s lead threat engineer, explained in a blog post.

Based on the analysis of more than 11 million URLs to which mobile apps connect to, Mojave Threat Labs determined that business users connect to at least as many data-gathering libraries as consumers. During its analysis, the company found that 65% of applications downloaded by business users connect to an advertising network, and 40% of them connect to a social network API.

“It is critically important that users and IT Administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps,” Smith noted.

Founded in San Mateo, CA in 2011, Mojave Networks raised a $ 5 million round of funding in November 2013, in addition to launching a cloud-based, enterprise-grade solution that protects mobile devices starting at the network level. 

Tags:

• Mobile Security
• NEWS & INDUSTRY
• Privacy
• Data Protection
• Mobile & Wireless

WASHINGTON – The US National Security Agency is scooping up large quantities of images of people for use in facial recognition programs, the New York Times reported Sunday, citing top secret documents.

The Times said documents, which were obtained from fugitive former US intelligence analyst Edward Snowden, show a significant increase in reliance on facial recognition technology at the agency over the past four years.

The report said the NSA was using new software to exploit a flood of images included in intercepted emails, text messages, social media posts, video conferences and other communications.

It cited leaked 2011 documents as saying the NSA intercepts “millions of images per day,” including 55,000 “facial recognition quality images.”

The images represented “tremendous untapped potential,” according to the report, which said NSA officials believe advances in technology could revolutionize the way the agency finds intelligence targets.

“It’s not just the traditional communications we’re after: It’s taking a full-arsenal approach that digitally exploits the clues a target leaves behind in their regular activities on the net to compile biographic and biometric information” that can help “implement precision targeting,” a 2010 document quoted by the newspaper said.

The Times said it wasn’t clear how many people, including how many Americans, had been caught up in the effort, but noted that neither US privacy laws nor US surveillance laws provide specific protections for facial images.

A NSA spokeswoman said, however, that the agency would be required to get court approval for imagery of Americans it collects through its surveillance programs.

The agency has been at the center of controversy over the scope of its global electronic surveillance program since they were first revealed by Snowden in June 2013.

The former intelligence contractor is in Russia, where he was granted temporary political asylum last year.

Tags:

• NEWS & INDUSTRY
• Tracking & Law Enforcement