2015: AFCEA Defensive Cyber Operations Symposium. Important Update: The AFCEA Defensive Cyber Operations Symposium has been rescheduled for June 16-18 at the Baltimore Convention Center. We are happy to share this news and look forward to a successful event. Our mission partners remain strongly supportive and will be with us in Baltimore.
The U.S. Defense Information Systems Agency’s new operational role in the cyber domain as network defender creates a formal relationship between DISA, U.S. Cyber Command and the command’s military service components. Linked by a commitment to cybersecurity, this community of partners will gather at the 2015 Defensive Cyber Operations Symposium June 16-18, 2015 at the Baltimore Convention Center, Baltimore, Maryland. The operational theme centers on the teamwork, relevant guidance and priorities, and associated perspectives of mission partners united in the development of an integrated approach to operating and defending the network.
Security Education: what is the right approach to train developers? In a feature article on the Software Advice website about the Future of Security Education, I was part of a small group discussing the problem of producing better developers who can code more securely, to help alleviate the application exploits we are seeing in the headlines. Our discussion started from three suggestions to improve security education by Jacob West, CTO for enterprise software for HP: require security training for new hires; adopt a professor (industry takes a few professors and indoctrinates them in proper application security methodologies); and third, integrate security into existing frameworks. These are all prudent suggestions, but the challenge is larger than that, and these may work better on paper than in practice.
As an example in the article, Jeff Williams, CTO of Aspect Security, noted that SQL injection, a prevalent application attack vector that has been around for over a dozen years, still hasn’t been weeded out of software being developed even today. New York City Taxi movement data reveals more information than you think, if you use it right. The same goes for security event data. In a very interesting and detailed blog post, a researcher at Neustar performed analytics on the open data provided by the New York City Taxi and Limousine Commission logging all trips driven by NYC taxis in 2013. Access to this information can be tremendously useful for city planning: determining traffic patterns, time-of-day and seasonal differences in traffic, which roads are used most and might require more timely maintenance, etc.
But, as this researcher highlights, if you correlate this data with other public data, such as paparazzi photos of a celebrity getting into a cab during that timeframe, you can discover where that person went, how much the cab ride cost, and even what they tipped. Now to be clear, this is 2013 data, so the risk of knowing where someone went almost two years ago is not high, but it highlights the privacy risks of derived data. What I find smart about this is the intelligence gathering approach the author conducted. Back to Blog. Bringing a Framework to Mobile Security. I’m often asked, “What is the best tool to secure my mobile devices?” My answer is always: “Secure from what?” Unfortunately, in the security industry people equate security with tools, and happily buy technologies with claims of protection instead of first determining what they need to be protected from. The right way is to focus less on the capabilities of technology, and more on the business security requirements.
There are many pieces to the mobile security puzzle, such as protecting data from unauthorized access, strong credentials, application security, privacy, the threat of theft or loss, etc. Each of these is managed with a different approach, and an organization needs to prioritize its requirements before looking for tools. One way to help prioritize is by making sure you have considered all security areas of control.
Core to all security is developing an understanding of what you have, and what its current state is. Back to Blog. Mobile Application Security and Mobile Malware. On Thursday, August 14th, I’m speaking on a webinar for the Multi-State ISAC about mobile application security. The webcast is at 2pm EDT; there is a link to register if you are interested. This is the third time I’ve supported webcasts for the MS-ISAC (previous webcasts were about APT in December 2013, and Risk Management in December 2010), but this is the first time I’m the sole presenter, for which I’m honored.
The MS-ISAC is the cyber security information sharing and collaboration body for state, local and tribal governments. It plays a critical role in helping these often underfunded organizations by providing alerts about cyber threats, by coaching them on how to mitigate those threats, and by providing critical security training to help improve their capabilities. My topic is application security, with a specific focus on mobile. Mobile apps are really mostly web application infrastructure.
I read a very interesting mobile malware blog post last week. Back to Blog. Is Your Cat Selling You Out? WWDC, IoT and Security: Should I Cringe Now? Earlier this week Apple kicked off their Worldwide Developers Conference (WWDC), which is always interesting to watch, as they highlight what new features will be coming out in their operating systems and the new tools they have created for developers to continue making more apps.
This year, the themes were device integration, collaboration, and extensibility. All things that make a security guy cringe. Apple is moving to more collaboration among their devices, and extensibility to allow apps to interact with each other, whereas they were sandboxed before. New enhancements will enable collaboration among your family members to share photos, music, apps, and calendars seamlessly. They also announced their platform, HealthKit, for health monitoring on the mobile device. It’s not unique to Apple; Google and Microsoft are walking down the same path as well, where all our personal devices are seamlessly connected with each other and with the IoT devices around us. Back to Blog. The Internet of Things to get Hacked. Verizon Data Breach Report: What’s interesting? I used to work in the security practice at Verizon Business in the mid 2000s.
I was there when Verizon bought Cybertrust and inherited the forensics team from whose efforts the Verizon Data Breach Investigations Report (DBIR) data is derived. When they put out the initial report in 2008, it was the first time someone in the security industry had analyzed and published real data from real breaches. Previously, and still today, most annual security “threat” reports use vulnerability data, malware counts and behaviors, surveys of customers, or general threat activity as their source, but not the root causes of those ills. Early on, the DBIR was biased towards the financial industry, since many of the cases the Verizon forensics team had analyzed were credit card breaches.
But they had a good vantage point to see what was really being affected, not just speculation on trends from what customers say, or numbers of new malware in the wild. So what is interesting in this year’s report? Back to Blog. Internet of Things Privacy Conference. Last week, I participated on a panel at the TRUSTe Internet of Things (IoT) Privacy Summit at a beautiful resort in Menlo Park, California. The event brought together people from many different companies, large and small, as well as privacy advocates and legal experts. Videos of the event are available online. The consensus perspective at the conference was that soon all of our electronic devices will be connected, spanning smart meters in our homes, smart thermostats on our walls, and wearable devices on our wrists sending health information to our smartphones.
So, someone needs to ensure privacy is being addressed. Organizations want to mine that data for analysis. We specifically had discussions about the perspectives of millennials, who appear to be less privacy focused and seem to accept all uses of their data. What we were striving for is that companies and developers build privacy into their products instead of trying to bolt it on at the end. Back to Blog. Ransomware. Today we’ve just gone through Cryptolocker, which was the most advanced and effective ransomware tool to date, garnering over $100 million from businesses and consumers worldwide. And we recently saw the first widespread mobile ransomware for Android users, ANDROIDOS_LOCKER.A; the guys who did it were eventually caught. The point of this history lesson is that even though these Trojans are not stealing data, or passwords, or credit cards, they have an impact on enterprises and individuals. This is due to loss of productivity and/or the actual cost of paying the ransom.
Imagine if this happened to your personal PC, which stores decades of your family photos, or imagine if the only draft of that critical proposal was on your corporate laptop when it was infected by Cryptolocker. The impact would be significant if you did not have a backup. Security is more than protecting data; it’s also about maintaining access to the data used for the business, and ensuring that the data is accurate.
Back to Blog. Security breaches: Who’s to Blame? Last week, I participated in a webinar about SC Magazine’s Breach Survey. The survey was sent to a group of Chief Information Security Officers and included security-related questions, such as: Do you think your company is taking steps to protect critical data? 89 percent say they are. What is your security staffing makeup? 91 percent say they have the same level of staff or have increased staff to support IT security. Have you strengthened security awareness training for employees?
So, why are we not making any progress in preventing intrusions? According to the SC Magazine survey, we are all doing something; but we aren’t doing the “right” something. Recently, I’ve updated my analogy to create a comparison to the weight loss industry. This brings me to the real problem: we are afraid to change. The short answer for your health is to go to your doctor and listen to what s/he tells you to do to improve your health. - Rick Doten, DMI CISO. Back to Blog. Cybersecurity Innovation Forum Recap with Rick Doten. This week I presented “Bringing Trust to Mobile Applications with Hardware-Based Security,” which I know seems like a very dry topic, but it seemed to be appreciated by my audience at the Cybersecurity Innovation Forum, held in Baltimore.
My perspective was that with native mobile applications we have the opportunity to secure them better by leveraging security features of the hardware, such as certificate storage, or validating that components are trusted (by using non-corruptible hardware components). This is the core of Trusted Computing, starting with an international standard, the Trusted Platform Module (TPM), a read-only chip that stores a certificate that can be used to validate other hardware and software components on a system. TPMs have been around for over 10 years, but are not yet widely used. The most notable implementation is with Windows 8 for license management, and for storing the key for BitLocker disk encryption under Windows 7 and 8.
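The paragraph above describes the Trusted Computing idea of using a hardware root to validate that other components are trusted. The following is an added example, not code from the post or from DMI, that simulates the verifier-side logic of that idea in plain Python: each component is hashed and "extended" into a register the way a TPM extends a PCR (new = SHA-256(old || measurement)), so the final value depends on every component and their order, and a relying party can check it against a known-good value and can replay the event log to detect a log that does not match the register. The component names, images and the `measure_chain`/`verify` helpers are constructed for this example and are not part of any real TPM API.

```python
import hashlib

# Constructed sample boot/app chain for this example (not real firmware images).
COMPONENTS = [
    ("firmware", b"firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("app", b"mobile app binary v1"),
]

PCR_RESET = bytes(32)  # a SHA-256 PCR starts as all zeros after reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components):
    """Measure each component in order; returns the final PCR and the event log."""
    pcr = PCR_RESET
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR a given event log should produce."""
    pcr = PCR_RESET
    for _, hexdigest in log:
        pcr = pcr_extend(pcr, bytes.fromhex(hexdigest))
    return pcr


def verify(reported_pcr: bytes, log, golden_pcr: bytes) -> str:
    """Relying-party check: log must replay to the PCR, and the PCR must be known-good."""
    if replay_log(log) != reported_pcr:
        return "log does not replay to PCR (log tampered or incomplete)"
    if reported_pcr != golden_pcr:
        return "PCR differs from known-good (component modified or order changed)"
    return "ok"


def golden_reference():
    """What a relying party would provision from a known-good build."""
    pcr, _ = measure_chain(COMPONENTS)
    return pcr


if __name__ == "__main__":
    golden = golden_reference()
    pcr, log = measure_chain(COMPONENTS)
    print("known-good device:", verify(pcr, log, golden))
    modified = COMPONENTS[:-1] + [("app", b"mobile app binary v1 + patch")]
    pcr2, log2 = measure_chain(modified)
    print("modified app:     ", verify(pcr2, log2, golden))
```

The design point is that a verifier never trusts a self-reported "I am fine" flag; it compares a value the device cannot rewrite against a reference it already holds, and uses the log only as an explanation of how that value arose.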
Back to Blog. Duh! They Still don't get it! A CISO's Perspective on RSA. The RSA Conference in San Francisco is the premier security conference here in the US. Vendors from around the world come to show their latest technology and test their new marketing messages. Savvy conference attendees bypass the large booths owned by major security vendors and work their way to the edges, where numerous small vendors often have new or unknown, yet interesting and innovative, technologies. To me, these small vendors are far more attractive because they are hungry to share their ideas. They are happy to give you details on why they created their solution and what current problems they are looking to solve, or what current security gap they are looking to close. They are also usually staffed by an engineer with a Santa beard wearing sandals, ready to talk in-depth about the technology, as opposed to the larger vendor booths that have pretty ladies trained to communicate a scripted message.
Rick Doten. Back to Blog. Do you Really need a Blackphone? Edward Snowden spoke at the SXSW conference. He obviously didn’t fly to Texas, but instead spoke over Google Hangout from somewhere in Russia. Many people’s perception of Snowden has evolved over the past year; some still see him as a traitor who has done irreparable damage to the US intelligence gathering community and compromised many people’s lives. On the other hand, some people view him as a hero who uncovered misuse of personal information and helped change an industry’s perspective on privacy by encouraging large companies, like Yahoo and Google, to implement encryption to protect customer access. A few weeks ago at Mobile World Congress (MWC), Blackphone, which claims to be the “world’s first smartphone to put privacy and control ahead of everything else,” was being showcased.
Since then, we have seen two other phones announced in the press, the FreedomPop Privacy Phone (aka the Snowden phone) and the Boeing Black, which boast a more secure Android platform. Back to Blog. RSA Mobile Security Panel. On Monday, February 24, I’ll be speaking on a panel about Mobile Security at the RSA Security Conference in San Francisco. This talk is part of the Trusted Computing Group (TCG) Association Seminar series.
Additionally, I recently had the good fortune of being elected a Contributing Board Member of the TCG. Our panel’s discussion is titled “Mobile Device Security: Fact or Fiction”. The title of the discussion is ironic in itself, in that there is a presumption that mobile devices can’t be secured. I believe this confusion arises because folks aren’t asking the right question: “secure from what?” I will be talking specifically about mobile application security. Back to Blog. The Critical Security Controls for Effective Cyber Defense. The Critical Security Controls for Effective Cyber Defense version 5.0 was released for public comment at the beginning of this month by the Council on Cybersecurity. These controls represent 20 areas that organizations should regard when putting together their security programs, and provide guidance on how to measure the presence, appropriateness, and effectiveness of technology and procedural controls for each area.
While there are many cyber security standards, regulations, and guidelines, these controls provide a good foundation for developing controls that can be mapped to your industry or organizational security and privacy requirements. Rick Doten, DMI Chief Information Security Officer (CISO), is a member of the panel that updates and maintains these controls. Generally, this version has been organized to be more convenient to use as a reference, with clearer headings and the use of tables. Back to Blog.