
  • The Time Has Come to Automate Supply Chain Security

    By Chris Blask, Global Director Industrial and IoT Security at Unisys, (CS)²AI Fellow
    October, 2020

    Maintaining visibility into the inventory of assets, supplies, and products entering and leaving industrial operations has been a key to reliable operations since the dawn of infrastructure. The proliferation of digital devices combined with the advantages of adaptive supply chains has put a sharp point on the need to evolve this practice significantly. Initiatives across public and private sectors over the past decade have laid the groundwork for the automation of high-surety attestation sharing among supply chain partners, with early adopters leveraging these systems to gain competitive advantages today.

    Tracking any item in a supply chain comes down to three simple questions:
    - What is being written?
    - Where is it being written?
    - Who gets to read it?

    With digital assets being used throughout industrial systems at increasing rates, and these assets becoming increasingly complex and capable, the traditional manual methods of tracking have been overwhelmed by volume and speed. Individual supply chain operators have evolved bespoke solutions to the challenges presented, but these do not translate upstream to their suppliers or downstream to their customers. Critical issues such as locating and remediating flawed software, hardware, or materials are still handled through the manual effort of individuals searching documents and exchanging emails. Due to a variety of related efforts over the past ten years, answers to these three supply chain questions have been developed that together form a functional system of attestation, sharing, and policy that is today being used by supply chain partners. Industrial operators and the subject matter experts they work with should begin integrating these structures into the operational planning and execution of public and private systems.

    “What is being written?” - The necessity for reliable provenance for software has led to common taxonomies to describe sources and components. The Linux Foundation Software Package Data Exchange (SPDX) program has developed mature common taxonomies for open source software, which are being used in the US Department of Commerce Software Bill of Materials (SBOM) initiative alongside taxonomies from MITRE and ISO. There is workable agreement on What is to be written down to share attestations.

    “Who gets to read it?” - The necessity to ensure compliance with GDPR data privacy laws has led Bosch and partners to develop a policy framework for the handling of sensitive data produced and consumed by IoT devices. The Digital Trust Forum (DTF) provides a policy framework that is being applied to the creation and management of supply chain data shared in public and private channels, to answer the question of Who gets to read What.

    “Where is it being written?” - The Digital Bill of Materials (DBoM) Consortium is a Linux Foundation project that provides the backbone for attestation sharing among supply chain partners, created by Unisys in partnership with the aforementioned entities and other supply chain operators. Open source DBoM Node software will be available through the project in Q4 2020 to enable any organization to create or participate in attestation-sharing channels with supply chain partners. This common backbone answers the question of Where attestations can be shared. The DBoM Consortium will maintain processes to select common taxonomies so partners know What they are sharing, and common policy structures that ensure only those Who are authorized can access them.

    The economic drivers of Industry 4.0 and IIoT mandate the adoption of increasingly complex operational systems. To remain competitive, industrial operators must reduce the effort needed to track an increasing quantity of assets, while increasing their ability to identify and remediate risks. If you have a duty to protect critical infrastructures, the time has come to automate the supply chains you rely on.

  • The Chairman's Minute: Tackling Our Industry-wide Workforce Development Problem

    By Derek Harp, (CS)²AI Founder, Chairman and Fellow
    October, 2020

    Dear Colleagues,

    Control systems have become vital to ensure that our daily lives run smoothly, not only the obvious industrial applications like supplying power, fuel, or manufacturing products, but also running healthcare, transportation, building control, and logistics technologies. Essentially, more of our modern world is being automated and connected than ever, and some projections indicate we could see more than 64 billion IoT devices worldwide by 2025*. At the same time, it is well known in the cybersecurity field that we have a longstanding workforce problem. In the research for our upcoming 2020 Annual Report, 58% of respondents cited insufficient security expertise as the greatest obstacle to resolving control system cyber security vulnerabilities. For many people not directly involved in this area the concern may be unknown, at best a distant concern unrelated to our common future; a future of critical reliance and vulnerability and not enough trained and knowledgeable people to keep up with attackers. It’s already whack-a-mole, and with a steadily increasing “AS:QW” Ratio (attack-surface to qualified-worker) it is easy to see things going from challenging to worse. The exposure list is long and the stakes are growing higher. Safeguarding operational assets from persistent threats while also moving our core business functions forward (maximizing efficiency, real-time intelligence, system uptime, etc.) is no small task.

    So, can we do anything about it? (CS)²AI members say yes. Undoubtedly some of the solution will come in the form of emerging or yet-to-be-built technology, as we currently rely on too many humans in the middle. However, in all scenarios we can and MUST do more to recruit, train, equip, and support the cyber workforce of tomorrow. We all must invest more in:
    - Education (formal, degree programs, informal, continuing ed.)
    - Measurement (knowledge and practical)
    - Training (OJT, hands-on, in the field, lab)
    - Network strengthening (with real information, data, and knowledge sharing)
    - Better job placement (efficiency, reach and transparency of qualified candidates)

    Certainly, education and training come in many forms, from activities like the (CS)²AI Online™ sessions we run multiple times a month to formal classroom or hands-on lab training offered in the marketplace. It is clear we need more training that is appropriate for diverse roles, easily accessible, affordable and reinforced with real-world applications. For our contribution, (CS)²AI will continue to expand our own educational opportunities and remain committed to a role of providing access to the wisdom of the few for the benefit of the many. We also see that one of the roles of our association is to arrange relevant industry benefits on behalf of our Global Members, and today I am proud to announce a new education & training discount partnership with The Mission Critical Institute.

    Finding the right person in the proverbial haystack is not easy. I am frequently contacted to help with searches, and some of them have lasted far too long trying to fill the position. It’s also common to see inadequacy of talent (or poor corporate HR policy on salary bands) lead to filling a position with the wrong person. In our space the unicorns that truly understand IT, cybersecurity broadly AND the intricacies of control systems are rarer, more expensive and often hard to identify. (CS)²AI wants to help with that, and today I am proud to announce that the new (CS)²AI Job Board (Version 1.0) is now live with more than 40 jobs now listed. All members of the community at large can see the listings, and our Global Members are able to apply directly for jobs from the member portal.

    Helping directly address the workforce problem is THE reason why we founded (CS)²AI. Our mission to provide the platform for members to help members, foster meaningful peer-to-peer exchange, continue professional education and directly support cyber security professional development is something we can do together to make a dent in this problem. There is a great quote that sums up what we can do here together: “The whole is greater than the sum of its parts” - Aristotle. In the end (CS)²AI is only as effective as its members-helping-members efforts are. When you join the (CS)²AI community as a global member, partner, contributor, committee member, (CS)²AI Fellow or research participant, YOU impact the community personally. I am especially grateful to our Strategic Alliance Partners for their vision in our early years. In our case their support of our not-for-profit association has not been solely for business development purposes; these companies are also planting a stake in the ground that addressing the workforce challenge is important. By pooling and coordinating time and resources we can increase the magnitude of the impact. If you have not already added your voice to our discussion, I invite you to Join Today. If you would like to do more, you can also review multiple ways to Get Involved on our global website.

    Regards,
    Derek
    Founder & Chairman

    * https://techjury.net/stats-about/internet-of-things-statistics/

    Copy and Paste Links:
    https://www.cs2ai.org/cs2ai-online
    https://www.cs2ai.org/member-benefits
    https://www.cs2ai.org/jobs
    https://www.cs2ai.org/memberbenefit-mission-critical
    https://www.cs2ai.org/get-involved
    https://www.cs2ai.org/plans-pricing

  • Cybersecurity Companies Expose Sensitive Data Online

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.infosecurity-magazine.com/news/cybersecurity-firms-expose/
    By Phil Muncaster, 9/8/20

    Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb. The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites. It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” estimated to have critical risk. This means they included logins with plaintext passwords, or data leaks such as PII and financial records that are recent and/or unique. In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%. Also concerning is the fact that 29% of the discovered passwords were “weak” — i.e. they featured fewer than eight characters, with no uppercase, no numbers and no special characters. In 41% of companies studied, employees were found to have reused passwords on different breached systems, further exposing their organization to breach risks.

  • CISA Director Lists Nation-State Actors, Cybercriminals, Disinformation as Top COVID Attack Vectors

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.meritalk.com/articles/cisa-director-lists-nation-state-actors-cybercriminals-disinformation-as-top-covid-attack-vectors/
    By Katie Malone, 9/8/20

    Assessing the current threat landscape six months into the COVID-19 pandemic, Director of the Cybersecurity and Infrastructure Security Agency Christopher Krebs listed nation-state spies, cybercriminals committing fraud, and the spread of disinformation as top cyberattack vectors. “The intelligence services are doing what they always do. Spies are being spies,” Krebs said at the Billington Cybersecurity Summit today. “They’re looking to collect information on what’s really going on in the country, what’s the status of the vaccine development, what’s the economic health of the country, what are the policies that are shifting.” Krebs raised concerns with China and Russia-based actors as leaders of spy activities.

  • Cyber-Risks Explode With Move to Telehealth Services

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.darkreading.com/attacks-breaches/cyber-risks-explode-with-move-to-telehealth-services/d/d-id/1338890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
    By Jai Vijayan, 9/10/20

    The hasty shift to online delivery of primary care services since the COVID-19 outbreak has attracted significant attacker interest.

    The mass adoption of telehealth applications and services in the months since the COVID-19 outbreak began has introduced new cyber-risks within the healthcare industry. New research by SecurityScorecard and Dark Owl found that the rapid onboarding of technologies for enabling the delivery of health services online has significantly broadened the attack surface at many healthcare organizations, putting both patient and provider data at risk. SecurityScorecard and DarkOwl analyzed data related to the use of telehealth products from 148 vendors by healthcare providers around the country. Prior to the pandemic, the use of such products hovered at less than 1% of the overall visits to healthcare providers by people seeking access to primary healthcare services. The public health emergency prompted by the pandemic resulted in primary care visits dropping precipitously after mid-March, while the use of telehealth apps soared 350%, SecurityScorecard said, referring to a report from the US Department of Health and Human Services. The speed at which the transition to online health-services delivery happened left little time for healthcare providers to properly vet telehealth products for security issues or to ensure their safe use, says Alex Heid, chief R&D officer at SecurityScorecard.

    "We examined the 148 most popular telehealth apps from a number of angles, and there are concerns across the board, from the development, deployment, and configuration of the applications themselves, as well as the digital supply chain that supports them," Heid says.

    To assess the increased risk from telehealth apps, SecurityScorecard and Dark Owl examined the increase in security alerts sent by users of these apps to IT staff at their respective organizations. The two companies compared data from September 2019 to February 2020 and from March 2020 to April 2020. For the study, they looked at a variety of alerts, including those related to IP reputation, patching cadence, endpoint security, DNS health, application and network security, and leaked credentials. For example, for patching cadence, analysts from SecurityScorecard and Dark Owl looked at the number of alerts that were sent to IT staff involving irregularly installed or missing patches. The analysis uncovered a 117% increase in IP reputation alerts, a 65% increase in issues involving patches, and a 56% increase in endpoint alerts. The study revealed similar increases across every other single risk vector. Application security alerts, for instance, increased 16%. FTP issues jumped by 42%, and alerts related to the frequently abused Remote Desktop Protocol (RDP) went up by 27%.

    SecurityScorecard and Dark Owl also observed a sharp increase in chatter pertaining to telehealth apps and credentials on Dark Web markets and hacker forums. For example, mentions of names of telehealth vendors and products such as Teladoc, CareClix, and MeMD jumped noticeably after the pandemic began. They also noticed malicious code being shared in March via criminal forums that would allow attackers to collect patient identity and prescription information for telehealth systems. According to the researchers, the malware is likely being used presently to harvest patient data. In another instance, they discovered a hacker providing specifics on how to compromise a medical imaging system so X-rays and other medical images could be downloaded, altered, or sold.

    "Healthcare organizations need to fully and completely vet the telehealth vendors they integrate with their systems," Heid says. "As with any third-party vendor, their security risks become your security risks."

    The new cyber-risks within the healthcare sector since the COVID-19 outbreak started are by no means unique. Security vendors have reported similarly heightened risks across almost every other sector. Attackers trying to take advantage of the sudden shift to remote work have been hammering away at weaknesses in home networks and devices, videoconferencing and remote collaboration tools, virtual private networks, and other network equipment. Government organizations, educational institutions, and healthcare organizations have proved to be especially popular targets for ransomware, distributed denial-of-service attacks, and account takeovers.

    "We were surprised to find that, prior to the pandemic, the healthcare industry had improved its overall cybersecurity posture since our report last year," Heid says. "However, the mass adoption of telehealth applications has introduced new digital surface areas, which in turn introduce new risks."

    Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

  • White House Issues New Cybersecurity Policy for Space Systems

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.c4isrnet.com/battlefield-tech/space/2020/09/04/white-house-issues-new-cybersecurity-policy-for-space-systems/
    By Nathan Strout, 9/4/20

    The National Space Council issued new cybersecurity principles to help defend America’s space systems Sept. 4. According to the White House, Space Policy Directive-5, or SPD-5, will foster practices within the government and commercial space operations to protect space systems from cyberthreats. “From communications to weather monitoring, Americans rely on capabilities provided by space systems in everyday life. President [Donald] Trump’s directive ensures the U.S. Government promotes practices to protect American space systems and capabilities from cyber vulnerabilities and malicious threats,” Deputy Assistant to the President and Executive Secretary of the National Space Council Scott Pace said in a statement. “Through establishing cybersecurity principles for space systems, Space Policy Directive-5 provides a whole-of-government framework to safeguard space assets and critical infrastructure.”

  • Six Critical Vulnerabilities To Enable OT Supply Chain Attack

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.infosecurity-magazine.com/news/critical-bugs-enable-ot-supply/
    By Phil Muncaster, 9/9/20

    “Security researchers have discovered six critical vulnerabilities in third-party code which could expose countless operational technology (OT) environments to remote code execution attacks.”

    “‘Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,’ the US Cybersecurity and Infrastructure Security Agency (CISA) noted.”

    “Attackers could phish their targets, socially engineering them into visiting a malicious site under their control to inject a malicious license onto the victim machine. Or they could exploit one of the bugs to create and inject forged licenses onto a machine running CodeMeter, Claroty said.”

  • Spyware Labeled ‘TikTok Pro’ Exploits Fears of US Ban

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://threatpost.com/spyware-labeled-tiktok-pro-exploits-fears-of-us-ban/159050/
    By Elizabeth Montalbano, 9/9/20

    “Researchers have discovered a new Android spyware campaign pushing a ‘Pro’ version of the TikTok app that is exploiting fears among its young and gullible users that the popular social media app is on the cusp of being banned in the United States. The malware can take over basic device functions—such as capturing photos, reading and sending SMS messages, making calls and launching apps—as well as uses a phishing tactic to steal victims’ Facebook credentials.”

    “The rogue app called TikTok Pro is being promoted by threat actors using a variant of a campaign already making the rounds, which urges users via SMS and WhatsApp messages to download the latest version of TikTok from a specific web address, said Zscaler senior security researcher Shivang Desai, in a report published 8 September.”

  • City of Baltimore Ransomware Attack: Lessons Learned

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://heimdalsecurity.com/blog/baltimore-ransomware/?utm_medium=email&_hsmi=94871936&_hsenc=p2ANqtz-8bfE16LtUAM8jCoJXvguGFMILPYSaycrTV70sLvJMMgiq1aJ_PubditwliNduhDYsl5vS3Girg8-9ix-8KuAfTI4i1uw&utm_content=94871936&utm_source=hs_email
    By Alina Georgiana Petcu, 9/8/20

    “Nowadays, cybercriminals are becoming increasingly hooked on big game hunting. Public institutions ranging from educational facilities to governmental agencies seem to be their favorite targets. One of the most notable instances of the latter in recent history was the Baltimore ransomware attack.”

    “Even though the attack took place in May 2019, there is a lot still to be learned from the Baltimore ransomware case today. In this article, I will present a timeline of the events that unfolded in the wake of the infection, as well as answer the most pressing question in any situation like this: did Baltimore city pay the ransom? Plus, if you want to learn how to prevent a ransomware attack in your institution, keep on reading. I’ll get into that as well.”

  • The Chairman's Minute: What is Your Security Culture?

    By Derek Harp
    August 2019

    Security Culture is something I am giving a lot of thought to these days. After two decades of contributing to more technical efforts to increase cybersecurity, it is clear that we are still so incredibly vulnerable to our individual behaviors. From the kings to the cooks in our castles we still give so much away freely. One might argue that if we don’t fix that it doesn’t matter what we spend on cybersecurity technology. Our Security Culture collectively does not get a good score and we are beholden to our common denominator, team members.

    A new norm where people routinely don’t trust other connections, messages, connectivity and make isolated exceptions vs continually accepting everything everywhere at face value is the shift we all need to make. It’s a paradigm shift that calls for us as human beings to change fundamentally how we relate with connected technology. The origin of this infrastructure springs from research projects connecting trusted technology, but that is not where we find ourselves today at all. I won’t claim to have all the answers but, rather, ask the question: “What can we {all of us} and CS2AI, as an organization, do to increase ‘buy-in’ regarding the necessity to raise all of our cyber behaviors to a new level?”

  • The Chairman's Minute: Dropping Our Routines For A Day (or Two)

    By Derek Harp
    November, 2019

    It is easy for our daily workloads, our meetings, emails and phone calls to become routine. We start to focus on tasks and neglect to view the big picture or to even look around. We don’t "smell the roses," and make sure to include re-energizing activities in our life. Don't get me wrong - as an entrepreneur, creating and developing organizations is what I love doing, so much so that it might be less a career choice and more a calling, but we all periodically need to get some distance from the tactical aspects of what we're doing.

    For me, the SecurityWeek ICS Cyber Security Conference in Atlanta last month was just the thing I needed. I dropped out of nearly all of my regular routines to stay present, in the moment, at the conference. In addition to the privilege of being able to speak in two general sessions and attending some great workshops, (CS)²AI Co-Founder Bengt Gregory-Brown and I staffed a (CS)²AI booth at the event. That was the first time (CS)²AI has done that. As a non-profit organization we didn't have the glamorous tchotchkes that all the vendors did (though we did have a book from one of our partners to give out - thanks Waterfall!) but a steady stream of people still came up to talk with us at all times every day. Some were already familiar with (CS)²AI, some already members looking to find out more about what the global organization does beyond their local chapters, and some were companies that wanted to get involved as a partner. Others didn't know much about us yet and were eager to learn more, plainly stating that this is just what they needed to help them and their teams and asking how to get chapters started in their home areas. I talked to a lot of ICS security professionals, telling the story of how (CS)²AI came to be what it is today and sharing the vision of where we see this “members working for members” organization going in the future.

    Sharing things I find exciting never fails to rev me up, and this was no exception. On top of that, though, I did a lot of listening. People told me about their situations, their work environments, the ICS security challenges they were dealing with, and their sense that, prior to meeting us at the conference, they were alone, the only ones dealing with these problems. Every conversation just reaffirmed to me how critically important our mission of uniting peers in the industry was and continues to be. One aspect of being an entrepreneur is that I always have routine work to get done, and that can compete with allocating time to passion projects like (CS)²AI. Among all of the things I took away from my week at the conference, the interaction with colleagues who see the importance of this work as clearly as I do may be the most meaningful. As we are about to start the Thanksgiving holiday here in the United States next week, I am thankful for all the volunteers locally and globally that make (CS)²AI what it is today.

  • The Chairman's Minute: The COVID-19 Treadmill

    By: Derek Harp
    May, 2020

    The last 60 days have been quite an experience, to say the least. I find I really don’t feel I am in a position to complain when I know that so many more are experiencing real pain and permanent loss. My heart is heavy on some days for that. As I was taking one of my daily “walk & talks” that I have done during COVID-19 (150+ miles in April!), I found myself answering the question “how are you?” with the statement “I feel like I am riding a unicycle on a treadmill”. Once I got home, I thought of a few more elements to add to the comic, but for me this image sums up some significant themes of trying to balance work, socialize virtually, learn, exercise, homeschool and just cope! In truth, ole Yellowshirt here appears a bit more negative than I do most days. In fact, my family and I have worked hard to find things to celebrate and be positive about, and I hope you are finding those too.

    It seems that with all that, cybersecurity might take a real backseat to other priorities. But we know that must not be the case. It is more important than ever to NOT let your guard down now. COVID-19 themed hacker tactics and techniques are being used widely. I recently had the opportunity to talk with a few CS2AI advisors and members about this and have included a video with some of their comments in this issue.

    Keep safe, keep healthy, and keep vigilant,
    Derek
