CYBER NEWS TIDBITS 4 U APRIL 2014

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

+++   SD/SoCAL items of interest / opportunities
+++   Likely KEY news you can use (might be impactful in some way)
+++   Other items of FYI / FYSA level interest (skim as you have time, or if the topic suits you: efficiencies, ways to do business, etc.)
+++   Threats / bad news stuff / etc.

Ciao

Mike

Cyber security is serious business for us all – so ACT accordingly!

http://www.linkedin.com/in/mikedavissd

—————————————————————————–

OK… an update on the subject of… Heartbleed…

…A few who like to skim my cyber news grams early on already asked about Heartbleed, and whether there was a bigger picture too – YES there is – so I enclosed a focused dialogue below on just that perspective…

YES, it’s a tad long email… but what if you could have a process / capability RIGHT NOW that made this SSL flaw heartache a relative ‘don’t care’ in data protection, and that also worked for other structural flaws yet to be discovered… would you read a little further? ;-))

AND for those of you who think you know this vulnerability well, have it patched already, or have the latest version installed and new certs deployed… okay, good for now – but guess again.

This SSL problem is but the first of many more threats, as we WILL have more systemic security flaws come up next; there’s nothing special about Heartbleed. It’s another flaw in a popular library of modules that can expose a lot of servers / services to attack. The danger lies in the way software libraries are built and whether they can be trusted, including the proliferation of APIs needed for “IoT”!

Again, Heartbleed is only the tip of the iceberg, where MANY more structural flaws are waiting to be discovered; just as we deal with zero-day flaws in apps, NOW the vulnerabilities in infrastructure components will become more apparent too.

For a reference there, read the article I enclosed in the tidbit below, where Corey shows how to use a little “security by obscurity” to make the hacker’s job much harder with common modules / calls… Also there is another article just today where the hacker groups talk about ALL the other infrastructure things we need to protect against… WE strongly concur:

http://www.ibtimes.com/hackers-warn-about-future-threats-how-guard-against-next-heartbleed-1573074

Worried about NSA snooping? Well, everyone does it… they “say” it’s for analytics and to offer you better services, products, etc… yea right… As you know, ALL browsers and web sites track your info… Hence our ‘privacy by design’ approach is so critical, and needed everywhere, not ‘just’ protecting the key PII / personal data, but that and much more… see what Google openly admits…

http://thehackernews.com/2014/04/google-admits-that-it-reads-your-emails.html?m=1

THUS we suggest you LIVE the data-centric security (DCS) approach as a cyber model!

In short, this SSL flaw may / should be the 9/11 wake-up call to what we generally thought (hoped?) was a secure enough security infrastructure… and it is NOT… ;-((

——————————

+++  So, what is the real issue then, what is a way forward that we can implement right NOW, and how can I back that assertion up? I thinned down and highlighted my tidbit notes that apply in RED, below (hopefully the color comes through; anyway, all the articles / points below are relevant).

A – We should start at the top: what are our collective overall cyber requirements, and what should our collective cyber vision / goal be? We submit one here that is lofty, but obtainable now:

To collaboratively develop a common, overarching cyber model that allows us to provide and implement a common homogeneous security posture, providing an ‘adequate’ level of business risk minimization, in a shared-vulnerabilities environment with heterogeneous components and uneven trust… AND all while supporting the increased demands / needs for privacy protection at various levels…

This IS doable to a great extent, NOW… Review our ‘privacy by design (PbD)’ cyber model news tidbit below, which is based on data-centric security (DCS) principles… ALSO see the great post by Crypteron, one of our PbD cyber model’s key capability providers, who make superb DCS capabilities… check them out for yourself!

http://crypteron.com/Heartbleed_Vulnerability

B – So what is the KEY issue? We submit that we cannot assume any part of the infrastructure is trusted, especially those capabilities we do not own (yet we know from the cyber hygiene statistics that our own gear is used against us now; for those facts, see the last 2 slides in our PbD cyber model brief).

Thus we must design our systems on consequence-based risk management, not just chasing threats, which are elusive. In this case of SSL flaws (though the approach works with ANY protocol / library module) we propose two relatively easy measures to employ that will vastly reduce your overall risk exposure NOW!

(1) Take a data-centric security (DCS) approach: encapsulate and protect the data and controls (apps / protocols) at the source (à la object-oriented programming (OOP) methods: encapsulate and abstract).

As noted earlier, we are finalizing a cyber model for ‘Privacy by Design (PbD)’ that has DCS at its core, along with the inoculating effect DCS has on reducing the threat vectors of the layers below it (or, in ‘cloud speak’, a PaaS model). Essentially our PbD cyber model is just finessing and integrating the principles and cyber capabilities in the DCS and defense-in-depth approach we already know well, where our notional cyber model will tie all capabilities in / harmonize them (yes, that is possible)!!! The KEY slides on our cyber model to this point are then slide 16 (taking a “PaaS” security model on apps & data protection), slides 19 & 20 for the data services to ensure are secure, slide 24, which shows the cyber “OOP” approach, where we encapsulate the data, controls, and code (just like OOP does for abstraction, but we do the same thing for security, including crypto-binding the key C2 aspects)… and slide 31, the proposed cyber model to do all that (which, btw, is only a placeholder for the moment).

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design_draft.pdf

(2) Tailor / tweak / implement the standard libraries, procedure calls, etc. in different ways on site / premise, so the bad guys can’t automate bots that work everywhere (aka APTs)… E.g., a little smart application of targeted ‘security by obscurity’ goes a long way, and is easy to do too… for that aspect I think Corey is right on in his article on simple things to do to make it harder to automate attacks, at:

http://www.darkreading.com/risk/how-a-little-obscurity-can-bolster-security/d/d-id/1204452?_mc=RSS_DR_EDT&cid=NL_DR_Daily&elq=%3Cspan+class%3Deloquaemail%3Erecipientid%3C%2Fspan%3E&elq=0695cc9a730845ed99c16ac884cecbdb&elqCampaignId=2349

SO… good on you IF you read this far, so you DO care about the most effective way to DO cyber… AND of course the main objective, reducing business risks and minimizing third-party liabilities, especially those 3rd-party lawsuits due to data breaches – which are a huge revenue black hole… ;-((

So while we are still finalizing our cyber model picture / illustration (slide 31), trust me a little when I say we have the key technology to DO what we propose in our PbD cyber model and do that right NOW…;-))


——————

Cyber team mates:

Another weekly security news gram… (I’ve been swamped, so it’s been a few weeks…)

+++  Likely news you can use…

Our SD IEEE Cyber SIG Cyber Security Entrepreneur Workshop went very well: 70+ attendees.

The 5 briefs and 12 product overviews were very germane to what is needed now in cyber. Especially 2 security-focused mobile apps, ObjectSecurity (policy security), Crypteron (data security) and TrustWand (SCM / CDM / SIEM) – GREAT cyber stuff!! There are likely several capabilities and companies you can leverage and team with.

http://www.sciap.org/blog1/?page_id=1554

– Our next IEEE Cyber SIG theme is “Privacy by Design (PbD)”, where we’ll provide a cyber functional model that enables PbD using data-centric security (DCS)… and it’s already well in work, so we’ll move this topic forward quickly. YET, essentially it is just finessing the principles and cyber capabilities in the DCS and defense-in-depth approach we already know well, where the notional cyber model will tie all capabilities in / harmonize them (yes, that is possible)!!! Our “PRE-DRAFT” PbD cyber model slides are at (best to copy and paste the link):

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design_draft.pdf

+ Heartbleed – you have heard enough… BUT there are several good links in the threat section at the end…

+ There’s nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

How A Little Obscurity Can Bolster Security

http://www.darkreading.com/risk/how-a-little-obscurity-can-bolster-security/d/d-id/1204452?_mc=RSS_DR_EDT&cid=NL_DR_Daily&elq=%3Cspan+class%3Deloquaemail%3Erecipientid%3C%2Fspan%3E&elq=0695cc9a730845ed99c16ac884cecbdb&elqCampaignId=2349

Most security professionals deride the idea of “security by obscurity.” Is it time to re-evaluate the conventional wisdom?

+++  FYI / FYSA  Items of interest…

+   Who’s Spying on Your Company?

You’re aware of the threats of malware to your business, but what about the ever-changing ground rules? Cybercriminals today are launching attacks against businesses by copying sophisticated malware and techniques used to target governments and high-profile organizations.

Don’t get caught in the crossfire.  Read this special report “Who’s spying on you?” from Kaspersky Lab, covering the techniques cyber criminals use, common exploited vulnerabilities, collateral damage from cyber espionage, and how to protect your business from cyber spies.

http://www.findwhitepapers.com/force-download.php?id=33829

Four Great Tips: Cloud Security for Big Data

http://cloudcomputing.sys-con.com/node/3044886

1. Encrypt sensitive data (seriously)

2. Look for cloud security solutions that can architecturally scale

3. Automate as much as possible

4. Do not compromise on data security

+  SEC defends email privacy practices

The Securities and Exchange Commission (SEC) on Tuesday defended its practice of obtaining emails older than 180 days without a warrant. SEC Chairwoman Mary Jo White told the House Appropriations subcommittee on financial services that her agency protects people’s privacy when it uses subpoenas — rather than warrants, which have a higher burden of proof — to access emails. Under the Electronic Privacy Communications Act, law enforcement officials do not need a warrant to access electronic communications that have been stored for more than three months. Attempts to update that law — including from Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Reps. Kevin Yoder (R-Kan.), Tom Graves (R-Ga.) and Jared Polis (D-Colo.) — have been largely supported by law enforcement agencies but have faced backlash from civil agencies, like the SEC.

http://thehill.com/blogs/hillicon-valley/technology/202429-sec-defends-email-privacy-practices

+++  THREATs  / bad news stuff / etc…

+ 7 Professions Hackers Are More Likely to Target

Corporations and IT Departments face a new, dangerous reality: Weaponized malware and advanced persistent threats, or APTs, have emerged as real perils. Yet many security pros believe these threats pose no danger to their organizations. The notion that weaponized malware and APTs are used to target governments or specific industries is wrong. The reality is these tactics WILL BE USED against virtually any organization, large or small, in any industry.  See PAPER at:

https://subscriber.emediausa.com/FM/GetFile.aspx?id=41157

+ Heartbleed Facts: Vulnerability Discovery, Mitigation Continue (GOOD overall article)

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/11-heartbleed-facts-vulnerability-discovery-mitigation-continue/d/d-id/1204536?_mc=RSS_DR_EDT&cid=NL_DR_Daily&elq=%3Cspan+class%3Deloquaemail%3Erecipientid%3C%2Fspan%3E&elq=79c3afd4c5fa42eb888189bdf5af3c55&elqCampaignId=2415

+ Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab

The Heartbleed Bug disclosed by the OpenSSL group on April 7 has sent many vendors scurrying to patch their products and that includes security firms Symantec, Intel Security’s McAfee division, and Kaspersky Lab. Heartbleed is basically a buffer-overflow vulnerability in the flawed versions of OpenSSL that would allow savvy attackers to steal data such as passwords or digital certificates. A German software engineer has admitted to unwittingly inserting the Heartbleed Bug vulnerability two years ago in OpenSSL, and it now has a significant portion of the high-tech industry patching servers, client software, network gear and security products. In investigating their own product lines in recent days, Symantec, McAfee and Kaspersky Lab, among others, have been busy de-bugging the Heartbleed Bug out of their products. The process of investigating the impact of Heartbleed is still ongoing and in some cases, patches for products seen as vulnerable are still to be released.

http://www.networkworld.com/news/2014/041514-heartbleed-bug-irritating-280721.html
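An added illustration (not from the newsletter or any article it links): a constructed stand-in for the TLS heartbeat handler, showing the missing length check (the bug is a buffer over-read) beside the single comparison that the OpenSSL fix added. The record layout, the `memory` array, the secret value and the function names are all made up for the demo; what it shows is why trusting the peer-supplied payload length lets the echo copy bytes past the record, and why the bounds check stops it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RECORD_LEN 21 /* 1 type + 2 length + 2 real payload + 16 padding */

/* Constructed process memory (demo values only): one decrypted heartbeat
 * record, followed by a "secret" that happens to sit right after it. */
static const uint8_t memory[] = {
    0x01, 0x00, 0x1b,                   /* type = request, CLAIMED length 27 */
    'h', 'i',                           /* the payload actually sent: 2 bytes */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,    /* 16 bytes of padding */
    'S','E','C','R','E','T','K','E','Y' /* adjacent memory, not in the record */
};
typedef struct { const uint8_t *data; size_t length; } record_t;

/* Build the heartbeat response into out. check_bounds = 0 mirrors the
 * pre-fix logic: the claimed length is trusted and the copy runs past the
 * record. Returns the echoed payload length, or -1 if the record is dropped. */
static int heartbeat_reply(const record_t *rec, uint8_t *out, size_t out_len,
                           int check_bounds)
{
    if (rec->length < 3) return -1;
    const uint8_t *p = rec->data;
    unsigned int payload = ((unsigned int)p[1] << 8) | p[2];
    /* The fix: header + claimed payload + minimum padding must fit the record. */
    if (check_bounds && 1 + 2 + payload + 16 > rec->length) return -1;
    if (3 + (size_t)payload > out_len) return -1; /* keeps the demo itself in bounds */
    out[0] = 2; out[1] = p[1]; out[2] = p[2];  /* response type + echoed length */
    memcpy(out + 3, p + 3, payload);           /* over-reads the record when unchecked */
    return (int)payload;
}

/* Bytes from beyond the record that reached the reply; -1 if it was rejected. */
static int leaked_bytes(int check_bounds)
{
    record_t rec = { memory, RECORD_LEN };
    uint8_t reply[64] = {0};
    int n = heartbeat_reply(&rec, reply, sizeof reply, check_bounds);
    if (n < 0) return -1;
    int extra = n - (RECORD_LEN - 3);
    if (extra <= 0) return 0;
    /* the extra bytes are exactly the memory that followed the record */
    return memcmp(reply + RECORD_LEN, memory + RECORD_LEN, extra) == 0 ? extra : -2;
}

int main(void)
{
    printf("unchecked: %d secret bytes leaked\n", leaked_bytes(0)); /* 9 */
    printf("with fix:  %d (record rejected)\n", leaked_bytes(1));   /* -1 */
    return 0;
}
```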

 

 

AND

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

http://bits.blogs.nytimes.com/2014/04/09/qa-on-heartbleed-a-flaw-missed-by-the-masses/?_php=true&_type=blogs&cid=146325&ctst=1&_r=0

http://mashable.com/2014/04/09/heartbleed-nightmare/?utm_cid=mash-com-fb-main-link
