Wednesday, December 26, 2012

Wednesday, December 12, 2012

Cyber Security: Why don't computer users take passwords seriously?

This article highlights interesting facts about password usage and describes how many people fail to take these security measures seriously.

Why don't computer users take passwords seriously? - Topix

Tuesday, December 11, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of December 3

Click the link below to view the summary of cyber security vulnerabilities for the week of December 3 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-345.html


Thursday, December 6, 2012

Cyber Security: The 12 scams of Christmas

Internet shopping will reach its peak this season with 70% of people planning to shop online and 1 in 4 shoppers using mobile devices. Read about the most dangerous internet scams by clicking the link below.

12 scams of Christmas

Wednesday, December 5, 2012

Cyber Security Advisor Newsletter – Nov. 2012 vol. 14

I’m sure you’ve heard the saying "When it rains, it pours," meaning when things go wrong, they REALLY go wrong. With the floods in the Northeastern US and Northern California and the flash flooding in the UK, I think we’ve had our share of weather. I’m starting to get flooded now in a different way, as I’m sure you are too, with news about the latest attacks in our industry and against our clients. I hope this message is not finding you or your organization too unprepared.

This month in Volume 14, with the rising popularity of Bring Your Own Device (BYOD), we thought it was appropriate to discuss this up and coming activity.

As we continue our efforts to educate on the need to address cyber security, the details that rise to the top are consistent. All successful Security Solutions are part of an overall program that addresses who will manage, maintain, and upgrade the solution for its lifetime. We find too many firewalls that no one has looked at since they were installed, or that have so many holes punched through them that you might as well not have them in place. The message is, consider what the needs are, develop a program, THEN determine the technical controls. I know the geek in all of us makes us want to jump to the technology first.
Click here for this month's issue.

Monday, December 3, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of November 26


Click the link below to view the summary of cyber security vulnerabilities for the week of November 26 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-338.html


Tuesday, November 27, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of November 19

Click the link below to view the summary of cyber security vulnerabilities for the week of November 19 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-331.html


Cyber Security: The importance of updating your browser

Almost 25% of browsers currently in use are out of date. Read why it's important to keep your browser patched to the latest version.

Out-of-date, vulnerable browsers put users at risk

Monday, November 26, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of November 12

Click the link below to view the summary of cyber security vulnerabilities for the week of November 12 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-324.html

Thursday, November 22, 2012

Thursday, November 15, 2012

Cyber Security: The phish are always biting

Although the uptimes of phishing attacks have decreased slightly, hackers are hosting more and more phishing websites.

Phishing websites proliferate at record speed

Tuesday, November 13, 2012

Cyber Security: Has your HPI vendor addressed cyber security?

Read how HPI companies are addressing cyber security at their operating facilities.

http://www.hydrocarbonprocessing.com/IssueArticle/3110153/Archive/Industry-Perspectives.html

“Cyber security solutions are most effective when the supplier and user share responsibility. Users should seek a vendor who not only helps them implement various degrees of control network protection and fully manage their security functionality 24/7, but one that actively works with government entities, like the DOE Energy Roadmap, industry-specific programs, like NERC, Critical Infrastructure Protection (CIP), and other standards bodies, such as the International Society of Automation (ISA), to develop new standards. This level of involvement allows the vendor to validate and adopt advanced cyber-security techniques and solutions that keep the user more secure, but more importantly, more vigilant.”

—Doug Clifton, Director, Critical Infrastructure and Security Practice, Invensys Operations Management


Cyber Security: Low cost wireless security breach - Jawbreaker

Jawbreaker, a "software-defined radio," could give hackers of all skill levels a chance to hone their skills.

HackRF Jawbreaker Could Bring Low-Cost Wireless Hacking to the Masses

Monday, November 12, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of November 5

Click the link below to view the summary of cyber security vulnerabilities for the week of November 5 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-317.html

Tuesday, November 6, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of October 29

Click the link below to view the summary of cyber security vulnerabilities for the week of October 29 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-310.html

Cyber Security: History repeats itself - will we ever learn?

Early cyber events in the late 1990s perpetuated a security revolution, but as new technologies emerge, we find ourselves back where we started.

Friday, November 2, 2012

Cyber Security Advisor Newsletter - October 2012 vol 13


This month, with the rising popularity of Social Media, we thought it was appropriate to discuss some NEW attack vectors out there. Also, don't forget our Consultant's Corner. Steve Batson, Principal Consultant-Critical Infrastructure & Security Practice, talks about Cyber Security and staying ahead of the curve in the Nuclear industry.

As we continue our efforts to educate on the need to address cyber security, the details that rise to the top are consistent. All successful Security Solutions are part of an overall program that addresses who will manage, maintain and upgrade the solution for its lifetime. We find too many firewalls installed that no one has looked at since they were installed, or that have so many holes punched through them that you might as well not have them in place. The message is, consider what the needs are, develop a program, THEN determine the technical controls. I know the geek in all of us makes us want to jump to the technology first.



Click here for this month's newsletter

Thursday, November 1, 2012

Wednesday, October 31, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of October 22

Click the link below to view the summary of cyber security vulnerabilities for the week of October 22 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-303.html


Tuesday, October 30, 2012

Cyber Security: How secure is your digital life?

You may be sharing more personal information online than you think you are. Read this article for tips on how to better protect yourself online and avoid identity theft or remote data wipes.

http://www.pcworld.com/article/2010300/just-how-hackable-is-your-digital-life.html


Thursday, October 25, 2012

Cyber Security: The hacker ate my homework - 100 colleges hacked

Education websites all over the world are being hacked. View the list of affected universities and read the note written by the leader of the hacking group responsible, TeamGhostShell.

100 Education hacked, thousands of accounts leaked by @TeamGhostShell


Tuesday, October 23, 2012

Cyber Security: Virgin Mobile customers in danger of being hacked

Virgin Mobile's password policy requires users to select a 6-digit numerical password. Read about the major security concerns and how it would only take hackers 1 million guesses to take over your cellular account.

http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/

Thursday, October 18, 2012

Cyber Security: What You Don't Know Can Hurt You

The number of mobile malware instances has increased from 14,000 to 40,000 in less than a year, mostly due to lack of cyber security awareness among consumers.

Infosecurity - Mobile malware up 185% amid a lack of consumer awareness


Tuesday, October 16, 2012

Cyber Security: Historic DDoS attacks against U.S. banks continue

PNC, out of Pittsburgh, joins Wells Fargo, J.P. Morgan Chase & Co. and Bank of America on a list of banks taken offline, reportedly by a group who claimed responsibility for the attacks as retaliation for the portrayal of Muslims in “Innocence of Muslims,” a series of movie trailers uploaded to YouTube.

http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712

Monday, October 15, 2012

Attend the free webinar on “Cyber Security: A Catalyst for Modernization”

Learn from our experts on what the impact and role Cyber Security is playing within a plant’s operational processes and business requirements.
Date: October 24, 2012, at 10 AM Eastern or 5 PM Pacific

Register Here

Thursday, October 11, 2012

Cyber Security: ICS-CERT Vulnerability Summary for Week of October 1

Click the link below to view the summary of cyber security vulnerabilities for the week of October 1 as collected and reported by ICS-CERT.

http://www.us-cert.gov/cas/bulletins/SB12-282.html

Cyber Security: September 2012 ICS-CERT Monthly Monitor

View ICS-CERT's September 2012 newsletter, with a feature article on the Shamoon virus.

http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Sep2012.pdf


Cyber Security: FERC Opens Cyber Security Office

A new FERC office, Office of Energy Infrastructure Security (OEIS), will focus on potential cyber and physical security risks to energy facilities under its jurisdiction.

Cybersecurity malware hackers computer viruses | Homeland Security News Wire

Monday, October 8, 2012

Cyber Security Advisor Newsletter - Sept 2012 vol 12


Greetings, Our 12th volume... It’s hard to believe that it’s been a year since we launched the 'Cyber Security Advisor' to help get the message out.
We have had lots of inquiries to help our clients with their cyber requirements. This past month, there has been no shortage of these requests. This month’s newsletter focuses on some of these recent attacks and provides you some stories about what’s going on out there. We know that installing firewalls just does not cut it anymore...or did it ever? We know that comprehensive programs that support strong patching, logging, access controls and network management and monitoring are a must.
Don’t miss this month's Consultant's Corner piece by Bill Owen. He’s offering some perspective on Incident Response.

Click here for this month's issue

Wednesday, October 3, 2012

Cyber Security: Can a password ever be fully secure?

Charles Smith, Invensys Critical Infrastructure & Security Practice consultant, gives tips on how to create strong passwords.

Is your password really secure? As recent news articles have shown, it probably isn’t. Just over the last few months, LinkedIn, Yahoo, Blizzard Games, and others have been hacked and customer passwords stolen. Last year, Sony’s Playstation Network was hacked and not only were passwords captured, but also other personal customer information.

What can be the impact of having your personal information stolen? Many hacker groups are no longer concerned about capturing passwords and instead thrive on personal information. They use this information to perform a "social engineering" attack on people by impersonating someone from a company the victim does business with. They are usually prepared with some information they have already stolen to convince victims that they are legit, and then they will attempt to gather more information such as a credit card number, social security number, or something like a "secret question answer." This allows them to access private accounts and recover or change passwords. They can use this information to wreak havoc on people’s online lives just as if they had originally stolen someone’s password.

What can you do to protect yourself if a vendor does not adequately protect your personal information? There are three things you can do:
  1. Use complex, yet easy-to-remember passwords, as Tom Jackson stated in Issue 8 of the Cyber Advisor (May 2012).
  2. Do not link your online accounts together. Sites such as Yahoo now allow you to sign in using your Facebook username and password. While it may be tempting to link accounts to reduce the number of passwords to remember, if one account gets hacked, then all of your accounts can get hacked. If you must link accounts, only link non-secure accounts together. For example, you might link two social media accounts as long as they aren’t linked to your email or an account with credit card information (like eBay or Amazon).
  3. Use two-factor authentication. Two-factor authentication is where you use "something you know" and "something you have" to log in to your account. If you work for a large company and have VPN access, then you may already be using two-factor authentication if you have a key fob in addition to your network password.
Yahoo now offers the option of having a code sent via text message to your cell phone to access your account. You use this feature by entering your username and password online, and then Yahoo will send a code to your cell phone that must be entered before you can access your account. In this case, even if a hacker has stolen your password, they cannot access your account unless they have physically stolen your cell phone as well. Two-factor authentication isn’t offered by every online service yet, but it is gaining popularity. Click here for more information on two-factor authentication.

If you follow the three key points above, then your information will be much more secure in today’s online world.
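The two-factor flow described in point 3 (password first, then a one-time code delivered out of band) is easy to get wrong on the server side: the code must be bound to the user who passed the first factor, expire, be usable once, and resist being guessed, since a 6-digit code has only a million possibilities (the same concern the Virgin Mobile post above raises for 6-digit passwords). The following is an added example, not code from the original post or from Yahoo or Invensys. It assumes an in-memory user store, PBKDF2 for password hashing with an iteration count chosen here, a 5-minute code lifetime, a cap of three wrong code attempts, and that "sending" the code by text message is simulated by returning it to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store for the example; a real service keeps
# this in a database and never stores the plaintext password.
USERS = {}

PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to your hardware
CODE_TTL_SECONDS = 300    # assumed lifetime of a texted code
MAX_CODE_ATTEMPTS = 3     # assumed cap before the pending code is discarded


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username, password):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "pending": None}


def check_password(username, password):
    """First factor: 'something you know'. Returns True only on an exact match."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def issue_code(username, now=None):
    """Second factor setup: a fresh 6-digit one-time code bound to this user.

    Returning the code stands in for sending it by SMS; the caller must not
    show it to the browser session that is logging in.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    USERS[username]["pending"] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(username, submitted, now=None):
    """Second factor: 'something you have'. Single use, time-limited, attempt-capped."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["pending"] is None:
        return False
    pending = user["pending"]
    if now > pending["expires"]:
        user["pending"] = None          # stale code is discarded, not reusable
        return False
    pending["attempts"] += 1
    ok = hmac.compare_digest(pending["code"].encode(), submitted.encode())
    if ok or pending["attempts"] >= MAX_CODE_ATTEMPTS:
        # A code is consumed on success, and also thrown away after too many
        # wrong guesses, so a 6-digit space cannot simply be enumerated.
        user["pending"] = None
    return ok


if __name__ == "__main__":
    register("alice", "correct horse battery staple")   # constructed sample user
    if check_password("alice", "correct horse battery staple"):
        texted = issue_code("alice")                      # would go out over SMS
        print("second factor accepted:", verify_code("alice", texted))
```

The design choice worth noting is that the code is invalidated on success, on expiry, and after a small number of failures; without the last rule a short numeric code is only as strong as the rate at which the server lets someone try it.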

Tuesday, October 2, 2012

National Cyber Security Awareness Month


October is National Cyber Security Awareness Month and the Department of Homeland Security and National Cyber Security Alliance encourage all computer users to be safe and secure online with tips and weekly themes throughout the month. This year’s weekly themes are:

Week 1: Stop. Think. Connect.
Week 2: Law Enforcement and Cyber Security
Week 3: Industry Efforts in Cyber Security
Week 4: K-Life: Digital Literacy Efforts

For tips on what you can do to stay safe online, visit http://stopthinkconnect.org/tips-and-advice/

http://www.staysafeonline.org

Monday, October 1, 2012

Cyber Security: White House confirms spearphishing intrusion

Hackers with ties to China's government have successfully targeted the White House in a spearphishing attack aimed at one of its internal computer networks, reportedly a military office in charge of the president's communications.

Wednesday, September 26, 2012

Cyber Security: Brain hacking? Not as impossible as you might think

New technology suggests that hackers could potentially steal information right from your mind using brain computer interfaces (BCIs) or neuro-headsets that send signals emitted over Bluetooth devices. Early studies show that these signals can reveal private information such as birth month, PIN numbers, bank names, and acquaintances, which increase the chances of hackers correctly guessing your passwords.


Wednesday, September 19, 2012

Cyber Security: No device is safe from hackers

With more than 90 million types of malware now on the rise, PCs are not the only devices in danger of being hacked. Smartphones, social media accounts, and other websites have become major targets for cybercrime, whether hackers are infecting your device through website visits or virtually taking control of your smartphone and holding it for ransom in exchange for money.

Wednesday, September 12, 2012

Cyber Security: Does Cybercrime cost $1 Trillion?

Does cybercrime really cost $1 trillion? According to some Washington think tanks that just pored over the research, the answer may stun you...YES! What may stun you even more is that the number might even be low.

http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion


Tuesday, September 4, 2012

Cyber Security Advisor Newsletter - Aug 2012 vol 11

This past month, cyber attacks on industrial companies were common news reports. There has been significant damage to companies’ IT networks and infrastructure. I’ve seen postings of their router/firewall passwords...even their CEO’s email password. We will soon see a full court press from all sorts of IT vendors selling their latest security innovation or products. Buying the latest firewall might make them feel more secure, but unless it’s part of a larger program, I’m afraid they are no better off. And let’s face it, while these vendors think they are doing the right thing, they don’t really understand the environments or safety risks our clients are challenged with daily.

We see the need to assist our clients and are prepared to suggest a planned approach that covers a defense-in-depth model with supporting practices of Incident Response, Disaster Recovery, System Monitoring, among others.  The Invensys Critical Infrastructure and Security Practice (CISP) has the skills and the resources to help our clients no matter what industry they are in. We understand that a comprehensive cyber security program is so much more than firewalls and anti-virus. Invensys CISP is structured to help with the entire cyber security program.

Wednesday, August 29, 2012

Wednesday, August 22, 2012

Cyber Security: Your webpage may be the front door for hackers

An interesting article on eWeek.com about data compiled by Imperva found that the typical web application will be targeted with high-volume attacks and that SQL-injection attacks are the most common. This data is very important to note since a company’s web applications are attacked almost 120 days of the year.


Thursday, August 16, 2012

Cyber Security: Apple and Amazon change policies

We have all read articles about companies getting hacked and having customer information stolen, or read statistics about how many PCs are infected with malware and viruses from hackers.  Here is a story about David and Goliath that made change happen:


Tuesday, August 7, 2012

Cyber Security: I've Been Hacked

Unfortunately getting hacked is all too common these days. This article recounts what a writer went through when he was targeted by a hacker group.

What Getting Hacked Feels Like - Technology - The Atlantic Wire

Thursday, August 2, 2012

Cyber Security Advisor Newsletter - July 2012 vol 10

The July 2012 Volume 10 of the Invensys Critical Infrastructure and Security Practice (CISP) newsletter is a focus on NERC CIP information. It’s important that power plants and utilities understand how this one standard impacts them. We believe the trends and best practices that can be taken from a solid NERC CIP compliance program help all our clients.

The Invensys Critical Infrastructure and Security Practice has the skills and the resources to help you or your clients no matter what industry. Cyber security is so much more than Firewalls and Antivirus. We can help cut through the Fear, Uncertainty, and Doubt (FUD). We are structured to help you with your entire Cyber Security program.

Click here for this month's newsletter

Friday, July 27, 2012

Cyber Security: Homes of the future are vulnerable to cyber attacks

Black Hat 2012 has been in Las Vegas all this week (7/21-26). There are always fascinating stories about cyber security that come out at the show, like this one from Click Orlando about how vulnerable homes of the future will be:


With every home on the smart grid, every home with multiple PCs, the ubiquitous smart phone and wireless tablets, the attack vectors would seem endless.  As technology advances, there is a heightened need for cyber security to combat the imminent consequences.


Monday, July 23, 2012

Cyber Security: AWWA - Water Treatment - Update

AWWA ACE12 — Dallas, TX June 10-13, 2012

The AWWA annual conference for 2012 has come and gone. It was a great conference in many respects this year: It was held in my home state of Texas, it was the first year we had a cyber security presence in our booth, I participated in my first standards committee meeting as a voting member, and we started reviewing the ANSI/AWWA G430 “Security Practices for Operation and Management” standard.

Cyber security and water are two words I would have never thought would appear in the same sentence, given my background in process controls and the many times I’ve been at some remote well site with nothing but a chain link fence and a padlock between me and the PLC (which I could access wirelessly) that operated the site. Then, on that fateful day of September 11, 2001, everything changed. Homeland Security Presidential Directive-7 identified the “Critical Infrastructure and key resources which provide the essential services that underpin American society.” One of the eighteen was drinking water and waste water treatment systems. In response, the Water Sector Coordinating Council Cyber Security Working Group (sponsored by American Water Works Association and the Department of Homeland Security) released the “Roadmap to Secure Control Systems in the Water Sector” in March 2008. This document captured many findings and recommendations and is one of the driving factors behind the development of the ANSI/AWWA G430 standard. In my opinion, we are still in the phase of educating the industry about cyber security, its value, and the potential consequences of ignoring it.

As late as last year (coincidentally over the September 11th weekend) at the 2011 Water Security and Emergency Preparedness Conference in Nashville, TN, I saw hardly any cyber security representation. Security was still identified as fences, locks, cameras, contamination monitoring, anything to physically keep the bad guys out. There was little attention paid to that PLC behind the fence that was now directly accessible from the internet. I’m glad to say that I think things are definitely changing. I’ve had several opportunities to speak at regional AWWA/WEF events about cyber security and I managed to volunteer for the standards committee. Enquiries from water and wastewater clients increasingly concern cyber security. This year is looking bright; we just finished up the AWWA annual conference, the standard draft is making its rounds, I’ve had conversations with high-level members of AWWA saying that cyber security is a major initiative, and I’m on the schedule to present at the 2012 Water Security and Emergency Preparedness Conference “Best Practices in SCADA Cyber Security.”

I look forward to seeing all of you in St. Louis, MO September 9-12, 2012.

Michael Martinez
Principal, Critical Infrastructure & Security Practice
Invensys


Tuesday, July 17, 2012

Cyber Security Advisor Newsletter - June 2012 vol 9

Volume 9 of the Invensys Critical Infrastructure and Security Practice (CISP) newsletter focuses on "Compliance vs. Cyber Security"

We have conversations about compliance with our clients on a regular basis. There is typically some confusion about what compliance means when it involves cyber security. The discussion focuses a lot on what needs to be done to comply. This edition covers some of the aspects of compliance programs and how they relate to Cyber Security. Compliance is not always regulatory; compliance could be against internal requirements.

The Critical Infrastructure and Security Practice has the skills and the resources to help your clients no matter what industry. Cyber security is so much more than Firewalls and Antivirus. We are structured to help you with your entire Cyber Security program.


Click here for this month's issue

Monday, July 2, 2012

Cyber Security: Hacking Drones, Students Play

On a dare (and a $1,000 wager) Texas college research students hacked into and hijacked a US Department of Homeland Security (DHS) drone using a technique called ‘spoofing’. The good news was it was an experiment put on for the DHS.  Definitely a teachable moment.  

Students hijack US drone for $1,000 wager - Indian Express