One month after Neiman Marcus was struck by a massive credit card hack, a new report published by Businessweek sheds more light on the breach. Click here for the article.
Cyber Security Compliance for Power, Oil & Gas, Water Treatment, NERC-CIP, NEI 0809 and CFATS
Thursday, February 27, 2014
Wednesday, February 26, 2014
Cyber Security: Hackers using mobile devices to expose sensitive information in cyber attacks
Target, Neiman Marcus, Michaels and the University of Maryland. They’re all major retailers and institutions hit by hackers. So how are they getting all this data? Click here to find out.
Tuesday, February 25, 2014
Cyber Security: Latest iPhone update fixes major security flaw that Apple kept quiet
Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. Click here to read the article.
Monday, February 24, 2014
Cyber Security: ICS-CERT Vulnerability Summary for Week of February 24
Click the link below to view the summary of cyber security
vulnerabilities for the week of February 24 as collected and reported
by ICS-CERT.
http://www.us-cert.gov/ncas/bulletins/SB14-055
Thursday, February 20, 2014
Cyber Security: E-Z-2-Use attack code exploits critical bug in majority of Android phones
Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said. Click here to read the article.
Wednesday, February 19, 2014
Cyber Security: Keeping the Holes Plugged
Charles Smith, consultant for Invensys Critical Infrastructure &
Security Practice, discusses patch management and "keeping the holes plugged."
In our March 2013 newsletter, Todd Wheeler gave some excellent guidance in selecting a patch management tool. That said, one of our team’s most common quotes is:
Cyber security is so much more than firewalls and anti-virus software. All successful security solutions are part of an overall program that addresses who will manage, maintain, and upgrade the solution for its lifetime. The latest and greatest technology can’t really just be dropped in and expected to perform—you must match it with your plans and strategy. The message is: consider what the needs are, develop a program, and then determine the technical controls.
If you’ve started to delve into patch management due to regulatory requirements like NERC, or just as a good business “best practice,” you probably became quickly overwhelmed. In fact, you have probably felt like a person on a cold night with a blanket that is too small. You pull the blanket up to keep your chest warm but then your feet get cold. You pull the blanket down to get your feet warm, but then your chest gets cold. There is constantly a “hole” that you can’t plug to keep yourself warm. The same is true with patch management. Just when you think you have a good handle on Microsoft patches and have that automated, you have to deal with device firmware (PLCs, network equipment, network-connected peripherals) and the whole myriad of other software on the market. It also doesn’t help when many vendors list updates but are not forthcoming in saying which updates are security-related or not.
So, how do you deal with all this “patching uncertainty?” First, keep it simple and look at the title of what you are doing: patch management, not patching perfection. Patch management is all about prioritizing and managing risk. Before patching your environment, you need to establish a patch management program to help you evaluate, prioritize, test, and deploy patches. In some cases, you may even determine not to deploy a patch and rely on other security controls (i.e. compensating measures), such as the anti-virus software and firewall solutions you have in place to mitigate that risk.
How does this approach line up with regulatory requirements? In the case of NERC CIP, it fits in perfectly. For example, the title of NERC CIP 007 R3 Version 4 is “Security Patch Management,” which immediately tells you that your primary focus should be on “security” patches, not every patch ever created. In fact, this NERC CIP standard only requires three key things:
- Evaluate security patches within 30 days of their publication
- Document the implementation of patches (note that no timeframe is given for when you have to deploy the patch)
- Document compensating measures applied to mitigate risk when the patch is not installed
This is just the beginning of establishing a patch management program. Other items, such as the scope of equipment and software for patching, must be determined. The Invensys Critical Infrastructure and Security Practice has the skills and the resources to help our clients, no matter what industry. We are structured to help with the establishment of an entire cyber security program, not just patch management.
Tuesday, February 18, 2014
Cyber Security: Target’s cyber security staff raised concerns in months before breach
Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said. Click here to read the article.
Monday, February 17, 2014
Cyber Security: ICS-CERT Vulnerability Summary for Week of February 10
Click the link below to view the summary of cyber security
vulnerabilities for the week of February 10 as collected and reported
by ICS-CERT.
http://www.us-cert.gov/ncas/bulletins/SB14-048
Thursday, February 13, 2014
Cyber Security: After years, U.S. chains finally turn to security industry to combat hackers
VeriFone Systems, RSA and Ingenico are poised for a gain in sales as U.S. retailers turn to makers of payment terminals and security software for help shoring up their anti-hacking defenses. Read the article here.
Wednesday, February 12, 2014
Cyber Security: 3 popular apps that could put your money at risk
Smartphones have made life much more convenient. With the ability to text, research the Internet, locate places on a map, and listen to music, these devices have allowed us to live easier lives. Read the article here.
Tuesday, February 11, 2014
Cyber Security: Vendor linked to Target data probe
Fazio Mechanical Services of western Pennsylvania has been identified as the third-party vendor through which hackers accessed Target's customer information. Click here to read the article.
Cyber Security: The Global Cyber Advisor Newsletter - Jan. 2014 Vol. 28
Welcome to the latest Global Cyber Advisor Newsletter!
Exciting times are here… not that Cyber Security has not been exciting enough in Process Automation. As you may know, Invensys was acquired by Schneider Electric on January 17, 2014. We are looking at the magnitude of cyber security possibilities to expand our reach to clients to spread our message and help secure more critical assets. The combination of the CISP Global Cyber Practice Invensys Portfolio along with the Schneider portfolio and cyber teams will provide us an unprecedented ability to help more clients and make our critical infrastructures more resilient to cyber attacks. Please join my team in exploring the possibilities that are in front of us.
Continuously Secure: Invensys continues to prove to the industry that we stay vigilant and help our customers develop their cyber strategies and secure their process environments. We have staff to help our clients on a global basis to assess, design, implement, and manage their cyber posture. Invensys has developed suites of products with complementary consulting, which are unmatched in the industry.
This month we excluded a submission from the Consultant’s Corner to include a letter about the acquisition of Invensys by Schneider Electric.
The Invensys Critical Infrastructure and Security Practice has the skills and the resources to help our clients no matter what industry. We are structured to help with their entire Cyber Security program. We have essentially the industry’s largest vendor-based Cyber Security team that helps our clients secure their entire process environment. We understand that Cyber Security extends beyond a single system and our valued clients need assistance and advice in how to secure their entire plant infrastructure. Cyber security is so much more than product features, firewalls, and anti-virus software.
If you’ve missed our previous editions, you can find them at this location: http://iom.invensys.com/EN/Pages/CyberSecurity-Newsletters.aspx
Click here to open the January 2014 newsletter.
Monday, February 10, 2014
Cyber Security: ICS-CERT Vulnerability Summary for Week of February 3
Click the link below to view the summary of cyber security vulnerabilities for the week of February 3 as collected and reported by ICS-CERT.
http://www.us-cert.gov/ncas/bulletins/SB14-041
Thursday, February 6, 2014
Cyber Security: Hackers Lift F-35 Plans, Infiltrate FBI Press Office
The technical information on the joint strike fighter was intercepted before reaching its intended recipient overseas. And the culprit, a naturalized U.S. citizen, was arrested before he could flee. Click here to read the article.
Wednesday, February 5, 2014
Cyber Security: U.S. court system targeted in cyber attack
Unidentified hackers temporarily blocked access to the federal court
system's public website on January 24, preventing lawyers from filing legal
documents, Politico reported. Click here to read the article.
Tuesday, February 4, 2014
Cyber Security: FBI warns retailers of more cyber attacks
The U.S. Federal Bureau of Investigation warned U.S. retailers that
there will be more cyber attacks in a "disturbing" report describing how
vulnerable the $5 trillion industry is to hackers trying to steal
valuable customer data. Click here to read more.
Monday, February 3, 2014
Cyber Security: ICS-CERT Vulnerability Summary for Week of January 27
Click the link below to view the summary of cyber security vulnerabilities for the week of January 27 as collected and reported by ICS-CERT.
http://www.us-cert.gov/ncas/bulletins/SB14-034