Thursday, February 27, 2014

Cyber Security: Neiman Marcus missed 60,000 alerts about card hack

One month after Neiman Marcus was struck by a massive credit card hack, a new report published by Businessweek sheds more light on the breach. Click here for the article.


Wednesday, February 26, 2014

Cyber Security: Hackers using mobile devices to expose sensitive information in cyber attacks

Target, Neiman Marcus, Michaels and the University of Maryland. They’re all major retailers and institutions hit by hackers. So how are they getting all this data? Click here to find out.


Monday, February 24, 2014

Thursday, February 20, 2014

Cyber Security: E-Z-2-Use attack code exploits critical bug in majority of Android phones

Recently released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said. Click here to read the article.


Wednesday, February 19, 2014

Cyber Security: Keeping the Holes Plugged

Charles Smith, consultant for Invensys Critical Infrastructure & Security Practice, discusses patch management and "keeping the holes plugged."


Keeping the Holes Plugged

In our March 2013 newsletter, Todd Wheeler gave some excellent guidance in selecting a patch management tool. That said, one of our team’s most common quotes is:

Cyber security is so much more than firewalls and anti-virus software. All successful security solutions are part of an overall program that addresses who will manage, maintain, and upgrade the solution for its lifetime. The latest and greatest technology can’t really just be dropped in and expected to perform—you must match it with your plans and strategy. The message is: consider what the needs are, develop a program, and then determine the technical controls.

If you’ve started to delve into patch management due to regulatory requirements like NERC, or just as a good business “best practice,” you probably became quickly overwhelmed. In fact, you have probably felt like a person on a cold night with a blanket that is too small. You pull the blanket up to keep your chest warm but then your feet get cold. You pull the blanket down to get your feet warm, but then your chest gets cold. There is constantly a “hole” that you can’t plug to keep yourself warm. The same is true with patch management. Just when you think you have a good handle on Microsoft patches and have that automated, you have to deal with device firmware (PLCs, network equipment, network-connected peripherals) and the whole myriad of other software on the market. It also doesn’t help when many vendors list updates but are not forthcoming in saying which updates are security-related or not.

So, how do you deal with all this “patching uncertainty”? First, keep it simple and look at the title of what you are doing: patch management, not patching perfection. Patch management is all about prioritizing and managing risk. Before patching your environment, you need to establish a patch management program to help you evaluate, prioritize, test, and deploy patches. In some cases, you may even decide not to deploy a patch and instead rely on other security controls (i.e. compensating measures), such as the anti-virus software and firewall solutions you already have in place, to mitigate that risk.

How does this approach line up with regulatory requirements? In the case of NERC CIP, it fits in perfectly. For example, the title of NERC CIP 007 R3 Version 4 is “Security Patch Management,” which immediately tells you that your primary focus should be on “security” patches, not every patch ever created. In fact, this NERC CIP standard only requires three key things:

  1. Evaluate security patches within 30 days of their publication
  2. Document the implementation of patches (note that no timeframe is given for when you have to deploy the patch)
  3. Document compensating measures applied to mitigate risk when the patch is not installed

This gives power generation facilities the flexibility they need to develop a patch management program that includes adequate time to prioritize, test, and deploy patches without the patch itself becoming a threat to reliability of the electrical grid. If installing a patch threatens reliability, then a generation facility can schedule the patch at a time that minimizes that risk or decide not to deploy it.
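
As an added illustration (not part of the original newsletter and not an Invensys tool), the three requirements above can be checked mechanically against a patch register. The record fields, the finding names and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EVALUATION_WINDOW = timedelta(days=30)  # requirement 1: evaluate within 30 days

@dataclass
class PatchRecord:
    # Hypothetical register entry; all field names are assumptions.
    patch_id: str
    published: date
    evaluated: Optional[date] = None
    installed: Optional[date] = None
    implementation_doc: Optional[str] = None      # e.g. a change-record reference
    compensating_measures: Optional[str] = None   # e.g. firewall rule, AV coverage

def findings(rec, today):
    """Gaps for one security patch against the three requirements."""
    deadline = rec.published + EVALUATION_WINDOW
    if rec.evaluated is None:
        # Nothing else can be judged until the patch has been evaluated.
        return ["evaluation overdue"] if today > deadline else []
    out = ["evaluated late"] if rec.evaluated > deadline else []
    if rec.installed is not None:
        # Requirement 2: implementation must be documented (no deadline to install).
        if not rec.implementation_doc:
            out.append("implementation undocumented")
    elif not rec.compensating_measures:
        # Requirement 3: a patch that is not installed needs documented measures
        # (applied here to deferred patches as well as rejected ones, an assumption).
        out.append("compensating measures undocumented")
    return out

def report(register, today):
    """Map patch_id -> findings, listing only records that have gaps."""
    result = {r.patch_id: findings(r, today) for r in register}
    return {k: v for k, v in result.items() if v}

# Constructed sample register (not real patch identifiers).
TODAY = date(2014, 2, 19)
REGISTER = [
    PatchRecord("PLC-FW-001", date(2014, 1, 2), date(2014, 1, 20), date(2014, 2, 10), "CR-17"),
    PatchRecord("OS-SEC-002", date(2014, 1, 2), date(2014, 2, 15)),
    PatchRecord("NET-SW-003", date(2014, 2, 10)),
    PatchRecord("HMI-APP-004", date(2014, 1, 5)),
    PatchRecord("HIST-DB-005", date(2014, 1, 8), date(2014, 1, 30),
                compensating_measures="blocked at firewall; AV signatures current"),
]

if __name__ == "__main__":
    for pid, gaps in report(REGISTER, TODAY).items():
        print(pid, "->", "; ".join(gaps))
```

Note that a patch which has been evaluated but never installed raises no finding as long as its compensating measures are recorded, which mirrors the absence of a deployment deadline in the list above.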

This is just the beginning of establishing a patch management program. Other items, such as the scope of equipment and software for patching, must be determined. The Invensys Critical Infrastructure and Security Practice has the skills and the resources to help our clients, no matter what industry. We are structured to help with the establishment of an entire cyber security program, not just patch management.

Tuesday, February 18, 2014

Cyber Security: Target’s cyber security staff raised concerns in months before breach

Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said. Click here to read the article.


Monday, February 17, 2014

Thursday, February 13, 2014

Cyber Security: After years, U.S. chains finally turn to security industry to combat hackers

VeriFone Systems, RSA and Ingenico are poised for a gain in sales as U.S. retailers turn to makers of payment terminals and security software for help shoring up their anti-hacking defenses. Read the article here.

Wednesday, February 12, 2014

Cyber Security: 3 popular apps that could put your money at risk

Smartphones have made life much more convenient. With the ability to text, research the Internet, locate places on a map, and listen to music, these devices have allowed us to live easier lives. Read the article here.

Tuesday, February 11, 2014

Cyber Security: Vendor linked to Target data probe

Fazio Mechanical Services of western Pennsylvania has been identified as the third-party vendor through which hackers accessed Target's customer information. Click here to read the article.

Cyber Security: The Global Cyber Advisor Newsletter - Jan. 2014 Vol. 28

Welcome to the latest Global Cyber Advisor Newsletter!

Exciting times are here… not that Cyber Security has not been exciting enough in Process Automation. As you may know, Invensys was acquired by Schneider Electric on January 17, 2014. We are looking at the magnitude of cyber security possibilities to expand our reach to clients to spread our message and help secure more critical assets. The combination of the CISP Global Cyber Practice Invensys Portfolio along with the Schneider portfolio and cyber teams will provide us an unprecedented ability to help more clients and make our critical infrastructures more resilient to cyber attacks. Please join my team in exploring the possibilities that are in front of us.

Continuously Secure: Invensys continues to prove to the industry that we stay vigilant and help our customers develop their cyber strategies and secure their process environments. We have staff to help our clients on a global basis to assess, design, implement, and manage their cyber posture. Invensys has developed suites of products with complementary consulting, which are unmatched in the industry.

This month we excluded a submission from the Consultant’s Corner to include a letter about the acquisition of Invensys by Schneider Electric.
                                                                                             
The Invensys Critical Infrastructure and Security Practice has the skills and the resources to help our clients no matter what industry. We are structured to help with their entire Cyber Security program. We have essentially the industry’s largest vendor-based Cyber Security team that helps our clients secure their entire process environment. We understand that Cyber Security extends beyond a single system and our valued clients need assistance and advice in how to secure their entire plant infrastructure. Cyber security is so much more than product features, firewalls, and anti-virus software.

If you’ve missed our previous editions, you can find them at this location: http://iom.invensys.com/EN/Pages/CyberSecurity-Newsletters.aspx

Click here to open the January 2014 newsletter.


Monday, February 10, 2014

Thursday, February 6, 2014

Cyber Security: Hackers Lift F-35 Plans, Infiltrate FBI Press Office

The technical information on the joint strike fighter was intercepted before reaching its intended recipient overseas. And the culprit, a naturalized U.S. citizen, was arrested before he could flee. Click here to read the article.



Wednesday, February 5, 2014

Cyber Security: U.S. court system targeted in cyber attack

Unidentified hackers temporarily blocked access to the federal court system's public website on January 24, preventing lawyers from filing legal documents, Politico reported. Click here to read the article.


Tuesday, February 4, 2014

Cyber Security: FBI warns retailers of more cyber attacks

The U.S. Federal Bureau of Investigation warned U.S. retailers that there will be more cyber attacks in a "disturbing" report describing how vulnerable the $5 trillion industry is to hackers trying to steal valuable customer data. Click here to read more.


Monday, February 3, 2014