Blog

  • 01 Dec 2015 9:45 AM | Anonymous
    • Hong Kong-based VTech, a major maker of tech-based toys, said it was hacked in November, alarming security experts and parents.

    • Hackers accessed information like passwords, IP addresses, physical addresses as well as the gender and ages of children, photos of children, and some chat data.

    • No credit-card information was at risk, and the company has shut down some of its web operations as a precaution, according to reports.

    The news of this hack, involving the identities of children, comes at a time when tech-based toys are among the most popular this holiday season.

    And it comes as toy sales are destined to have one of their best years in more than a decade, according to NPD Group, with growth stoked in large part by improved technology. 

    "The selection is much greater than in the past," Jim Silver, editor-in-chief of online toy review site TTPM, told the Associated Press. "Technology is much better in the toy aisle, and it's really inspiring young kids to play but also bringing older kids to things like radio control and role play items."

    The news of this hack could make parents think twice about how chip-embedded toys could put the identities of their children at risk. And while security breaches have become commonplace, once they affect children, people are naturally more alarmed, according to cyber-security expert Troy Hunt.

    “When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts,” Hunt wrote on his blog regarding the VTech hack. “When it includes their parents as well – along with their home address – and you can link the two and emphatically say 'Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)', I start to run out of superlatives to even describe how bad that is.” 

    SOURCE: http://www.retaildive.com/news/massive-hack-of-toy-retailer-vtech-exposes-childrens-data/410021/

  • 25 Sep 2015 7:29 AM | Mike Fleck (Administrator)
    Charter member of C2, CipherPoint Software, is allowing C2 members to access Forrester Research's Security Maturity Assessment. Please visit the link below and take the abridged (10 question) version of the questionnaire. Once you've taken the short assessment, you will be able to access the full Forrester model. Don't forget to mention that you're a member of Colorado Cyber or otherwise part of the Colorado information security community. https://www.surveygizmo.com/s3/2184107/Cipherpoint-Survey
  • 27 Aug 2015 2:00 PM | Alex Kreilein

    "He who defends everything defends nothing." - Frederick the Great

    Identifying vulnerabilities is, at best, only half of the battle.  The discovery of vulnerabilities is critical to mitigation; however, vulnerability discovery divorced from risk-informed thinking is functionally useless.

    Modern enterprises consist of tens of thousands of systems and services.  Assume that ACME Corp. is an enterprise that has 100,000 networked components.  A vulnerability rate of 1% of these systems leaves 1,000 systems at risk.  Is that a lot? It depends.

    Rather than think of the situation in terms of real numbers, which is generally meaningless, it is important to consider not how many systems are vulnerable but rather what is the risk of compromise.  Absolute numbers have their place but mean very little in operational environments.

    Risk can be conceptualized as a function of likelihood and consequence.  To put it another way, it is the chance that a system will be compromised and an assessment of how significant that compromise would be.

    This is important thinking because not all vulnerabilities are equal.  That’s why the real number of 1,000 vulnerabilities is useless.

    If ACME Corp.’s network has vulnerabilities deep in the architecture – past multiple firewalls, intrusion detection/prevention systems, a solid SIEM, on an encrypted database, which is protected by solid PKI integration – it is very unlikely that an attacker will successfully exploit a vulnerability and actualize an attack causing consequential outcomes.  On the other hand, if I am a person of significant interest, my endpoint is totally unprotected, and I’m running a really out-of-date OS – I am going to get popped.

    This matters because organizations operate under constraints.  No matter the size, this is true all of the time.  And in circumstances of constraint, operators need to pick and choose.  The one time that the total real number of risks is important is when a pairwise analysis is required in order to prioritize mitigations, which have financial, technical, and human resource costs in addition to their consequence and likelihood driven score.  But the process by which this is done requires a deep understanding of network, application, and system security.  It also requires knowledge of quantitative and qualitative risk analysis, criminal psychology, and threat intelligence analysis.  That is why no thoughtful approach can divorce the technical from the analytical and still be successful.

    Those who do not understand this type of thinking are at a true disadvantage.  Sadly, much of today’s industry practices embolden people to use a tool they don’t understand and print out a report of vulnerabilities that they have not analyzed.  As practitioners, we believe that informed thinking matters, if for no other reason than that it ensures operators can make increasingly optimal choices under their constraints.  "This is what the tool told me" is simply not an answer anyone should be proud to give.

    We are proud that the Entrepy Academy teaches this kind of technical and analytical thinking.  To give a taste of the excellent professional education we will be turning up, we will be running active defense and active offensive community events starting in October.  This hands-on training will be available to the public for a low cost as our way of giving first to the community.  Immersive and lab-based, all of our individual modules will culminate in a massive region-wide Capture The Flag (CTF).  Stay in touch with us to learn more about what we'll be putting in our community and how we will be training up thousands of exceptionally well qualified information security professionals.  We are confident that our approach will separate our graduates from the chaff.

    @Alex_Kreilein

    Managing Partner

    Entrepy, LLC

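    As an added illustration of the likelihood-and-consequence prioritization the post above argues for (example code written for this page, not code from the original post or from Entrepy), the following Python scores a constructed list of ACME Corp. systems and then picks the mitigations that buy the most risk reduction under a fixed budget of person-hours. The exposure weights, control factor, asset names, consequence ratings and costs are all assumptions chosen for the example, not published figures.

```python
"""Risk-informed prioritisation of a vulnerability list (illustrative).

Each vulnerable system gets risk = likelihood * consequence, where likelihood
falls with every compensating control between the attacker and the asset and
rises for stale patching or a high-value owner.  A greedy pass then spends a
fixed mitigation budget on the best risk reduction per hour.
All assets, weights and costs are constructed for the example.
"""
from dataclasses import dataclass

# Base likelihood of successful exploitation by exposure, before controls.
# Assumed weights for the example, not published figures.
EXPOSURE_BASE = {"internet": 0.9, "partner": 0.6, "internal": 0.3}
# Each working compensating control (firewall tier, IDS/IPS, SIEM, encrypted
# store, PKI-protected access) leaves this share of the remaining likelihood.
CONTROL_FACTOR = 0.55
# Software unpatched longer than this is treated as stale.
STALE_PATCH_DAYS = 90


@dataclass
class VulnerableSystem:
    name: str
    exposure: str            # key into EXPOSURE_BASE
    controls: int            # compensating controls between attacker and asset
    patch_age_days: int
    high_value_target: bool  # e.g. endpoint of a person of significant interest
    consequence: int         # 1 (nuisance) .. 5 (business-ending)
    mitigation_cost: int     # person-hours to fix


def likelihood(s: VulnerableSystem) -> float:
    """Chance of successful compromise in [0, 1] under the assumed model."""
    p = EXPOSURE_BASE[s.exposure] * (CONTROL_FACTOR ** s.controls)
    if s.patch_age_days > STALE_PATCH_DAYS:
        p = min(1.0, p * 1.5)
    if s.high_value_target:
        p = min(1.0, p * 1.5)
    return p


def risk(s: VulnerableSystem) -> float:
    """Risk as a function of likelihood and consequence."""
    return likelihood(s) * s.consequence


def risk_table(systems):
    """(name, likelihood, consequence, risk) rows, highest risk first."""
    rows = [(s.name, likelihood(s), s.consequence, risk(s)) for s in systems]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def prioritize(systems, budget_hours):
    """Greedy pairwise-style selection: best risk reduction per hour first,
    skipping anything that no longer fits the remaining budget.  Assumes a
    mitigation removes the system's risk entirely."""
    ranked = sorted(systems, key=lambda s: risk(s) / s.mitigation_cost,
                    reverse=True)
    chosen, spent = [], 0
    for s in ranked:
        if spent + s.mitigation_cost <= budget_hours:
            chosen.append(s.name)
            spent += s.mitigation_cost
    return chosen, spent


# Constructed sample: five of ACME's "1,000 vulnerable systems".
ACME = [
    VulnerableSystem("hr-db", "internal", 5, 30, False, 5, 40),
    VulnerableSystem("exec-laptop", "internet", 0, 400, True, 4, 8),
    VulnerableSystem("marketing-www", "internet", 1, 20, False, 2, 12),
    VulnerableSystem("build-server", "partner", 2, 120, False, 4, 24),
    VulnerableSystem("printer-0042", "internal", 1, 700, False, 1, 4),
]

if __name__ == "__main__":
    for name, p, c, r in risk_table(ACME):
        print(f"{name:14s} likelihood={p:.3f} consequence={c} risk={r:.3f}")
    chosen, spent = prioritize(ACME, budget_hours=48)
    print("mitigate first:", chosen, f"({spent} hours)")
```

    The point the numbers make is the post's own: the HR database sits behind five controls and scores a risk of about 0.08, while the unprotected, unpatched executive laptop scores 4.0, roughly fifty times higher, even though each is "one vulnerable system" on a scanner report. The budget pass is where the real count finally matters, since it decides which fixes fit.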

  • 24 Aug 2015 1:10 PM | Tom Smith

    I was at an event earlier this year where Gus Hunt, former CTO of the CIA, said "Here is where we need to get to. What if the bad guys got in, stole your data, and you didn't care?  That's the goal!"

    That’s a formidable goal, but it sure makes sense. What if you opened the door, let the bad guys in and said "have at it"?

    In addition to better firewalls, endpoint protection, SIEMs, threat intelligence and predictive technologies, what if we were more proactive about protection at the individual data level?

    It’s increasingly difficult to stay abreast of all that’s necessary. Companies need to repel thousands or millions of attacks, while hackers need to only break through once. The odds don't seem to be in our favor.

    This message rings loud and clear in a McKinsey/World Economic Forum book I’m reading called Beyond Cybersecurity: Protecting Your Digital Business, which coins the term Digital Resilience and aligns with Gus' point. So many historical cybersecurity technologies have been focused on keeping the bad guys out; the digital resilience concept twists the thinking a bit. It acknowledges that companies are very likely to be hacked, and as such, an increasing and perhaps different focus should be on protecting the data.

    So digital resilience is about preparing for that one attack that gets through, whether the breach comes from the outside, or even from the inside.

    According to the book, to achieve digital resilience, companies need to undergo fundamental organizational changes, including integrating cybersecurity with business processes and how they manage IT. The CISOs who participated in a panel at Colorado Cyber’s Inaugural event reinforced this viewpoint – that some of the biggest issues in security have to do with people and process.  Not technology!

    So what do we do?

    Specifically, the book characterizes seven hallmarks of digital resilience:

    1. Prioritize information assets based on business risks
    2. Provide differentiated protection for the most important assets
    3. Integrate cybersecurity into enterprise-wide risk management and governance processes
    4. Enlist frontline personnel to protect the information assets they use
    5. Integrate cybersecurity into the technology environment
    6. Deploy active defenses to engage attackers
    7. Test continuously to improve incident response across business functions

    Everyone’s evolving. Technologists are. Hackers are. Just read the latest Ponemon or Verizon Breach Report, among others, to see the increasing prevalence of breaches occurring across industries. No one organization is immune.

    What’s the answer to all of this?  Maybe today’s answer is that it’s the combination. The combination of leading technologies, enhanced business processes, and digital resilience – along with increased internal mindshare on security – on which companies ought to be focused.

    One thing we know, hackers will get in. How can we make it difficult for them to penetrate? How quickly can we detect it? How meaningless can we make the data we serve them on the proverbial silver platter? All formidable, yet honorable, goals.

  • 18 Aug 2015 1:20 PM | Mike Fleck (Administrator)

    Would you do security differently if you knew that attackers have already compromised your network?

    In the late 1990s, it made sense to emphasize perimeter security such as firewalls and network intrusion detection solutions. As the corporate network perimeter has dissolved over the past few years, however, other technologies such as data loss prevention, user behavior analytics, and encryption have become important.

    I tend to reduce the security space to three main categories:
    • Trying to keep attackers off your network
    • Trying to detect attackers that are on your network
    • Trying to keep attackers from stealing data

    The challenge for any Chief Information Security Officer is to allocate the proper budget and resources to these three categories. Trying to keep attackers off the network is a necessary pursuit but it is only effective for unsophisticated, non-targeted attackers. Next Generation firewalls are flying off the shelves but many security professionals I talk to are buying them for the costs savings associated with consolidating hardware; they are not expecting any fundamental improvements in their ability to stop sophisticated attacks.

    Trying to detect attackers that are on your network is a promising and relatively new approach. There are several user behavior and security analytics solutions available and some enterprises have been able to successfully integrate their Security Event Management solutions with other technologies to build effective event correlation platforms. There is still a lot of work to be done, however, as the time to detect a compromise is measured in months, not minutes.

    Which brings us to the third initiative – securing data. This is arguably the hardest thing to do as applications, workflows, and other processes don’t always lend themselves to the insertion of automated technical controls. Having said that, information is ultimately what most attackers are trying to steal so organizations should locate the information most likely to be a target for sophisticated attackers and put in the effort required to reduce the risk of that information “sprouting legs.”

    Effective security architectures require a combination of these three initiatives. I believe that the best way to decide the proper mix of the three is to assume that attackers are already on your network, you won’t find them until it’s too late, and they are trying to steal data while you’re reading this blog. Starting with that mindset is much more effective than beginning with how to keep attackers at bay. This shift in thinking is also effective for helping executive management better understand the need for increased investments in security.

  • 14 Aug 2015 3:30 PM | Anonymous

    Hackers are good. I mean really good. According to Verizon’s latest Data Breach Investigations Report, more than 75% of the attacks are coming in through email, either with an attachment or a link.

    How many of your employees are up to speed on what they could do to ensure they’re not “the one” who accidentally enables a hacker to penetrate your organization?

    On average, phishing emails are getting almost 25% response rates. Take those numbers to your marketing teams. They’ll be impressed! Think about it. If the bad guys send an email to four people in your organization, at least one of them is going to click.  Yikes!

    It almost makes you want to halt email altogether – or ask the hackers to join your marketing team.

    So this is a problem. We get it. But what are you doing to equip your organization with the knowledge and restraint when it comes to email and cybersecurity?  How are you training your teams to not click on suspicious, or possibly even not-so-suspicious emails?

    Some organizations are taking a pretty hard-lined approach. I recently tried to send an email to someone at IKEA. It took five tries on five different email accounts I owned to actually get one through. And I wasn’t just looking for a missing part for my new IKEA chair. This was legitimate business, a legitimate email exchange. While I’m glad for IKEA that it appears to be really, really secure, I wonder how much time its partners are wasting trying to communicate.

    Is better endpoint protection the answer? Yes.  Is better training for your employees about what’s coming into their inboxes and what your teams can do to not be “the one” the answer? Yes. Is cutting your organization off from the rest of society the answer? Probably not.

    It’s time to create some awareness among your entire organization. Get your Human Resources teams involved. Create some good cybersecurity training. Take a page from the manufacturing handbook on safety and start communicating how many days, weeks, months (minutes?) it has been since your organization suffered an incident, or worse, a breach. Let people know what they can do to make a difference.

    And let’s bring those hacker response rates down to the levels they deserve!



Colorado Cyber...an alliance with the Colorado Technology Association
www.coloradocyber.com
info@coloradocyber.com
720-900-6200