Thursday, May 15, 2008

Management group warns CEOs of data-breach risks

Top-level managers and chief executives often do not realise the impact that IT-security incidents can have on their organisations, according to influential group the British-North American Committee.

In a report entitled Cyber Attack: A Risk Management Primer for CEOs and Directors, launched on Wednesday, the British-North American Committee (BNAC) said that chief executives underestimate the scale of data-security problems and fail to recognise the consequences of data breaches for business. BNAC is a group of business leaders and academics from the UK, US and Canada aimed at lobbying the governments of all three countries about management and business-related issues.


Cisco IOS Timebomb - one step closer...

The IOS vulnerability threat just ratcheted up a notch with another first - someone has actually developed a malicious rootkit for any version of IOS that runs on Cisco's routers, a development that has placed increasing scrutiny on the routers that make up the majority of the Internet and corporate networking infrastructure. The researcher will unveil his work on May 22 at the EuSecWest conference in London.

A Cisco rootkit is particularly worrisome because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.

This will no doubt compound concerns at the FBI after its disclosure that vast quantities of counterfeit Cisco gear (from China) are being sold and installed into government and military networks. Rootkits could potentially be hiding in these routers with no current way of detecting them. The U.S. Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously, according to a leaked FBI presentation that underscores problems in the Cisco supply chain.

This is the next milestone in the IOS Vulnerability Saga we have predicted and been following for some years now. The last such milestone was the shocking disclosure of IOS Patching shellcode revealed by a researcher in 2005 that led to the infamous lawsuit and CiscoGate Saga as Cisco tried to quash the information. IOS patching shellcode could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS and details of how to accomplish this have been sketchy.

The shellcode revelations were very shocking because, until then, nobody thought you could actually build exploits for Cisco, but this rootkit is the next step to point-and-click IOS exploits. Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem." In addition, as we have documented previously, patching IOS is no simple affair.

My company saw this coming almost 2 years ago and our teams developed a Secure Network Infrastructure Assessment for our clients concerned about the vulnerability of their IOS estate as well as the proper security configurations of these devices. It has had very brisk uptake so at least some early leaders are starting to introduce the required tools to mitigate this risk. We also have a little online IOS Security self-assessment if you own IOS real-estate and want to know if you should be concerned.

Since May 2005 we have made several predictions/postings/observations on this topic:

March 2006
The challenge of Cisco device patching

December 2005
Lock down IOS in 10 steps
Hacking to change tack in 2006
Cisco's Chambers on IOS vulnerabilities
ISS withholding another 15 IOS vulnerabilities

November 2005
IOS exploit and auditing tools
IOS makes it to SANS Top-20 vulnerability list
Security set back six years
Cisco IOS next big concern
New IOS flaw patched

September 2005
New critical IOS flaw

August 2005 breached
CiscoGate: The Lynn interview
CiscoGate: Advice for customers
CiscoGate: Microsoft shows the way
Cisco IOS Flaw saga continues

July 2005
Pulled IOS presentation spreads like wildfire
Cisco & ISS Public Relations disaster
Cisco & ISS file for injunction at BlackHat
Cisco coverup ignites BlackHat controversy
Cisco warns of serious IOS flaws

June 2005
Hackers to target Cisco next?

May 2005
Best you patch your IOS now
The challenge of Cisco Network Device Patching

Friday, April 11, 2008

Power Grid hacked in no time

Researchers who launched an experimental cyber attack caused a generator to self-destruct, alarming the federal government and electrical industry about what might happen if such an attack were carried out on a larger scale.

Some experts fear bigger, coordinated attacks could cause widespread damage to electric infrastructure that could take months to fix. In a previously classified video of the test, the generator shakes and smokes, and then stops.

Thursday, February 28, 2008

How recession proof is IT security?

Leading economists have recently increased their projections of a likelihood of an economic recession in the United Kingdom, Japan and the United States. These countries together comprise 42% of the world's gross domestic product (GDP). Even though many other economies are growing quite vigorously it is inevitable they will feel the effects and themselves could be facing difficult economic times ahead in this increasingly globalized world.

With every day bringing increasing concern for the near-term health of some of the world's largest economies, many clients can expect to receive mandates from senior executives to cut IT costs as part of an enterprise cost-cutting program.

Just how will this affect IT Security? There is a train of thought that the security industry is rather resilient to recessionary cutbacks. Let’s examine this for a moment:

During cost cutting, there are inevitably staff layoffs and it is exactly during these times that the insider threat/disgruntled employee cloud looms and some say you should tighten up security during these times. The recent PWC InfoSec survey shows that 60% of breaches are from insiders and disgruntled employees.

Others say that as profits drop, corporates have less “buffer” or “luxury” to absorb business interruptions, lawsuits, bad publicity, loss of consumer confidence and loss of confidential data to competitors and as such security actually becomes elevated during tough economic times.

As clients in-source and out-source to cut costs in tough times, the security issue comes to the fore again. This is my favorite topic and we even have a white paper on this over here: Outsourcing can lead to bad security

Also, regulations and compliance requirements don’t scale back during slowdowns so whilst more rigor will be applied in cutting costs and choosing vendors, these initiatives will nonetheless proceed.

Hackers, script kiddies, organized crime, espionage, spammers, phishers, viruses and worms don’t slow down with economies. Neither does the loss of laptops, PDAs and tapes with confidential information due to mistakes/negligence. And neither do the disclosure laws or the bad press that accompany breaches. The appearance of new threats doesn't slow down with economies either. Anyone doubting a further onslaught in 2008/9 by new and emerging threats need only look at the SANS predictions for threats in 2008.

Clients will also turn to technology such as Virtualisation, Unified Comms, Teleworking and perhaps IP Telephony to save costs and improve efficiencies and as we know these areas all suffer from complex security issues.

Finally, Infosec is still top of CIOs’ priorities. We can look to a very recent Goldman Sachs survey among CIOs of Global Fortune 1000 companies as to where spending priorities lie. The top six IT initiatives that remain strong among IT buyers are:

1-business intelligence,
2-server virtualization,
4-application integration,
5-server consolidation and
6-ERP software.

In conclusion, whilst there will be more acute due diligence and sales cycles might extend, I do not believe this market will slow down or feel the effects of macroeconomic slowdown as much as other segments.


Tuesday, February 26, 2008

Top 10 cyber security menaces for 2008
