Computer Security Specialist

Companies are Really Using Intrusion Prevention Systems

2012-01-06T08:10:00.000-08:00

With cloud sharing gaining great popularity the need for the use of an intrusion prevention system is increasing. Many companies especially those involved in e-commerce are working hard to ensure their customers' privacy. Because technology is changing so much, so quickly companies large and small are taking cautionary measures. Intrusion prevention systems are very helpful in preventing/curbing hacker access to important information. They are an extra barrier alongside your firewall protection.

What does it do?
Intrusion prevention systems monitor networks and systems for malicious activity. The main job of intrusion prevention systems is to identify malicious activity, make note of it and then try to block or discontinue the action. Once that is done the activity is then reported. Being able to identify the intrusion also helps the company to figure where there are leaks and how their system can be improved. Without this system you can leave your company susceptible to all kinds of risks.

What types are available?
Intrusion prevention systems do come in different types such as network-based, wireless, network behavior analysis and host-based intrusion prevention. They all serve the same purpose, but may go about it a little differently or just work on different systems. Network-based oversees the whole network for malicious activity. Wireless monitors a wireless network for malicious traffic. Network- behavior analysis observes network traffic to find red flags that change traffic activity. Host-based is a software package that you can install. It monitors one host for malicious or unusual traffic activity.

Tips for Small Businesses from a Cyber Security Expert

2011-09-14T07:10:00.000-07:00

The Internet offers small businesses a competitive advantage in a tough market thanks to the exposure they receive online. However, while they can compete with larger businesses online in terms of marketing and visibility, their IT budgets and security efforts simply can't keep up. Cybercriminals realize that small businesses are easy targets because they are less likely to have a security plan in place. Here are tips for small businesses from a cyber security expert whose personal mission is to secure organizations by creating solutions to unique and complex computer problems.

Create an Internet Policy
One of the best ways to keep critical data protected is by establishing guidelines and boundaries for employees, no matter how small the organization may be. An Internet use policy lets employees know what software and files are okay to download, how to create strong passwords, and which websites cannot be viewed while surfing the Web. Any security expert would agree that letting employees know their responsibilities when it comes to using the Internet is the first step towards a comprehensive security plan.

Install the Latest Anti-Virus Software
Most new computers come with anti-virus and anti-malware programs installed. However, an experienced cyber security expert recommends going above and beyond these basic software packages by purchasing a comprehensive security suite. Not only do they detect threats, but they automatically repair the system every time viruses or malware is detected. According to a computer security specialist, increasing the protection of critical data by paying for additional safety features is worth the investment because it brings small business owners the peace of mind they need.

Secure Wireless Connections
Some business owners do not secure their wireless connections because they don't realize how important this step is when it comes to protecting the company's information. If they had the same knowledge and experience as a trained cyber security expert, they would realize just how serious this threat is. Here are a few simple steps business owners can take to secure these connections:
• Change passwords regularly
• Add a VPN service
• Limit access to the network

Security Expert Advice: Choosing Strong Passwords

2011-09-14T07:05:00.000-07:00

So far, 2011 has been a big year for cyber-attacks. American businesses and the United States government were the targets of hackers who stole credit card information, took down websites, and deleted military files. These attacks sent companies and government agencies scrambling to explain how their data was stolen, compromised, or lost. It also forced them to examine their computer security practices. As they attempt to pick up the pieces, security experts are using these events to emphasize the importance of good risk management – namely preventing targeted attacks against companies before it's too late. One way of increasing cyber security is by creating strong passwords. Here are tips for protecting your personal or professional digital identity, straight from a computer security specialist.

• Use a combination of letters and numbers – never use only one or the other.
• Stay away from using names of spouses, children, or pets.
• Use a bizarre combination of words that only you would remember.
• Don't use your phone number or birthday – these are considered "weak" passwords.

Just about everyone has at least one password; some people have upwards of ten. According to technology writer Clive Thompson, "the truth is we humans are pretty bad at remembering characters that make for a really strong password." For people who need multiple passwords, remembering just one would be easier but such a shortcut is also dangerous. As difficult as it may be, the importance of choosing a unique and complex combination of letters and numbers cannot be emphasized enough. Any experienced security expert will tell you that weak and non-existent passwords are partly to blame for online security breaches, so your safety depends on generating a strong password for each different account.

Tips for Using an Expert Witness Effectively

2011-09-14T06:54:00.000-07:00

In our culture we are urged to "trust the expert" – even in a court of law. The simple fact that the testimony of an expert witness is admissible in a trial shows how much we value the opinions of people who are considered authorities in their fields. This can have a very persuasive effect on a case, as long as the experts are carefully chosen and thoroughly prepared. Here are some tips for using an expert witness successfully.

• Examine the case and determine what kind of expert you need.
• Search trade organizations, referrals, and the Internet for expert witness options.
• Analyze potential experts based on the following: reputation, experience, qualifications, scholarly work
• Choose as many as necessary, and make sure to fully understand their opinions.
• Help the expert witness become familiar with the case.
• Work with the expert on his or her report through guidance, but it should reflect his or her own opinions.
• Prepare the witness for examination.

From selection to a successful testimony at trail, there is a lot of research and preparation that goes into finding the best expert witness. Just because a person has a lot of experience in his or her field doesn't necessarily mean he or she has what it takes to deliver a successful expert witness testimony. Interview every option and spend time talking with them to find experts who have pleasing yet firm personalities and perform well under the highest degree of pressure.

Travel Tips from a Security Expert

2011-09-12T10:31:00.001-07:00

Most businesses recognize the critical need to implement security measures in the office. Now that people can connect to wireless networks through their mobile devices, new technologies are breaking down office walls. And according to any security expert, this raises serious concerns. Businesses whose employees travel, work from home, or simply view important documents on their laptops or smartphones anywhere they go are exposing critical data to hackers, cybercriminals, and other security breaches. Here we will focus on tips for staying protected while traveling, straight from a computer security specialist.

Backup your mobile devices – including laptops and cell phones – before taking that important business trip. If you have any important information stored on them that you won't need during the trip – don't bring it with you. When you return you will be able to put any and all of this data back onto your devices if necessary.

Any security expert will tell you to make sure your anti-virus software is current. This will prevent your devices from being infected by dangerous viruses and malware that can damage your system and affect important data files. It is important to have this software enabled during the entire trip. Taking a vacation from your anti-virus security software is a mistake that can cost you critical information, or worse – your job.

Use a hard-wired connection whenever you can. Sure wireless networks are convenient, but they carry a higher risk of security breaches. Many hotels come equipped with a cable you can use, but if you don't see one in the room, ask the front desk. If you must use a wireless connection, either at the hotel or in the airport, only use encrypted hotspots for maximum protection.

Important Qualities in a Data Security Keynote Speaker

2011-09-12T07:06:00.000-07:00

When it comes to corporate events, conferences, and retreats, nothing is worse than a boring guest speaker. Unless the audience is properly informed and entertained, the message could fall flat, causing the entire event to lose steam. In order to keep the momentum going during these events, it's important to choose a keynote speaker who is credible, professional, and charismatic all at the same time. Here are some of the things to look for in an effective data security keynote speaker to maximize the impact of your next big event.

Experience:

Dr. Eric Cole has extensive experience as a cyber-security expert. He has over 20 years of hands-on experience in the industry, in which he thrives on creating new companies, organizations, and products. Dr. Cole is an expert witness in cyber security, which is a testament to his broad background in the computer world as well as his professional and approachable demeanor in everything he does. This experience has helped him become a knowledgeable keynote speaker who can turn complex topics into simple concepts.

Entertain:

The key to an effective guest speaker is being able to entertain an entire room while remaining professional, credible, and knowledgeable. Taking a potentially boring topic like Internet security and turning it into an interesting presentation isn't easy, but Dr. Cole is able to bring technology topics to life. Full of practical information based on his personal experiences, Dr. Cole's presentations continue to captivate audiences and inspire people to apply his solutions to their everyday lives. Read some of the sample topics he has addressed during his career as a data security keynote speaker by clicking here.
If you are looking for a guest speaker who can provide practical solutions to complex business problems, contact Dr. Eric Cole. As an experienced data security keynote speaker, his meaningful presentations can help your organization embrace technology in a safe, secure, and beneficial way.

Cyber Security Is A Critical Element In The Modern Business World

2011-06-28T10:48:00.000-07:00

In today's business world, nearly everyone is connected to the internet in some way, shape or form. It's virtually unavoidable. Businesses conduct majority of their operations online and through electronic mediums. Whether you walk into a store and make a purchase with a credit card or decide to engage in an online transaction between two businesses, information is being stored, moved and analyzed via electronics.

Someone has the ability to access this kind of data somewhere, whether it is a company that handles your credit card information or a medical office that has your social security number. At one point or another, all data is accessible which means that cyber security is a critical element to every company's success.

How does your business prepare against attacks? Do you have a plan of action to defend against hackers and criminals that seek to undermine your security and steal valuable information? The network security of your business is the lifeblood, and if it is at risk, the entire network is susceptible. If technology is not something that you understand thoroughly or have had much experience with then investing in security consultants could be one of the best choices that you could make.

Companies of all sizes evaluate their risk analysis and probe their defenses for weak spots. The best way to make sure that your company has the ability to successfully defend against a cyber-attack is to get an individual or organization in there that is completely familiar with protecting companies against these types of threats. Whether it is an IT risk assessment that you need or you have to conduct a penetration test of your network, Secure Anchor can help meet and exceed your cyber-security needs.

Your Network Security Is As Important As Locking Your Front Door

2011-04-25T12:19:00.000-07:00

Security throughout a company’s network, websites and business dealings has become even more critical than even just a few years ago; with different hackers and criminals trying to break through one’s network security at any given time, both your employees and your customers expect that their secure information is to be the highest priority. If an attack or loss of data occurs, it can seriously damage a company’s reputation in the public’s eye, as well as cause employees to question whether their private information is really safe at their job.

Computer network security is an investment that all businesses should make, especially in light of the fact that cybercrime has continued to grow exponentially as a threat to all businesses; this is not even limited to just your business located in the United States, but also worldwide. This type of criminal activity is unlike anything the world has seen before, and many businesses are now recognizing the reality of needing a secure defense against such threats. Smaller businesses can fall prey to these attempts as well, which is why it is critical to invest in a security assessment of one’s current procedures, methods and defenses.

Having a professional organization evaluate your resources for any security leaks or issues can be beneficial for both your short and long-term interests. A threat analysis is a great way to test your current defenses to discover what kind of data a hacker can currently breach, if any. A penetration test also allows one to assess how a hacker can find ways into your current organization; with a focus not just on a success or failure rating, this test explores all potential outcomes and avenues that a criminal might take. Altogether, investing in this type of technology is a great idea for your business, whether you are a start-up company or a business with twenty years of experience.

With New Cyber Terror Threats, Investing In Cyber Security Is More Important Than Ever

2011-03-01T07:44:00.000-08:00

In our times, network security is the most critical aspect and function of any business; almost all business are connected to online data in some way. Even smaller companies such as small music store chains have specific email passwords and critical data that can be easily hacked by criminals. To avoid these types of issues and to eliminate the chances of such security breaches, computer network security should be your number one priority. There are criminals out there unlike what the world has previously witnessed; these are not people who wait to break in to your business at night. The modern criminal is rapidly becoming a cyber threat; unseen, unheard and many times unstoppable to those who do not have proper cyber security.

The threat is growing across the world as well; enemies of America and other countries throughout the world are rapidly planning more cyber-attacks than ever before. Federal institutions have had their websites targeted and taken over by terror organizations, and the threat continues to grow. It is only a matter of time before terrorist cells will see the harm they can cause by targeting the websites of average, everyday business, and conduct terror opportunities through the internet and cyberspace. Network security should be more important than ever to every business owner; why take the risk of losing the trust of your customers and employees? Protect your business from the unseen threats in the world, just as you would protect it from physical threats.

The Importance of Cyber Security

2011-02-25T05:51:00.000-08:00

Cyber security is crucial to any major business, for many different reasons. We are here to provide the highest quality cyber security. To give a background on cyber security, the United States Department of National Security defines cyber security as, “preventing, detecting, and responding to attacks.” We have a staff of cyber security experts, who can handle all three of those aspects.
    Without cyber security, your network is at high risk. For starters, without cyber security a virus can completely erase any and all data, from your network. Also, a hacker can easily invade your network, without the proper cyber security service. This means, they can alter your private information, steal your credit card numbers, or even take the private information of your customers. Once skilled hackers have this information, they can cause serious financial damage. Our cyber security services ensure your valuable information stays protected.
    Our cyber security team customizes cyber security to fit the needs of your company. Just like people, no two businesses are the same. We will take in all of your information and set up the perfect cyber security plan. One of the greatest features to our cyber security service is a penetration test. A penetration test shows exactly how vulnerable your network is. The penetration test simulates hackers, trying to steal your valuable information. Our cyber security service can take the information from a penetration test and know the exact parts of your network, which need higher cyber security.
    Our cyber security services have been trusted by Fortune 500 companies, as well as, the military and legal industries. Just to name a few. We have the cyber security experience needed to be a leader in the cyber security field. When your company needs the highest quality cyber security, our cyber security specialists are happy to help.

The Importance of the Insider Threat to Security Experts

2011-01-06T08:38:00.000-08:00

"I trust everyone, it is the devil inside that I do not trust," is a great line from the movie The Italian Job. Every single person has the potential to do harm if the right circumstances occur. Yes this includes employees. This presents a great deal of trouble to security experts. Why is it that once a total stranger is hired at your company, you now completely trust that person? Just because they are now called an employee does not mean they have loyalty to your organization and would do nothing to hurt the company. Many organizations perform no background checks and no reference checks and as long as the hiring manager likes them, they will hire them. Many people might not be who you think they are and not properly validating them can be an expensive, if not a fatal, mistake. Because most organizations hire complete strangers, without consulting security experts, and then give them access to sensitive data, all organizations must worry about the insider threat. Too much paranoia can cripple an organization but the right amount can protect it. Just ask yourself a couple of simple questions:

If someone was fired from a previous company for stealing or unethical activity, would you know?

If someone was currently stealing or perform stealthy activity against your organization today, how would you know?

When an organization posts a job opening, it can take weeks until the first interview occurs. All a competitor has to do is prep someone to ace the interview and then they are in. The fact that it can be this easy to get on the inside is a pretty scary thought for organizations and security experts. Once that competitor insider is hired by the company, the competitor organization has the potential to steal sensitive organizational data. Think about it, this is the same process that foreign governments use to plant a spy in a United States agency. Foreign governments know that a key criterion for that person is passing the polygraph, so they will put that person through intensive training so that he or she can pass the polygraph with no problem. This points out a key disadvantage that organizations, and even security experts, have. The attacker knows what process you are going to follow to hire someone and all they have to do is prep someone so they ace that part of the process. Because these attacks are being perpetrated by trusted insiders, you need to understand the damage they can cause; how to build proper measures to prevent the attack; how to minimize the damage; and, at a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprise, they are concerned with the external attack, forgetting about the damage that an insider can cause.

Since everyone uses different terminology, it is important to define what we mean by insider threat. The easiest way to get a base definition is to break the two words apart. According to www.dictionary.com, insider is defined as "one who has special knowledge or access to confidential information" and threat is defined as "an expression of an intention to inflict pain, injury, evil, or punishment; an indication of impending danger or harm; or one that is regarded as a possible danger." Putting this together, an insider threat is anyone who has special access or knowledge with the intent to cause harm or danger. While no one wants to admit it, it is worth looking around your organization and consulting security experts to see if there are any insiders that are causing harm to the success of your organization.

Advanced Persistent Threat (APT)

2011-01-06T08:33:00.000-08:00

Introduction

APT, formerly known as the Advanced Persistent Threat, is the buzzword that computer security specialists and everyone else is using.Companies are concerned about it, the government is being compromised by it and computer security specialists are using it in every presentation they give.

One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of 3 years ago, you will lose. APT allows organizations and computer security specialists to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization and their computer security specialist be able to fix the appropriate vulnerabilities.

What is APT?

APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.In other words, even a computer security specialist needs to be on their toes.

3) Many organizations make the mistake of thinking of attacks like the weather. There will be some stormy days and there will be some sunny days. However, on the Internet you are always in a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent,and if an organization or a computer security specialist lets their guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economy of scales and break into as many sites as possible as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT's goal is to look as close {if not identical} to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.

7) Attackers do not just want to get in and leave, they want long term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.
Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode. This is a never ending battlefor computer security specialists. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know?

How to Defend Against the APT?

Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations and computer security specialists can do to prevent against the threat:

1) Control the user and raise awareness–the general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user are allowed to do with proper awareness sessions can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior – traditional security tries to go in and classify something either as good or bad, allow or block. However with advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, computer security specialists need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3) Focus on outbound traffic – Inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior,which is tied to damage to an organization.

4) Understand the changing threat – it is hard to defend against something you do not know about. Therefore, the computer security specialists need to understand and know how the offense operates. If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5) Manage the endpoint – while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.
While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

Summary

APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "Know thy system/network." The more an organization and their computer security specialist can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it. The key to making this successful is to 1) always get explicit approval 2) run benign attacks 3) make sure the people running the test are of equal expertise to the true attacker; and 4) fix any vulnerabilities in a timely manner. The good news is, by focusing in on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT.

What are the 20 Critical Controls to Becoming a Cyber Security Expert?

2011-01-06T08:30:00.000-08:00

As a cyber security expert, one of the questions I often receive is what are the twenty critical controls? Details can be found at www.sans.org/cag but the general approach of the controls, and becoming a cyber security expert, is to begin the process of establishing the prioritized baseline of information security measures and controls that will lead to effective security. The consensus effort that has produced the controls has identified 20 specific technical security controls that are viewed as effective at defending against the most common methods of attack. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that are more difficult to be monitored continuously or automatically with current technology and practices; however they are critical to achieving an optimal level of security. Each of the 20 control areas includes multiple individual sub-controls, each specifying actions an organization can take to help improve its Defences and become a cyber security expert.

The 20 critical controls to becoming a cyber security expert are:

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability

Cyber Security Expert Skills Assessment and Training to Fill Gaps

Additionally, the controls are designed to support agencies and organizations that currently have different levels of information security capabilities, but are striving to become a cyber security expert. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain subcontrols have been categorized as follows:

Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these subcontrols provide comprehensive protection against the most critical attacks. If they did provide such protection, there would be no need for any other type of subcontrol. The intent of identifying Quick Win areas is to highlight where security can be improved rapidly, driving you towards becoming a cyber security expert.
Improved Visibility and Attribution: These subcontrols focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and attribution support organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers' activities, and gaining information about the sources of an attack. In other words, these controls help to increase an organization's situational awareness of their environment and ability to be a cyber security expert.
Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. This type of control focuses on protecting against poor security practices by system administrators and end users that could give an adversary an advantage in attacking target systems. Control guidelines in this category are formulated with the understanding that a well-managed network is typically a much harder target for computer attackers to exploit.
Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations already following all of the other controls should focus on this category.

For additional details on the controls, please go to www.sans.org/cag. Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

2011 Cyber Security Expert Emerging Trends

2011-01-06T08:24:00.000-08:00

It is important to understand the new trends that are occurring amongst cyber security experts to make sure you properly protect your organization. The following are some key trends that you need to be aware of.

1) More focus on Data Correlation

Before adding more devices to a network, perform data correlation across the existing devices first. Networks are becoming so complex that no single device will be able to give enough insight into what is happening across an organization. To better understand both normal and anomalous traffic, data correlation has to be performed across all critical devices. Each device/server has a piece of the puzzle and only by putting all of the pieces together, can organizations understand what is really happening and become cyber security experts.

2) Threat intelligence analysis will become more important

Many of the products in the security industry are becoming more commoditized. Many consoles and network devices are very similar in how they work and operate; the key differentiator is having accurate and up to date threat data. Organizations cannot fix every single risk. Therefore as the risks grow more focus has to be put against the real attack vectors. In order to become a cyber security expert, you have to adapt to the threats.A growing theme is the defense must learn from the offense. Threat must drive the risk calculation so that the proper vulnerabilities can be addressed. Only with properly threat data, can the avenues of exploitation be fixed.

3) Endpoint security becomes more important

A cyber security expert needs to protect all facets of their operation.As more and more devices become portable, the importance of the endpoint becomes more critical. In terms of the data it contains, there is little difference between a server and a laptop. A server might have more data but laptops still have a significant amount of critical information. However the server is on a well protected network and the laptop is usually directly connected to untrusted networks, including wireless. Therefore we need to move beyond traditional endpoint protection and focus on controlling, monitoring and protecting the data on the end points.

4) Focusing in on proactive forensics instead of being reactive

Attacks are so damaging that once an attacker gets in it is too late. In addition, with technologies like virtualization and SCADA controllers, performing reactive forensics is very difficult, if not impossible, for any cyber security expert. Therefore more energy and effort needs to be put against proactively identifying problems and avenues of compromise before major impact is caused to an organization. With the amount of intellectual property that is being stolen and the reputational damage, proactive is the only way to go.

5) Moving beyond signature detection

Signature detection works because the malicious code did not change and it took awhile for large scale exploitation to occur. While signature detection is still effective at catching some attacks, it does not scale to the advanced persistent threat (APT) that continues to occur. Therefore signature detection must be coupled with behavioral analysis to effectively prevent and detect the emerging threats that will continue to occur. Since the new threats are always changing and persistent, only behavior analysis has a chance of being able to deal with the malicious attacks in an effective way.

6) Users will continue to be the target of attack

Everyone likes to focus on the technical nature of recent attacks like Zeus and Aurora, but when you perform root cause analysis, the entry point with most of these sophisticated APT attacks are a user, someone who is not a cyber security expert, clicking on a link they are not suppose to. After that, the attack became very sophisticated and advanced but the entry point with many attacks is traditional social engineering. Advanced spear phishing attacks that trick the user in performing some action they are not suppose to. While you will never get 100% compliance from employees, organizations need to put energy against it because they will understand the short and long term benefit.

7) Shifting from focusing on data encryption to key management

Crypto is the solution of choice for many organizations, however they fail to realize that crypto does not do any good, if the keys are not properly managed and protected. Crypto has quickly become pain killer security because organizations are focused on the algorithms and not the keys. The most robust algorithms in the world are not any good without proper management of the keys. Most data that is stolen is from encrypted databases because the keys are stored directly with the encrypted data.

8) Cloud computing will continue regardless of the security concerns

Even though there are numerous concerns and security issues with cloud, not even a cyber security expert can argue with free. As companies continue to watch the bottom line, more companies are wondering why they are in the data center business. By moving to both public and private clouds can lower costs and overhead; however as with most items, security will not be considered until after there are major problems. Attackers will always focus on high payoff targets. As more companies move to the cloud, the attack methods and vectors will also increase at an exponential rate.

9) New Internet protocols with increase exposure

As the Internet continues to grow and be used for everything, new protocols will continue to emerge. The problem is the traditional model of deploying new protocols, no longer works. In the past, a new protocol was developed and would take a long term to achieve main stream usage. This allowed the problems to be worked out and security to be properly implemented. Today when a new protocol comes out it is used so quickly, the problems are only identified after there is wide spread use, which quickly leads to widespread attacks.

10) Integrated/embedded security devices

Not only is technology becoming integrated into almost every component, more functionality is being moved to the hardware level. Beyond the obvious implication of having more targets to go over, embedded devices create a bigger problem for a cyber security expert. It is much hard to patch hardware than it is software. If software has a problem, you can run a patch. If hardware has a vulnerability it will take no longer to fix and increase the attack surface. Smart grid is a good example of items 9 and 10 combined together.

Security Experts, Are We Missing the Point?

2011-01-06T08:20:00.000-08:00

Recently, between citizens and security experts, there has been a lot of talk about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains how do we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn't cyber security part of the discussion - more importantly the insider threat? They deserve to be.Security experts will agree that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low. When it comes to a cyber attack, the impact is high, the likelihood is high and the ease in which the attack can be performed is high. National security experts manage and mitigate risk, and therefore more attention should be given to these cyber weapons of mass destruction. At the top of the agenda should be better protecting critical information from the insider. Why there have been a lot of very technical, sophisticated attacks recently. We sometimes forget that the entry point for most of these attacks is an insider clicking a link or going to a site that they should not have gone to.

When a security expert evaluates a threat there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyber attack, the impact is high, the likelihood is high and the ease is high. Therefore since national security expertsmanage and mitigate risk, shouldn't more attention be paid to the cyber weapons of mass destruction and controlling access to our critical information?

If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpointsmanned by security experts that have to be cleared. The three important points to remember are 1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints; 2) weapons are illegal in most countries so clear possession of them could get someone in significant trouble; 3) it is relatively difficult to obtain these weapons.

When you start to apply this to cyber and insider threat, things start to fall apart very quickly. On the Internet there are no international boundaries monitored by security experts. An attacker/insider can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and use of the tools are not illegal.
There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas. Are we looking at controlling the boundaries and in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless that model falls apart. While changing laws can take a long time to perform, there are things organizations can do today to help protect the critical infrastructure from the accidental or deliberate insider. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Focusing on wanted trusted insiders have access to the information. Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Who inside the organizations has access to this information and can be targeted? Third, the entry point for most attacks is the end users. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints. Always remember that while it is difficult to stop stupid, with proper controls and focus on the insider, you can limit or minimize the impact of stupid.

We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner. Personally, I vote for option one.