SPOTLIGHT ON SECURITY

Iranian Cyberattack on American Dam Viewed As Rarity

Just days before Christmas, a rare event occurred: the report of a successful intrusion into America’s infrastructure by overseas hackers.

Although the event — penetration of the control system of a dam 20 miles from New York City — was more than two years old, it just made it into the public light last month.

Cloaking such incidents in secrecy is standard operating procedure for industries that use control systems — systems used to control the power grid, factories, pipelines, bridges and dams.

“We have seen cyberincidents that are not disclosed because companies are worried about the damage they could do to their brand name,” said Barak Perelman, CEO of Indegy.

Air Gap Myth

Many companies providing infrastructure services believe they can keep their control systems safe from attack by “air gapping” them, or keeping them segregated from the public Internet, he told TechNewsWorld.

“I can tell you that 50 percent of the facilities we visit say they’re air-gapped, but zero percent are actually air-gapped,” Perelman said.

“There’s always some connection to the Internet,” he said. “There’s always that technician who doesn’t want to drive to a facility at all hours of the night for emergencies and plugs in a modem so he can connect from home.”

The air-gap myth creates a false sense of security, and that leads to inadequate protection of control systems.

“If a hacker gets into one of those industrial networks, he can do whatever he wants to do in that network,” Perelman said.

In the New York case, the Iranian hackers responsible for the incident did not damage the control systems. “The fact that they didn’t was a matter of choice and not capability,” he observed.

Red Button

That’s not a reason to breathe easily, however. Many times nation-states mounting an infrastructure attack will leave behind a hidden Christmas present.

“They leave behind a ‘red button’ capability,” Perelman explained. “If they need that capability in the future for either negotiation or an act of aggression, they can press the button and cause physical damage.”

He added that industrial systems that cling to legacy hardware make a hacker’s job easier.

Outside the world of industrial software, a company like Microsoft will patch its products every month and roll out a new operating system every two years. With Windows 10, it will patch and upgrade its software even faster than that through auto-updating.

“When you go to an industrial network, you usually will see the same industrial controllers that were installed in the ’90s,” Perelman said.

“Those controllers were designed when security wasn’t in anyone’s state of mind,” he added.

Chief Data Officer

Chief data officers have been around for less than a decade, but with the increased role of data in contributing to many a corporation’s bottom line, they’ve been growing in popularity. In fact, Gartner is predicting that by 2019, 90 percent of global enterprises will have a CDO.

In addition to wrangling data, another factor may be spurring the creation of CDOs: security.

Because of the proliferation of data breaches, corporate executives are trying to figure out who within their organizations is best equipped to address that problem. Typically, they turn to CIOs, but CIOs can’t do the job alone. They need help.

“That help isn’t going to come from the CSO or CISO because those officers are focused on information systems. They’re focused on firewalls, antivirus and other things to keep hackers out,” said Todd Feinman, CEO of Identity Finder.

“Data is a different layer,” he told TechNewsWorld. “It’s not about preventing hackers from breaking in.”

CIOs are becoming resigned to the fact that their systems will be penetrated. If that’s the case, it raises the question, “How do I minimize the damage when it happens?”

The CDO can answer that question by identifying ways to protect data.

Data Cop

For example, the CDO can monitor who has access to data and who should have access to data. While general access controls typically are handled by people with “security” in their title, CDOs are in a better position to determine granular access to data because they understand the data and who really needs access to it.

The same is true for obsolete data. “If I have a file that no one has used in the last five years, why am I keeping it around?” Feinman asked. “By keeping it around, it becomes a liability. It’s something sitting around waiting to be stolen.”

The CDO is also in a better position to impose a data regimen that can reduce the risk of high-value information being compromised.

For example, during the Sony Pictures Entertainment data breach in 2014, hackers stole thousands of Social Security numbers in hundreds of files.

“A chief data officer might have looked at that and said, ‘Our footprint for the quantity of SSNs that we store in multiple locations is creating a very high likelihood that if we ever get broken into, they’re going to get stolen,'” Feinman said.

“All SSNs should be in one place,” he continued. “Then there’s maybe a 1 percent chance that if we get broken into, someone will find the Social Security numbers.”

iOS 9.2 Security

If you’re an iPhone user, have you upgraded to iOS 9.2 yet? If not — and you’re concerned about security — you should not procrastinate any longer.

The new version of iOS has more than 50 security patches. Although the security flaws the patches address vary in severity, you will have to install all of them at once.

“The iOS platform is unique when comparing it to other major software vendors such as Microsoft in that you cannot pick and choose which security updates to apply,” noted Travis Smith, a senior security research engineer at Tripwire.

“You either must apply all or none, meaning that to the end user, there is no single security fix that is more important than the others,” he told TechNewsWorld.

That’s not such a bad thing, when you consider how challenging it has been to exploit iOS in the past, and how black hats behave once a batch of patches is released.

“Given the fact that iOS devices are notoriously difficult to successfully exploit, it’s wise to consider any known vulnerability as important,” Smith said.

“With the announcement of these vulnerabilities, bad guys are able to hone in their efforts to areas of the device which are vulnerable,” he added.

Breach Diary

  • Dec. 27. Quincy Credit Union suspends ATM and debit card access to its banking system after discovering an ATM skimming scam that affected at least 670 customers.
  • Dec. 28. Security researchers discover a database containing information on 191 million voters and accessible to the public for free on the Internet. Making such information public could violate laws in some states.
  • Dec. 29. British Columbia reaches a cash settlement for an undisclosed amount in a wrongful dismissal lawsuit two health researchers filed. They were among eight fired following a data breach at a health research agency.
  • Dec. 30. Microsoft reveals it has adopted a policy to notify its email customers when it suspects their accounts are under attack from a nation-state.
  • Dec. 30. Hillsides, a child welfare agency, notifies nearly 1,000 clients and staff that their personal information is at risk after it was discovered that a former employee on five occasions sent unencrypted files containing the information to email addresses unaffiliated with Hillsides.
  • Dec. 31. Keller Rohrback files a class-action lawsuit against VTech Electronics North America over a breach that exposed the data of more than 10 million parents, legal guardians and minor children.
  • Dec. 31. BBC websites were unavailable for several hours in what appears to be a distributed denial-of-service attack. A group calling itself New World Hacking later claimed responsibility for the attack.
  • Dec. 31. CCH Group reports the IRS exempts from taxation identity theft protection services given to employees or others before a data breach occurs.
  • Dec. 31. The State Department releases less than 65 percent of the 4,800 messages from Hillary Clinton’s private email server previously ordered released by a federal judge. Of the emails released, 8.6 percent were redacted in whole or in part.
  • Jan. 1. Network security company Cyberoam confirms a data breach of its systems. A security researcher reported 100 million records from Cyberoam were being offered for sale on the dark Web for 100 bitcoins (US$43,000).

Upcoming Security Events

  • Jan. 14. PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Sponsored by Federal Trade Commission. Free.
  • Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
  • Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
  • Jan. 21. From Malicious to Unintentional — Combating Insider Threats. 1:30 p.m. ET. Webinar sponsored by MeriTalk, DLT and Symantec. Free with registration.
  • Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
  • Jan. 26. Cyber Security: The Business View. 11 a.m. ET. Dark Reading webinar. Free with registration.
  • Jan. 28. State of the Phish — A 360-Degree View. 1 p.m. ET. Webinar sponsored by Wombat Security Technologies. Free with registration.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 16. Architecting the Holy Grail of Network Security. 1 p.m. ET. Webinar sponsored by Spikes Security. Free with registration.
  • March 18. Gartner Identity and Access Management Summit. London, UK. Registration: before Jan. 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.