Had an interesting conversation this week with the CISO of a large bank. They were interested in moving towards ISO-27001 certification and we were talking about the challenges of conducting a “meaningful” risk assessment in such a large and distributed organization.

As we were talking about the merits of information and process centric risk assessment using ISO-27005 (as opposed to asset centric) a bemused smile spread across his face. He pointed out that with the number of acquisitions the bank had made over the last few years that he really wasn’t certain about all of the relevant data that was critical to the risk assessment.

As larger organizations look to comply with “information” specific laws relating to PII and PHI or look to align themselves with security frameworks like ISO-27001 or HITRUST being able to identify sensitive data in both structured and unstructured forms is essential.

I suspect that the next few years will be good to companies like Varonis and Gobal IDs that produce tools that simplify the process of automatically identifying critical data and support organizations’ governance requirements.

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

Salem County, New Jersey Bank Account Hacked

Last year, Monmouth County’s bank account was infected with ZeuS Malware. It has happened again, but this time to Salem County.

“The county will also be setting up a new secure computer solely for the use of bank transactions. This computer will have no email, no public Internet access, no disk drive or USB ports.”

It’s nice to see Salem County thinking outside the box by setting up the new secure computer. Without drives or ports there is no way for a person to plug in directly with a Live CD or USB. But will that still stop ZeuS?

Banks, Get Your WiFi Tested

Not long ago we shared how during audits, the FDIC will be looking to make sure banks have tested their WLAN Security.  Since then, even more customers have been pleased that we notified them of the addition.

Now, Info Security Magazine has published an article describing just a few of the attacks that could be done by a malicious hacker with access to a bank’s WiFi. One of the more common attacks would be Man-In-The-Middle attacks, which Pivot Point Security offers as part of our Internal Penetration Testing services.

Knowing the damage that can be caused by someone with bad intention should provide enough reason to have a WLAN tested. So if your bank has WiFi and has yet to test its security, please give us a call to see how we can help.

Google Wallet Pinned By A Vulnerability

If you haven’t heard of Google Wallet, it’s a tool that enables a person make financial transactions using a mobile device like a smart phone or tablet. Google Wallet uses near field communication (NFC) to send the data, a technology that has been a topic among IT security professionals.

However, this vulnerability is not found in the NFC technology. Instead, it is the PIN set by the user. Using a new app, Wallet Cracker, the PIN can be revealed without a single invalid attempt. View the video below to see how easy it is.

The app and hack was done while the Google phone was rooted, which Google does not recommend. Although Google does not currently have a remedy for the vulnerability, the Wallet Cracker developer did offer some advice:

• Don’t root the phone
• Enable lock screens such as face unlock, pattern, PIN, password – rather than just slide
• Disable USB debugging
• Enable full disk encryption
• Keep device software updated and use only official software

Financial IT Security

Arguably, beyond the government itself, no industry has a greater impact on the health of our economy than financial services. And nothing has a greater impact on a financial entity than to lose the confidence and trust of its customers. Your Financial IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can help your Financial Organization to know you’re secure and prove you’re compliant. See how we can help.

Don’t miss out on the Ethical Hacker Roundup

The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, for reach out to us through email.

Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.

So it may seem odd that I’m about to profess admiration for some new guidance, namely the Smart Grid Interoperability Panel (SGIP) “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security”.

The original three volumes of 7628 cover almost 700 pages and were one of the main drivers of my original blog. In fact, I almost didn’t look at the new document after it was sent by a colleague, except that his note that “I think you will actually like this one!” had me intrigued. Well, he was right.

There are two main things that have me optimistic about the document:

• It focuses on security assessment rather than good practices for security guidelines for implementation. Having been part of comprehensive multi-vendor Smart Grid Security Assessment projects, I know from experience that the approaches taken from various vendors differed dramatically, which notably impacted the amount of assurance that the Utility was receiving. This is good for Utilities in that a standardized approach simplifies the process of selecting a vendor, validating the security assessment work effort, interpreting the security assessment report, and remediating the issues identified. This is good for Smart Grid Security assessment vendors (like us) for the same exact reasons.
• It leverages a well-vetted approach — NIST 800-53A. This includes everything from scaling the assessment activities based on risk classification to referencing the same NIST 800-53 families and controls to defining the appropriate activities to assess each control. The document could have been called “Using NIST800-53A to Assess Smart Grid Cyber Security.” Rather than adding to the confusion, this approach clarifies it, in that we are beginning to see the harmonization of NIST with Smart Grid Security.

The only odd thing about this new document is how often and far it goes towards specifically stating that it is not a NIST document (Yet). It is, however, a valuable adjunct to the NIST guidance. I highly recommend it to anyone charged with enforcing Smart Grid Security.

Another threat is the lack of enforceable Smart Grid security standards for the power distribution grids; the only enforceable standard being circulated in the industry today, is the NERC CIP standard, which only applies to generation and transmission. There’s no shortage of great guidelines, such as, NISTIR 7628, NIST 800-82 (Industrial Control Systems Security), NIST 800-82 (Industrial Control Systems Security), Cyber Assessment Methods for SCADA Security, Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment, and Security Framework for Control System Data Classification and Protection just to name a few, but the lack of enforceable standards leaves utilities not knowing where to go and confused about which guidelines are appropriate for their needs.

This wait-and-see approach, while Smart Grid technologies are being deployed in the grid, will only make interoperability among these technologies more difficult, as vendors are adopting their own security approaches and proprietary technologies.

What should you do?

Instead of taking the wait-and-see approach and continue deploying insecure devices in your infrastructure, while waiting to see if your vendor decides to implement security into their devices, go “back to basics”.

Identify assets, systems, networks, people and functions that are critical to your business; this information will be important for a risk assessment approach to security. Due to these doubtful economic times, utilities need to be diligent in the way they invest their money, and a risk-based approach is not only diligent, but provides a framework for continuous improvement to enhance protection of critical systems.

The best way to perform your first assessment or verify your current results is to engage a third-party, a consulting company that provides vulnerability and penetration test assessment services, with experience in the utility industry. (Utility experience is one requirement that you should make sure you put on your RFPs.)

Once you have your results, go back to your risk framework and prioritize based on which identified risks will have the most impact to the business if realized. This priority list, along with an educated assessment and justification, will provide management a strategic security plan to improve your security posture and implement a continuous improvement program.

Once your program has been approved, the process of developing and implementing effective protective measures can be broken down into three steps:

• Determining needs;
• Analyze your priority list and what tools and programs are needed.
• Design your security program;
• Design your protective program approach.
• Develop your continuous improvement program;
• Make sure you implement a repeatable strategy.

Last but not least, “measure.” Implementing repeatable processes requires that you measure their effectiveness and continue to improve them.

These steps will assist your organization in improving security while the industry works to find a standard approach that everyone in the energy industry can emulate. Meanwhile, remember this:

Identify – Assess – Prioritize – Implement – Measure

What is your security approach? I would like to hear from you, please leave a comment.

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

Real Smart Grid Security Problems

A question was asked on Quora regarding Smart Grid security. The question specifically asks what the real Smart Grid security problems are versus those that make headlines.

One problem that has been addressed but not finalized is a specific standard for Smart Grid technology. In a previously published article, John stated “the problem wasn’t a lack of guidance, rather it was an overabundance of guidance;” Currently there are overlapping and ambiguous standards; NIST, AMI-SEC, NERC, ISO 27002.

Although this is just one of the many Smart Grid security problems that the Energy industry faces, it’s important to have standards for companies to follow.

The State of IT Security of Energy Companies

In the article from AutomationWorld, Grant Gerke discusses findings from a whitepaper created by The Ponemon Institute. While it is not a surprise that 71% of the C-level executes do not fully understand security initiatives within Energy organizations, we thought the statistic was worth sharing.

The Power Grid is Vulnerable

This article follows up to the statistics above as an inspector from the Energy Department has found what he calls “shortcomings” of utility companies.

“Without a formal risk assessment and associated mitigation strategy, threats and weaknesses may go unidentified and expose the . . . systems to an unacceptable level of risk”

There were just under one hundreds grants from the US Government to utility companies, but not all the recipients have taken steps towards mitigating cyber security risks. Rushing to develop and deploy Smart Grid technology could be a drastic mistake if these risks are not realized and reduced.

New York Energy Data Breach

Iberdrola USA, the owner of, New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E), had a data breach last month. The database that was accessed contains almost 2 million customer accounts, including personal information (e.g., Social Security numbers). NYSEG and RG&E have been working with law enforcement and forensic consultants in attempt to identify who, what and how. Precautionary measures have been implemented (contacting customers) but there is no evidence that the data was used. In the press release by the New York Public Service Commission, the status of whether the breach was malicious is unknown.

Securing the Grid

Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can help your Energy Company align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.

Don’t miss out on the Ethical Hacker Roundup

The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, for reach out to us through email.

Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.

So is it your obligation when assessing a third-party to assess their third-party relationships? Needless to say, this could grow even more challenging as a third-party might employ a multitude of third parties, some of whom may also employ third parties. Assessing all these entities is both impractical and arguably not necessary.

The approach Pivot Point Security took on behalf of our client was to assess the third-party, including the controls that they need to have in place to manage their third parties. There are a couple of primary controls in the ISO 27002 control set intended to address third-party risk:

• A.6.2 External Party Security -
  • Identification of Risks Related to External Parties
  • Addressing Security When Dealing with Vendors/Customers/Partners
  • Addressing Security in Third Party Agreements
• A.10.2 Third Party Service Delivery Management -
  • Service Delivery Control
  • Monitoring & Review of Third Party Services
  • Managing Changes to Third Party Services

So managing sixth-party risk is not about managing sixth-party risk directly – rather it’s about managing risk indirectly by ensuring that your third-party is managing its third-party risk.

On reading of the Zappos breach, I suspected I had a Zappos account that I had used to buy a “hard-to-find” pair of shoes on behalf of my wife … so I fired up my password manager and…. confirmed that to be the case. I was initially relieved when I realized that I had used a password that was unique to that purchase rather than a generic password that I occasionally re-use for low risk sites (e.g., a onetime purchase with no credit card retention). My self-satisfaction was shortly replaced with queasiness when I began to wonder; how lazy had I been over the years? What are the implications of a malicious individual getting hold of this generic password?

I exported my password manager data to an excel spreadsheet and began my analysis:

• Over 400 passwords for various websites gathered over the last 10 years or so (eye-opening)
• 35 Accounts shared the same generic passwords (concerning)
• 11 Accounts used easily guessable variation of the generic password (even more concerning)

On deeper analysis it got more concerning. While most of the sites were “low risk” and personal in nature, (e.g., Opentable, MovieTickets, CaringBridge) I realized that I had used the same password for several corporate accounts that could have notably negative impacts if compromised (e.g., Twitter, Expedia, InfoSecIsland). While my mistake would have largely been limited to someone posting inappropriate content that would have had a negative public relations impact on Pivot Point Security, I began to wonder; what if it happened to our Book Keeper who has access to our online banking and accounting systems?

Needless to say, I’m in the process of cleaning up old passwords. More importantly I’m in the process of updating our corporate password policy to address this risk (e.g., Do not use the same password for Company accounts as non-company access such as personal ISP account, banking and utility or shopping accounts.). I’m still wrestling with ideas on how to monitor/validate compliance with this new addition to our Password Policy.

I’m open to suggestions …

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

Popular Web Host Hacked

Dreamhost is one of the most popular web hosting companies on the market. They host websites and SaaS for a variety of industries. If your SaaS service is hosted on a server where you do not have physical control over the box, what controls are you putting in place to mitigate the information security risk? Is your customers’ information vulnerable?

In the case of Dreamhost, they handled the situation by emailing all customers of the incident. The email states what happened, what was impacted and described the steps for changing appropriate passwords.

Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all Dreamhost customers and their users.

What would you have done differently? Have you discussed security controls with your hosting provider? Is your hosting provider the only third-party that your company works with or is there a third-party to the third-party? John recently presented on the subject of evolving security threats and interesting ways that organizations are leveraging new approaches to evolve with the threats.

Symantec advises customers to stop using pcAnywhere

Symantec may have been thinking of simplicity when bundling pcAnywhere into their offerings. However, by including pcAnywhere in their Altiris endpoint management product, it left countless companies open to attack.

Marc Silverman, Sr. Security Consultant at Pivot Point Security, described the situation as “purchasing a door with a door inside that they can use their own key to get in.”

When Symantec was made aware of the source code theft, they instructed all users to shut down and disable the application completely. They announced the security patches to resolve the three vulnerabilities in pcAnywhere 12.5 for Windows.

For businesses needing help mitigating the risk a technical whitepaper, Symantec pcAnywhere Security Recommendation, was published which describes the vulnerabilities and best practices security recommendations.

Securely Storing Corporate Passwords

There is a discussion on LinkedIn on the topic of securing passwords. Timing is everything – as it has been proven countless times. Just last week John published an article on how Windex now plays a role in his Mobile Device Security Policy. He has also been working on an article about the use of personal passwords in a corporate environment and the security implications of the combination.

Some questions to think about:

• How do you store your corporate passwords? Are you using a free application, a paid application or an excel spreadsheet?
• If you’re using a spreadsheet, are you password protecting it? Is it stored in a cloud?
• Are you using your browser’s built-in password storage feature?
• Why did you choose your method of password storage?

Please be on the lookout for John’s upcoming article titled Personal Passwords Endanger Corporate Security.

Privacy, Breaches & Hacks in Technology

In Network World’s article, 15 worst Internet privacy scandals of all time, they discuss incidents that have been entered into what they call the Online Privacy Hall of Shame.

In the article, they mention some of the most popular incidents (e.g., Sony’s PlayStation Network), but also others like the privacy complaints against Google’s Street View. Since releasing Street View in 2007, Google has been faced with fines and audits. Social media giant, Facebook, is usually at the top of privacy discussions as their privacy policy is often questioned.

Among the list is Apple due to their iPhone tracking criticism. Apple never made it public that they were collecting and storing iPhone user’s location information. After the public was made aware of the situation, Apple released a patch to remove the “glitch”.

The list goes on, with mention of Disney, GM, News Corp and many others.

Don’t miss out on the Ethical Hacker Roundup

The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, for reach out to us through email.

Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.

Zappos has been known in the eCommerce world for their transparency with both employees and customers. They have one of the best customer service reputations of all businesses. However, even the highest man on the totem pole can succumb to an attack from a driven malicious hacker.

Over 24 million customers potentially had information stolen from the databases. In the email to employees, Hsieg clearly states that the database storing customers’ critical credit card and other payment data were not affected or accessed. Even so, the following were possibly compromised:

• Name
• E-mail address
• Billing and shipping addresses
• Phone number
• Last four digits of credit card number (standard information on receipts)
• Cryptographically scrambled password (no clear text passwords)

Why do I think Zappos handled the data breach well?

Hsieg is direct with his email to employees and shares the additional customer notification email.

“To: Zappos Employees
Subject: Important – Security

Dear Zappos Employees -

Please set aside 20 minutes to carefully read this entire email.

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky…”

The email goes on with the full explanation. If you are interested in reading the email in its entirety, please visit the Zappos blog. This brings me to my second point. The email was also posted on their website, making important company news transparent to customers and possible future customers.

In the email to its customers, they separated the news into segments:

• The bad news – explains to the customer what had happened
• The better news – explains to the customer that critical credit card information was not stolen
• Security precautions – explains that they are recommending that the customer should change their password and that they will never ask for personal information via email or phone. If you are suspicious of an email, log in to the website directly to see if there is an alert or message on your account.
• Please create a new password – shared simple instructions on how to change your password and an additional email address specifically for questions related to the process.

Hsieg goes on to say how one single data breach can damage the reputation of a very popular company, and how the security of critical credit card information is extremely important in the situation.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”

In conclusion, I believe Zappos did a fantastic job responding to the incident. They notified employees and customers, and are working with law enforcement to investigate the data breach. As a business should be, they are concerned about their reputation but more importantly, about the security of their customers’ information.

Zappos is providing further training to its employees to assist any customer who has a problem changing passwords. I look forward to seeing how they continue to handle the incident.

Scott

That lunch took place about a year ago and the CIO’s plan is approaching fruition. His idea was to ISO-27001 certify his Private Cloud Offering (we were tickled that he chose us and our ISO-27001 Roadmap to guide his journey). In doing so he felt that he could use the certificate as a means of validating the security of the significant investment the County was making to the Board of Freeholders and the County Administrator. Being able to demonstrate that critical information security risks pertaining to Public Safety Systems, Financial Systems, and constituent/employee Personally Identifiable and Health Information and the like were effectively managed in a manner consistent with their direction was critical to the success of the initiative. Equally important was gaining “buy-in” from the various “potential” consumers of the cloud services including Township police departments, CFO’s, fire departments, and clinics. He is using the 27001 Certificate effort (and eventual certificate) to provide assurance to these third parties that their data will be secured in a manner consistent with an internationally recognized data standard and in accordance with all relevant laws and regulations.

Interestingly over the last month or so I have had very similar conversations (e.g., using ISO 27001 to prove Private Cloud/Shared Service initiatives are secure/complaint) with a global entertainment/media company and a global pharmaceutical. The decentralized nature of both companies allows the varying business units to select the best “vendor” for the IT services they are looking to “outsource”. That vendor may be a traditional vendor (e.g., Telehouse for hosting) or it may be their internal Private Cloud hosting service. This requirement to compete for business means they may be held to the same vendor risk management processes as a traditional party. Accordingly, being able to prove that they are secure and compliant is integral to their success – and ISO 27001 is the best mechanism, especially when considering the global nature of their businesses.

It seems like the time-frame between “thought leadership” and a “prevailing good practice” is shortening … sort of a get on board or get left behind. To put it succinctly, ISO 27001 may just be the “Field of Dreams” for future IT security!