infosec

Plans are afoot in Westminster to burn even more taxpayers' cash by launching a new cyber-security startup accelerator in Cheltenham.

The accelerator will be the umpteenth vehicle for funnelling money to muppets since the coalition government came to power.

Other accelerators have included a military technology free-money haus opened in July, and Vince Cable's hipster tech creche with the Urban Innovation Centre last year.

Today, with bells and whistles, the Department for Culture, Media and Sport declared that it has teamed up with “GCHQ and the nation’s top tech start-ups to develop new technologies aimed at protecting the UK from cyber attacks.”

There are several groups which aim to protect the UK from cyber attacks, not least among them the UK's signals intelligence and surveillance agency, which receives billions in funding from the Single Intelligence Account budget every year.

According to a recent report from the National Audit Office, there are 12 separate teams and organisations who are in some way responsible for infosec in British government departments and whom the Cabinet Office is utterly failing to co-ordinate.

DCMS said:

The tie-up is the first step in the development of two world-leading innovation centres as part of the Government’s £1.9bn National Cyber Security Programme.

The facility will also fast-track new firms into the booming cyber security sector which contributed £1.8bn in exports to the UK economy last year and grew from £17.6bn in 2014 to almost £22bn in 2015.

The accelerator itself will be operated by Wayra UK, part of Telefónica Open Future, and will offer start-ups the opportunity to access “GCHQ's world-class personnel and technological expertise to allow them to expand capability, improve ideas and devise cutting-edge products to outpace current and emerging threats.”

Applicants can apply to Wayra for a place on the programme, which includes "insights to Government procurement processes, IP management, export controls and information assurance architecture." ®



The Register - Security

The Cabinet Office is failing to coordinate UK government departments' efforts to protect their information, according to a damning report by the National Audit Office.

The NAO found that the Cabinet Office has fallen short of its stated duty and ambition to coordinate and lead departments' efforts to protect such information.

The Cabinet Office has “tried to take a more strategic role in offering support and guidance to central government departments,” the NAO report found. “However, senior-level governance remains complex and unclear and, until recently, a wide array of central teams have been involved in information assurance and protecting information, sometimes offering overlapping and contradictory advice.”

Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are "several times" the reported figure of £300 million.

Separately, the NAO stated that GCHQ dealt with 200 “cyber national security incidents” per month in 2015, double the number it had addressed in 2014, though the outcome of these incidents has not been reported.

The report, which counts 8,995 data breaches across the 17 largest government departments in 2014-15, certainly suggests that departments need to get their own houses in order before they open up access to even more of citizens' data, as the porn-blocking Digital Economy Bill would have them do.

Government departments are being challenged by the increasing need to share data with other public bodies, with delivery partners, service users, and citizens. According to the NAO, recent years’ “cuts to departmental budgets and staff numbers, and increasing demands from citizens for online public services, have changed the way government collects, stores and manages information”.

At the same time “the threat of electronic data loss from cyber crime, espionage and accidental disclosure has risen considerably. Alongside this new challenge, reporting to the Information Commissioner’s Office (ICO) by public bodies shows that the loss of paper records remains significant.”

Efforts have been complicated by the lack of coordination between the 12 separate teams and organisations which play a role in governmental infosec, including GDS, GCHQ, CESG, CERT-UK and the UK National Authority for Counter Eavesdropping (UKNACE).

That this work hasn’t been coordinated “has meant that a large number of bodies continue to have overlapping mandates and activities”, according to the NAO, which recalled that last November the then-Chancellor of the Exchequer, George Osborne, acknowledged this acronym-heavy problem and the need to “address the alphabet soup of agencies involved in protecting Britain in cyberspace.”

As part of that address, Osborne announced the launch of a new National Cyber Security Centre (NCSC) which will act as a hub for sharing best practices in security between public and private sectors, and will tackle cyber incident response.

Speaking to The Register earlier this month, the former head of GCHQ Sir David Omand said: "Next month, the new National Cyber Security Centre starts its work, under the Director of GCHQ, drawing on the technical expertise of GCHQ staff in operating in cyberspace, a further major development in harnessing the skills of the intelligence community in protecting the public."

NAO's head, Amyas Morse, said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.” ®




Information security (infosec) is a set of strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Infosec responsibilities include establishing a set of business processes that will protect information assets regardless of how the information is formatted or whether it is in transit, is being processed or is at rest in storage.

Infosec programs are built around the core objectives of the CIA triad: maintaining the confidentiality, integrity and availability of IT systems and business data. These objectives ensure that sensitive information is only disclosed to authorized parties (confidentiality), prevent unauthorized modification of data (integrity) and guarantee the data can be accessed by authorized parties when requested (availability).

Many large enterprises employ a dedicated security group to implement and maintain the organization's infosec program. Typically, this group is led by a chief information security officer. The security group is generally responsible for conducting risk management, a process through which vulnerabilities and threats to information assets are continuously assessed, and the appropriate protective controls are decided on and applied. The value of an organization lies within its information -- its security is critical for business operations, as well as retaining credibility and earning the trust of clients.

Threats to sensitive and private information come in many different forms, such as malware and phishing attacks, identity theft and ransomware. To deter attackers and mitigate vulnerabilities at various points, multiple security controls are implemented and coordinated as part of a layered defense in depth strategy. This should minimize the impact of an attack. To be prepared for a security breach, security groups should have an incident response plan (IRP) in place. This should allow them to contain and limit the damage, remove the cause and apply updated defense controls.

Information security processes and policies typically involve physical and digital security measures to protect data from unauthorized access, use, replication or destruction. These measures can include mantraps, encryption key management, network intrusion detection systems, password policies and regulatory compliance. A security audit may be conducted to evaluate the organization's ability to maintain secure systems against a set of established criteria.

Jobs within the information security field vary in their titles, but some common designations include chief security officer (CSO), chief information security officer (CISO), security engineer, information security analyst, security systems administrator and IT security consultant.

This was last updated in September 2016



SearchSecurity: Security Wire Daily News

Analysis A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout.

Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical. Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation.

MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws were made public, MedSec and Muddy Waters could both profit. The further the shares fell, the higher MedSec's profits would be.

Muddy duly published details of the flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.

We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50.

MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts, admittedly in a rather unorthodox manner.

"We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog.

"Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products."

Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed. If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case.

Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit. Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the flaws, which could help depress the share price further and thus boost his profits.

"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed.

But based on his own company's report today into the St Jude devices, that seems unlikely. The two attack vectors described are a battery-draining attack and one that could crash a pacemaker, but both require the attacker to have access to the patient's home control unit for about an hour.

The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security. It estimates the faults will take years to rectify.

Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec.

The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong. So instead, it seems, they publicised the mere existence of the flaws and cashed in on short selling.

Medical device hacking has been demonstrated for years now, so much so that it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®




Black Hat It’s Black Hat time and that means the Pwnie Awards ceremony, honoring the highlights and bottom feeders of the IT security industry.

The ceremony - which hands out gold and technicolored toy ponies that would make a brony salivate - was held on Wednesday night at the Black Hat convention in Las Vegas. The judges included Dark Tangent (aka the show’s founder Jeff Moss), HD Moore, car hackers Charlie Miller and Chris Valasek, and Dino Dai Zovi.

The event was standing-room only, a stark contrast to last year’s event, which was sparsely attended. Almost none of the winners turned up for their prizes, apart from those honored for finding bugs.

In the latter category the best server-side bug find went to David Barksdale, Jordan Gruskovnjak, and Alex Wheeler for the Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow. The best client-side bug went to Fermin Serna for the glibc getaddrinfo stack-based buffer overflow. Both teams had people there to collect their prizes.

But the real fun in the Pwnies comes from taking the piss out of the worst in the industry, and - unsurprisingly – vendors didn’t turn up for those. Western Digital won the lamest vendor response award after dismissing concerns that its drives' encryption keys are trivially easy to recover with a statement that it had “been in a dialogue” with researchers over the issue.

And remember Badlock? The Windows and Samba file server flaw that was supposedly so important the discoverers set up a special website for it? It won the most overhyped bug award by a landslide when it turned out the flaw was more about marketing than actual danger.

In amongst the fun there were heartfelt tributes. Peiter Zatko, aka Mudge, won the lifetime achievement award to warm applause while Google Project Zero researcher Tavis Ormandy won the Pwnie for Epic Achievement for never letting us down.

On the fun side, Katie Moussouris missed out on one award, despite convincing both Microsoft and the US Department of Defense to institute bug bounty programs. But she received her gold pony for Best Song for her performance at KiwiCon. A superb bug hunter certainly, but a singer, well - not so much. ®
