Systems

Issues with the Met's information systems have contributed to failures to protect children at risk of sexual exploitation, according to a report by Her Majesty's Inspectorate of Constabularies (HMIC).

Published today, the 113-page report [PDF] following HMIC's inspection into national child protection, reported how London's Metropolitan Police Service (MPS) has had issues with its IT systems that are contributing to failures to protect vulnerable children.

Police staff told HMIC that information on the Met's Crime Recording Information System (CRIS), which holds data regarding children's circumstances and vulnerability, was “not easy to locate” and “complicated” while the system's usage was “neither universally adhered to nor universally understood”.

This is a particular concern with regard to the force's risk assessments, according to HMIC, which said that in many incidents officers failed to reflect the intelligence their systems already held, or simply made inaccurate assessments.

HMIC reported that some cases were graded as being of only “medium risk of harm on the basis that the children in question were 'streetwise and able to take care of themselves'.”

In one such incident, the report went on to explain, a 13-year-old girl who went missing overnight was assessed as only being at medium risk because she was “streetwise” despite the Met's communications centre receiving a report that the child was “alone and unsafe in a house with three men”.

Connectivity issues with the Met's IT systems meant this information was “in an email inbox in the MPS for 14 hours before the force acted on it.”

HMIC stated that such findings “in relation to the flagging and retrieval from the police computer systems of relevant information about child protection issues are a particular concern.”

It explained that the difficulty of locating information on the current force IT systems risks cases being dealt with in isolation, leading to potential intelligence gaps.

The report concluded: "The lack of connection between the MPS IT systems, databases and spreadsheets used to record such analyses exacerbates this problem. As a result, much of the information on victims, offenders and risk is kept in isolated pockets across the force. This contrasts sharply with the free movement of people (both victims and offenders) around the capital." ®



The Register - Security

A report made available this week by the U.S. Government Accountability Office (GAO) shows that the Food and Drug Administration (FDA) needs to address some serious cybersecurity weaknesses that expose industry and public health data.

An audit conducted by the GAO between February 2015 and August 2016 revealed several problems that put the confidentiality, integrity, and availability of the FDA’s systems at risk.

The GAO’s analysis targeted seven of the FDA’s 80 systems. The systems covered by the audit receive and process sensitive drug information and are essential to the agency’s mission. Since they are categorized as moderate or high impact under the Federal Information Processing Standards (FIPS), a compromise of the systems or their information could have a serious or catastrophic impact on the organization.

A total of 87 weaknesses have been identified by GAO, including failure to protect network boundaries, identify and authenticate users, restrict user permissions, encrypt sensitive data, monitor system activity, and conduct physical security reviews.

For instance, the FDA’s internal network was not isolated from the network of the contractor in charge of the agency’s public website. The internal network was also accessible from one of the organization’s untrusted networks.

Another example refers to the FDA’s failure to implement strong password controls, including passwords that remained unchanged for several years, weak credentials and default settings.

As for authorization-related concerns, the GAO discovered that hundreds and even thousands of user accounts had unnecessary or uncontrolled access to file shares. The audit also revealed that sensitive data, including passwords, was not properly encrypted.

The FDA did not properly audit and monitor its systems, which could allow malicious actors to remain undetected for extended periods of time. The GAO pointed out that the agency did not always retain audit logs, and it failed to preserve evidence related to a 2013 security breach that resulted in an external attacker gaining access to sensitive user account information.

“FDA has taken steps to safeguard its systems that receive, process, and maintain sensitive data by, for example, implementing policies and procedures for controlling access to and securely configuring those systems. However, a significant number of weaknesses remain in technical controls — including access controls, change controls, and patch management — that jeopardize the confidentiality, integrity, and availability of its systems,” the GAO said in its report.

One of the causes of weak security controls, according to the GAO, is the lack of a properly implemented agency-wide information security program as required by federal laws. These laws require government organizations to implement risk assessments, incident response procedures, regular testing of security controls, reviews and updates for security policies and procedures, vulnerability patching mechanisms, and security training.

The GAO has made over a dozen recommendations for the implementation of an agency-wide information security program and 166 recommendations on addressing specific problems.

SecurityWeek RSS Feed

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.


While the former has received many updates through the years (this newer version is v8.0), the whitepaper is a “modernized” version of a document that was first released in 2009.

Both tools are offered for free, in the hope that they will be widely used.

Cyber Security Evaluation Tool

The Cyber Security Evaluation Tool is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system and information technology network security practices.


It does so by asking questions about system components, architectures, operational policies and procedures, and so on. The questions will depend on which government and industry cybersecurity standards the operators want their systems to adhere to.

“When the questionnaires are completed, CSET provides a dashboard of charts showing areas of strength and weakness, as well as a prioritized list of recommendations for increasing the site’s cybersecurity posture. CSET includes solutions, common practices, compensating actions, and component enhancements or additions,” ICS-CERT explains.

The team also offers onsite training and guidance to asset owners (in the US) who might encounter problems while using CSET. This help also comes at no cost. For instructions on how to download and install the tool, go here.

The whitepaper

ICS-CERT works to reduce risks within and across all critical infrastructure sectors – chemical, emergency services, energy, critical manufacturing, healthcare, IT, transportation, and so on.

This newest report will be helpful for organizations in each of those sectors, and concentrates on defense-in-depth strategies and a holistic approach to security.

“The concept of Defense in Depth is not new — many organizations already employ many of the Defense-in-Depth measures discussed in this document within their information technology (IT) infrastructures; however, they do not necessarily apply it to their ICS operations,” the experts who penned the report noted.

“In the past, most organizations did not see a need to do so. Legacy ICSs used obscure protocols and were largely considered ‘hack proof’ because of their separation from IT and because of having physical protection measures in place. But with the convergence of IT and ICS architectures, recent high-profile intrusions have highlighted the potential risk to control systems.”

Defense in depth can also compensate for another problem: the distinct lack of ICS-specific security solutions.

The report includes an overview of the current state of ICS cybersecurity, ICS defense-in-depth strategies, an overview of possible attacks against critical infrastructures, and recommendations for securing ICS. The latter includes adopting a proactive security model, key security countermeasures, and a variety of available services and tools (CSET is among them).


Help Net Security

Keep the faith: A vote for voting systems

I’ve been having a little back-and-forth with InfoWorld’s Roger Grimes about security vulnerabilities in the U.S. election system. This was sparked by Roger’s post last week, “Voting machines are still too easy to hack.” The title says it all, but as Roger notes, the risk is mitigated by the fact that voting machines are not connected to the internet. You need physical access to voting machines in order to hack them.

This immediately led me to wonder about the vulnerability of systems that are connected to the internet, particularly in light of recent reports that Russian hackers had breached voter registration systems in Illinois and Arizona. What if hackers deleted registered voters wholesale? Some states allow you to register online or through motor-voter initiatives, so the state wouldn’t necessarily have a paper record, nor would many voters. If they weren’t on their designated polling station’s list, they could cast a provisional ballot, but that vote would be invalidated without the state having its own record of registration. Right?


Roger assured me that campaigns receive registered voter lists for mailings and other voter contacts. “These lists are often printed out and in paper form even in the election offices, so they can be used for quick comparisons against any previous or new list,” he said. “There are enough safe checks in the system that any widespread election list deletion would be caught fairly easily and quickly.”

That reassured me -- until I read a recent piece in the Washington Post about how Russia could wreak “electoral disaster.” Apparently Russia has already performed this sort of mischief in the Ukraine. “Rigging” or even attempting to rig the U.S. election in favor of either presidential candidate could destroy faith in the outcome, particularly those who have little idea how the system works.

"Faith" is the key word here. As IDG News Service’s Grant Gross reported in a recent news item, the United States is investigating what appear to be Russian attempts to “spread disinformation and hack into U.S. political systems in an effort to undermine confidence in the upcoming election.” In a world where conspiracy theories fly across the internet as fast as miscreants can type them, this could be truly corrosive. It’s not necessarily about throwing the election to one candidate or another -- it’s about doing enough damage to create a toxic atmosphere of uncertainty.

To use a practical analogy, I imagine all of us have worked for companies at one time or another when repeated outages or mistakes completely undermine faith in the IT department. Can’t they do anything right? They’re trashing the brand and destroying the business! Even normal iterative processes can give stakeholders outside the inner workings of a complex system “jitters,” as InfoWorld’s James Kobielus observes in his post today.

In hindsight, although it felt good at the time, I regret the ranting and raving I did in those situations when those things went badly wrong. Very rarely do we encounter situations in which an entire organization is utterly incompetent and needs to be fired en masse. Sure, certain individuals might well need to be handed their walking papers, but from the outside it’s hard to know who. Most people try their best. They make mistakes -- and in many cases learn from them. If you lose faith in their capabilities entirely without knowing the details, the problem might be yours, not theirs.

Hacking the voting system is only partly about security vulnerabilities and defenses. As James says, “confidence is a psychological and even sociological phenomenon.” Yes, we need to identify weaknesses and batten down the hatches in the face of potential attacks. But the voting system, like any system viewed from the outside, can never be completely transparent. Faith shouldn’t be blind, but neither should it be lazily, cynically abandoned.


For quite a while now, Rapid7 researchers Tod Beardsley and Deral Heiland have been looking for vulnerabilities in various Network Management Systems (NMSs).

With the help of independent researcher Matthew Kienow, they found over a dozen vulnerabilities affecting nine different NMS products: Castle Rock SNMPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG, and Spiceworks Desktop.

What are Network Management Systems?

Network Management Systems are used for discovering, managing and monitoring various devices on a network (e.g. routers, switches, desktops, printers, etc.). They usually use the Simple Network Management Protocol (SNMP) to format and exchange management messages, and it’s exactly through this protocol that these systems can be attacked.

“These systems are attractive targets for attackers looking to learn more about new environments. A compromised NMS can serve as a treasure map, leading attackers to the most valuable — and perhaps non-obvious — targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base,” the researchers noted.

“Besides, why spend time and risk detection by scanning the network from a compromised system controlled by the attacker, when one could just piggyback on a working NMS that’s already designed to monitor the entire network population?”

The vulnerabilities

The vulnerabilities they found can all be exploited through three distinct attack vectors:

  • XSS attacks over SNMP agent-provided data
  • XSS attacks over SNMP trap alert messages (which are sent by SNMP agents to notify the network manager of any status change)
  • Format string processing on the NMS web management console (practically all modern NMSs are managed through them).

The first type of attack can be mounted by introducing a new device on the network. The NMS “discovers” it and identifies it via the SNMP data the device supplies. This data is displayed in the system’s web-based console and can trigger an XSS attack. This type of attack requires a local attacker to be able to add a malicious device to the network.

The second type can be mounted by injecting Flash into easily spoofed SNMP trap messages that will be delivered to the management console, allowing an XSS attack string to be embedded in it. The attacker must occupy a position on the network.

XSS attack on Network Management Systems over SNMP trap alert messages

The third one can also be launched via spoofed and specially crafted trap alert messages.
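The rendering defect behind the first two vectors, as an added example that is not Rapid7's or any NMS vendor's code: constructed SNMP discovery data and a constructed trap varbind list are rendered into a console table first without and then with output escaping, and a small filter flags SNMP-sourced strings that carry markup so a trap receiver can log them before they ever reach the console. The OIDs are standard MIB-2; the device names, values and the detection regex are this example's own.

```python
"""Added example (not Rapid7's or any NMS vendor's code): how an NMS web console
turns SNMP-supplied strings into stored XSS, and the two defensive controls.
All device data, trap contents and names below are constructed."""
import html
import re

# Standard MIB-2 OIDs the console would display for each discovered device.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_NAME = "1.3.6.1.2.1.1.5.0"

# Constructed discovery results: OID -> value as returned by each agent.
# The second "device" answers sysDescr with markup instead of a description.
DISCOVERED_DEVICES = [
    {SYS_NAME: "core-sw-01", SYS_DESCR: "Layer 3 switch, fw 4.2"},
    {SYS_NAME: "printer-hr", SYS_DESCR: "<script>alert(1)</script>"},
]

# Constructed varbinds of a spoofed linkDown trap: sysUpTime, snmpTrapOID and
# an ifDescr whose text carries an event-handler payload.
TRAP_VARBINDS = [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    ("1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.6.3.1.1.5.3"),
    ("1.3.6.1.2.1.2.2.1.2.3", "eth2 <img src=x onerror=alert(1)>"),
]

# Heuristic for SNMP-sourced text that should never contain markup: a tag
# opener, a javascript: URL or an on*= event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.I)


def render_row_vulnerable(fields):
    """The bug class: SNMP strings interpolated straight into console HTML."""
    return "<tr>" + "".join(f"<td>{v}</td>" for v in fields) + "</tr>"


def render_row_hardened(fields):
    """Fix: every agent- or trap-supplied string is escaped for the HTML text
    context it lands in, so the browser shows the payload instead of running it."""
    return "<tr>" + "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in fields) + "</tr>"


def render_devices(devices, hardened=True):
    """Render the discovery table the way a console's device-list page would."""
    row = render_row_hardened if hardened else render_row_vulnerable
    return "<table>" + "".join(row([d[SYS_NAME], d[SYS_DESCR]]) for d in devices) + "</table>"


def suspicious_varbinds(varbinds):
    """Detection control: OIDs whose string value carries markup, to be logged
    and alerted on at the trap receiver independently of output escaping."""
    return [oid for oid, val in varbinds if MARKUP_RE.search(val)]


if __name__ == "__main__":
    print(render_devices(DISCOVERED_DEVICES, hardened=False))
    print(render_devices(DISCOVERED_DEVICES))
    print(suspicious_varbinds(TRAP_VARBINDS))
```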

For more details about each of the vulnerabilities, consult this blog post.

The good news is that all the found flaws have already been patched, and users of the aforementioned products can download security updates with the fixes.


Help Net Security

A new type of stealth malware called USB Thief can reportedly infect air-gapped systems without leaving any signs behind. How does USB Thief work and what, if anything, can enterprises do to mitigate this attack?

USB Thief is a new type of malware discovered by ESET. Little is known about the malware because only part of it has been identified and analyzed. ESET explains how USB Thief uses multiple stages in its attacks on air-gapped systems, has the ability to encrypt itself and limits where it can run to prevent analysis. The target of the attack appears to be stealing data from the infected systems.

ESET stated in its blog post that USB Thief leaves no evidence when it has been used. The USB malware does not save any files on the local system. Enterprises have several options to mitigate this attack. They should assume targeted malware will bypass whatever antimalware tools are in place and have defense-in-depth controls to monitor and investigate potentially suspicious activity. Windows has built-in functionality for logging in the event log each time a USB device is inserted into a system. An enterprise could then monitor the logs for any time a USB device is inserted and respond accordingly. Windows has functionality to record any time a file is accessed on the system and log that event. Windows can log all files executed on the local system, but it is unclear how the USB Thief malware would show up in the event log when the dynamic link library (DLL) was injected into the targeted executable. All of this data would need to be monitored and analyzed by the enterprise, so that if potentially suspicious events were logged, the enterprise could send an incident response team or investigate the system for suspicious activity.

For systems in high security areas, USB drives can be disabled or have the capability to execute files disabled, which could also prevent this attack. But disabling USB drives might not be possible on general use systems because of the limitations on functionality. Some host-based intrusion detection systems, antimalware, whitelisting or other third-party endpoint security tools also have similar functionality for logging or controlling access to USB drives and files accessed on the system.
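The monitoring the answer above describes, as an added example that is not ESET's, Microsoft's or TechTarget's code: removable-device insertion events are correlated with process-creation and DLL-load events from the same drive letter on the same host, so that code run from a freshly inserted drive, or from a removable path with no insertion on record, raises an alert. The event records and their field names are constructed for this example; a real pipeline would map them from the Windows event log first.

```python
"""Added example (not ESET's or Microsoft's code): correlating removable-device
insertion with execution and DLL loads from the same drive. Event records are
constructed and normalised into the example's own field names, not Windows'."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# Constructed, already-normalised records. A real pipeline would map them from
# the Windows event log (plug-and-play device events, process creation and
# image-load auditing) before feeding them in.
EVENTS = [
    {"ts": "2016-08-10T09:00:00", "kind": "usb_insert", "host": "WS-17", "drive": "E:"},
    {"ts": "2016-08-10T09:00:41", "kind": "proc_create", "host": "WS-17",
     "path": r"E:\Apps\editor.exe"},
    {"ts": "2016-08-10T09:00:43", "kind": "image_load", "host": "WS-17",
     "path": r"E:\Apps\helper.dll"},
    {"ts": "2016-08-10T09:05:00", "kind": "proc_create", "host": "WS-17",
     "path": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2016-08-10T11:30:00", "kind": "proc_create", "host": "WS-22",
     "path": r"E:\setup.exe"},
]

# Assumption for this dataset: anything not on the system drive is removable.
# A real pipeline would take the volume type from the device event instead.
FIXED_DRIVES = {"C:"}


def correlate(events, window=WINDOW):
    """Return (host, reason, path) alerts for code run or loaded from a
    removable drive, in timestamp order."""
    last_insert = {}  # (host, drive letter) -> time of most recent insertion
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "usb_insert":
            last_insert[(ev["host"], ev["drive"].upper())] = t
            continue
        drive = ev["path"][:2].upper()
        if drive in FIXED_DRIVES:
            continue
        seen = last_insert.get((ev["host"], drive))
        if seen is None:
            # Removable path but no insertion on record: either device logging
            # is off on that host or the event was lost. Worth a look either way.
            reason = "removable execution without logged insertion"
        elif t - seen <= window:
            secs = int((t - seen).total_seconds())
            reason = f"{ev['kind']} from drive inserted {secs}s earlier"
        else:
            reason = f"{ev['kind']} from removable drive"
        alerts.append((ev["host"], reason, ev["path"]))
    return alerts


if __name__ == "__main__":
    for host, reason, path in correlate(EVENTS):
        print(f"{host}: {reason}: {path}")
```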


This was first published in August 2016



SearchSecurity: Security Wire Daily News

MICROS, the point-of-sale payment systems vendor owned by Oracle, has suffered a data breach, and there are indicators that point to the infamous Carbanak (aka Anunak) cybercriminal gang being the culprit.


MICROS is one of the biggest PoS vendors in the world – its PoS systems are used by many companies in the retail and hospitality industry, such as Ikea, BurgerKing, Starbucks, Hilton, Hyatt, Accor Hotels, and many others.

According to Brian Krebs's sources, the breach started with a single infected system in Oracle’s network, and the attackers hopped from there to other systems, including a customer support portal that Oracle uses to help MICROS customers remotely troubleshoot problems with their PoS systems.

Apparently, this portal was found to be communicating with a server that has previously been tied to the Carbanak gang.

While the extent of the breach is still unknown, Oracle has asked MICROS customers to change the password they use for the affected portal, as well as the passwords for any account that was used by a MICROS representative to access their on-premises systems.

The company said that its corporate network, cloud and service offerings were not compromised in the breach, and that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

Still, all that means little to MICROS customers, who are – hopefully – checking their PoS systems for installed malware right now.

As it’s still unknown how far back the breach goes, it seems possible that the Hilton, Starwood, and Hyatt PoS system compromises in 2015 and early 2016 were made possible by the MICROS breach.


Help Net Security
