Friday, February 27, 2015

Webinar: An Introduction to Cybersecurity

On November 26, 2014, the National Cybersecurity Institute (NCI) hosted a webinar entitled “An Introduction to Cybersecurity”.
The webinar introduced participants to the basic concepts of cyber security and provided them with an overview of the evolving and dynamic field of cybersecurity. This webinar was the first in a series of 8 webinars discussing the fundamentals of cybersecurity (Cybersecurity 101).
See webinar in full screen

Wednesday, July 9, 2014

So you think your cell phones are safe do you? These days for most of you your smartphone is your life, but I can tell you that your smartphones are not impervious to hacks when connected to a network—cellular or wi-fi. In this video, you will see a host of real-time phone hacks to tackle the question of mobile phone security.  Oh, just to let you now....they are NOT too secure!

Tuesday, July 8, 2014

Hackers have the time and desire to hack anything.  they do it for fun.  In this blog entry I would like to introduce you to Information security researcher Mathew Solnik.  In the video he gives a first-hand demonstration on how to remotely send commands to a car and remotely tell it what to do. A hacker, or even you, can do this for very little cost and effort not that Solnik spent a little over a grand and about a month of work to to reverse-engineer a car's computer system to make it ready for a takeover. Wait until you see how simple this can be.

Sunday, June 22, 2014

Chinese-Made Smartphone Comes With Spyware, Surprise, Surprise...NOT!

I know this comes as no surprise to savvy folks like you, but G Data, a german Cyber Security firm conducted a test of the Star N9500, a cheap Android-powered smartphone made in China, ships with more than just an 8-megapixel camera and quad-core processor. According to G Data, it has discovered malicious software—which could be used to track the phone’s user and manipulate the device remotely—embedded in the device.
G Data, said it discovered a so-called Trojan-horse malware, called Usupay.D, in the phone’s Google Play app store.
It said it fielded several complaints from buyers of the phone and ran tests on a newly purchased device. During testing, it was discovered that the spyware on the smartphone sends phone identification and specification data to an unidentified server located in China.
G Data said the malware could also operate phone functions remotely, like turning on the camera, though it said it found no evidence that had happened in the phone it studied.
It also said that sending data to a Chinese served doesn’t necessarily suggest an attacker targeting the phone is based there.
G Data could not say how the malware ended up on the phone. 
The N9500, similar to the best-selling Samsung Galaxy S4, is a popular low-cost smartphone, found on for between £85 ($141) for a new 5.0 inch version to £119.89 for a new 5.7 inch HD version.
The malicious software is pre-installed in the so-called firmware, the software that comes with the phone and operates its systems. It can therefore not simply be deleted like a regular app installed from a third-party app store.
The malware program itself was identified by Kaspersky Lab in March 2013. G Data says its analysis is the first time Usupay.D has been discovered bundled with a mobile phone.

Saturday, June 21, 2014

Creating Good IT Security Metrics is vitally Important to Security Programs

One of the biggest problems I see in most security programs is a lack of metrics that REALLY measure the effectiveness of the program.  IT Security Metrics provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization. 

It is essential that whomever is leading your cyber security program chooses and designs effective measurement strategies and addresses the data requirements of those strategies. 

There is a Security Process Management Framework that allows for the production of analytical strategies for security metrics data.  I will discuss that in my next blog.  Using this framwork, youcan take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time. 

On any account, here are examples of security measurement ideas that will allow you to have effective measurements of your program.
  • Define security metrics as a manageable amount of usable data
  • Design effective security metrics
  • Understand quantitative and qualitative data, data sources, and collection and normalization methods
  • Implement a programmable approach to security using the Security Process Management Framework
  • Analyze security metrics data using quantitative and qualitative methods
  • Design a security measurement project for operational analysis of security metrics
  • Measure security operations, compliance, cost and value, and people, organizations, and culture
  • Manage groups of security measurement projects using the Security Improvement Program
  • Apply organizational learning methods to security metrics
I will expound on these, and other concepts in upcoming posts.