Sep 06, 2014

Five Steps to Critical Penetration Analysis

Penetration tests (pentests) have gained recognition as a legitimate approach to identifying and then, in theory, mitigating discovered weaknesses. The pentest industry even has its own magazine (PenTest Magazine), and there are tools that you, as an industrial control systems (ICS) cyber security professional, ought to have in your tool set, such as the PWN Phone or the Metasploit modules from Digital Bond. With the various tools of the trade you will undoubtedly discover at least one vulnerability in your network, and with that information in hand you may then get the resources to fix that problem.

Sep 03, 2014

RIPE brochure available for download

Our new RIPE brochure, highlighting the characteristics and benefits of the RIPE Cyber Security and Robustness Program, is available for download (PDF):

English language version

German language version

Aug 11, 2014

Attacking critical infrastructure with chainsaws and rifles

As reported by the German daily Frankfurter Allgemeine Zeitung, unidentified attackers broke into a cable duct of Germany’s telecommunications provider Kabel Deutschland (a Vodafone subsidiary) and cut fiber optic cables, causing an Internet, TV and telephony blackout for parts of Berlin. The attack is noteworthy because, according to the reporting, the attackers acted professionally and knew exactly where and how to strike in order to cause significant damage, bypassing physical access controls and alarms. We don’t know whether they actually used chainsaws to cut the cables, but they obviously didn’t need zero-day exploits.

Aug 07, 2014

Nationalize Cyber Security for Critical Infrastructure: Seven Points to Ponder

We have touched on the subject of regulation before, in the blog post Nothing to Fear but Fear (i.e., Regulation) Itself. It is a complicated issue with multiple stakeholders (unfortunately, some of those stakeholders never get a seat at the table). We should have a reasoned debate over nationalizing cyber security for critical infrastructure, and that debate ought to include more voices than just corporations (I know, corporations are supposed to be people too; I will believe that when a corporation goes to jail for breaking the law). Although the perspective herein is U.S.-centric, the issue is clearly not confined to any geographic location.

Aug 06, 2014

Quote of the day — On system understanding (or the lack thereof)

“No one realized that the pumps that delivered fuel to the emergency generators were electric.”

Angel Feliciano
Representative of Verizon, explaining why Verizon’s backup power failed during the August 14, 2003 blackout, causing disruption to the 911 service

Aug 05, 2014

The Trouble with Threat Thinking

The world seems to be fixated on the cyber threat. There are exceedingly elaborate methods for capturing, characterizing, and sharing the signatures of emerging threats in real time. Public and private efforts to stay one step ahead of the threat (or at least not too far behind) include machine-to-machine exchanges of threat information: we have STIX and TAXII, threat analytics, threat collaboration, and even threat managed services. Our ability to identify threat actors has advanced to the point where the federal government has issued arrest warrants for citizens of other countries. Going after the threat actors does seem like a good use of all this threat information. However, the question remains just how much this helps the defenders of critical infrastructure.

Aug 01, 2014

Quote of the day — on the non-technical reasons for cyber insecurity

“The underlying reason that cybersecurity is so poorly done is not that there is a crying need for more research and development, or that it is impossible to secure these systems. It is that we fail as a society to apply the lessons of the past. Indeed we fail to even review the past and seek to understand how it applies to the present and future.”

Fred Cohen

Jul 29, 2014

Quote of the day — On cyber security market success, or the lack thereof

“Market success of technologies and products is usually driven by what they enable, not by what they restrict or prevent. Restrictive solutions, such as those in environmental protection, safety, or security, require a strong policy or even legislation to achieve widespread adoption. Nowhere is this more the case than in cyber, where it must appear illogical for customers to pay extra for restrictions of functionality that they expect to only become more powerful and cheaper at the same time.”

Ralph Langner
Recent Blackphone customer

Jul 28, 2014

Five Reasons You Don’t Need Better Cyber Security

Admittedly, these are based on anecdotal evidence, but I suspect they are very close to the major reasons used to deflect concerns about increasing the security posture of cyber-physical systems.

  1. Using complex risk calculations, it can be shown that the risk is really really small.
  2. Even if your company gets attacked once, the probability of another similar attack is less than lightning striking the same place twice.
  3. Your networks are better protected than those other guys and everybody knows that hackers go after easy targets first.
  4. It’s just silly to invest in security expecting some kind of return. Security is just a big black hole that you dump money into if you have too much.
  5. If none of the above reasons work for you, there is one fail-safe reason: you just don’t want to. If you don’t want to do something, one reason is as good as another.

Perry Pederson


Jul 22, 2014

“Surviving on a Diet of Poisoned Fruit”

Poisoned fruit is the apt metaphor the Honorable Richard Danzig uses in the title of his latest report for all the things cyber that we can no longer live without, yet which bring ever increasing risks. The Center for a New American Security (CNAS) sponsored an event to showcase Danzig’s report and discuss proposals for U.S. government responses to cyber insecurity. Panelists included Mike Walker (DARPA), Melissa Hathaway (President of Hathaway Global Strategies), Gary McGraw (CTO, Cigital), and Ben FitzGerald (CNAS), who also moderated the session. Introductory comments were provided by Dan Kaufman (Director of the Information Innovation Office, DARPA). The panel discussion was followed by Richard Danzig, who responded to comments from the panel as well as the audience.

