Cloud Security

Blockchain Buzz
Megan Gates, 2018-07-01
https://adminsm.asisonline.org/Pages/Blockchain-Buzz.aspx

The year was 1960, and Charles W. Bachman was unsatisfied with computers. They were supposed to revolutionize the way companies did business, but accessing vital information and making changes was a time-consuming—and frustrating—process.

Bachman, then a software engineer at General Electric, and his team came up with a solution to the problem. He created the Integrated Data Store (IDS), the first direct-access database management system, which allowed businesses to link data sets and make changes to them with greater ease.

IDS changed the future of computing; databases and their management systems are now used in millions of applications around the world for inventory control, employment records, and transactions.

"IDS and its derivative systems are still in use today, supporting a thousand mainframe installations," Bachman wrote in an article for IEEE Annals of the History of Computing in October 2009.

Around the same time that Bachman wrote his article, another piece of technology was invented that is now changing computing in a similar way: the blockchain.

"A blockchain is similar to a database, but rather than being stored in one place and governed by one company or one set of people who run it and administer it, a blockchain is simultaneously run by thousands—or millions—of people around the world," says Michael Perklin, chief information security officer at ShapeShift.io and board member of the CryptoCurrency Certification Consortium and The Bitcoin Foundation. "There is no real, geographic home."

And blockchain technology is poised for a bright future. Research and advisory firm Gartner predicts that the business value-add of blockchain will reach $176 billion by 2025 and more than $3.1 trillion by 2030.

What is a blockchain?

In October 2008, Satoshi Nakamoto created the cryptocurrency known as Bitcoin. To keep track of Bitcoin transactions and verify them, Nakamoto also created another technology—a blockchain.

A blockchain is a database system that allows peers to validate changes made to the system, rather than relying on a central authority. One of the easiest ways to explain how a blockchain works is in terms of a transaction.

For example, Alice requests that Bob pay her 15 Bitcoins. Her request is broadcast to a network of computers, called nodes. Using cryptography, the nodes make sure the transaction is valid. If it is valid, a new block is added to the existing blocks associated with Alice's account to create a chain. Built into these blocks are digital hashes, which make it evident if anyone attempts to alter a block in the chain.

"With a database, it's possible to falsify a record without leaving any trace because, by default, most databases don't have these tamper-evident capabilities—but blockchains do," Perklin says. "So, if I try to alter my balance and say I have 1,000 Bitcoins, I send this update to the world through the replication mechanism; as every other computer in the world starts receiving this message from me, they take a look at the tamper-evident seal on it, and they realize immediately that this is not a valid update and ignore it."

Most other systems, including databases, lack this validation step.

"By default, databases don't do any checking at all because it's assumed that you have access to that database," Perklin says. "You have an account, you have permission to make a change, it assumed that change is valid, and if you have permission to make it, it'll make it for you."

By contrast, there are no user accounts associated with blockchains. Nodes on the network act as validators, conducting integrity checks to make sure that false information is not added to the blockchain. This validation process happens within nanoseconds.

Beyond validation, there are other benefits to blockchain technology. For instance, it is more resilient than relying on a central authority.

"The data simultaneously exists on thousands or millions of computers around the world at the same time," Perklin explains. "If one server were to go down, the data is still available to everyone else in the world. By contrast, if something like PayPal were to go offline, nobody can use PayPal until PayPal comes back online."

If one server, or several, went out because of a massive Internet outage, a blockchain would continue to work using servers located elsewhere.

How are they used?

Blockchains were initially created to facilitate Bitcoin and have also been used to support other cryptocurrencies. Since then, blockchains have been applied to other projects, but the technology is still in the early phases of adoption.

One use case is document validation. Users can employ blockchain technology to verify the integrity of a document and ensure that it has not been altered.

For instance, publicly traded companies release certain financial records to the public every month. If a malicious insider who stole from the company wanted to alter the documents to cover up the crime, the insider could do so after the chief financial officer prepared the documents.

Using software built on blockchain technology, a chief financial officer could add a time stamp to the prepared financials that would appear in the blockchain.

"This adds a tamper-evident seal that lives in the…blockchain that can attest that at this time and on this day, this was the exact state of the financial affairs," Perklin says. "Now a few days later when bad guys take these financials, alter them, and publish them to the world, if somebody wanted to check the validity they can compare it to what the CFO put in…they will see it has been altered."

This type of timestamping authenticator can also be used to verify video recordings, Perklin says, such as a recording of a police officer using excessive force against a protestor.

"A few months later when they are in court and the recorder is accused of photoshopping the video, they can say, 'No, this time stamp proves that this existed on the day at exactly 3:30 in the afternoon—the time this really happened,'" he explains.

These are just some initial use cases for blockchain, and more will come, but one area Perklin says he does not think blockchain technology will be used for is anything involving private information.

"The nature of blockchain is that all the information is public, and every one of those thousands or millions of computers around the world, they can read all the information, so they can validate all the information," Perklin adds. "Now I've lost my privacy. Anything that has a privacy component is not a good fit for a blockchain application."

Others are also skeptical of the potential security uses of blockchain technology, including Ron Rivest, institute professor at the Massachusetts Institute of Technology and one of the inventors of the RSA algorithm.

Speaking at the RSA Conference in San Francisco in April 2018, Rivest said that blockchains are being viewed as "security pixie dust," with developers promising that any application will "be made better by blockchain properties."

This is not accurate, Rivest said, citing the example of using blockchain technology for election security in the United States.

"In voting, it would be a bad idea because of the private ballot—and it needs to be centralized," he said, adding that a centralized system is needed to ensure that votes are counted while the identity of who cast them remains private.

"Blockchains have limited security properties that may or may not fit what you need," Rivest said.

The U.S. Securities and Exchange Commission (SEC) has also stepped up recently to crack down on companies that are adding blockchain to their name to raise their stock price.

"The SEC is looking closely at the disclosures of public companies that shift their business models to capitalize on the perceived promise of distributed ledger technology and whether the disclosures comply with the securities laws, particularly in the case of an offering," said SEC Chairman Jay Clayton in a statement.

All of this is part of a technology that is just in its beginning phases, similar to what the world saw with the introduction of computers and databases.

"It took decades for people to apply interesting features to that dumb wire between boxes," Perklin says. "I'm sure that in 20 years, we're going to look back at all the different ways companies started using blockchain and think...this was the future."
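The tamper-evident chaining the article describes, and the CFO timestamp use case, can both be seen in a few lines of code. The following is an added example written for this page; it is not code from the article, from ShapeShift.io, or from any blockchain project. It assumes SHA-256 as the block hash (the hash function is an assumption; the article names none), and all entries (a 15-Bitcoin transfer, a digest of a constructed "Q2 financials" document) are constructed sample data. Consensus and replication among nodes, which the real network adds on top, are left out; what remains is the check every node runs before accepting an update.

```python
"""Added example (not from the Security Management article): a minimal
hash-chained ledger with the integrity check each node runs, plus a
document-anchoring check in the spirit of the CFO timestamp use case.
All data below is constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    timestamp: str      # ISO-8601 string; constructed for the example
    data: dict          # e.g. a transfer, or a document digest
    prev_digest: str    # digest of the previous block ("seal" that links them)
    digest: str = ""    # this block's own digest, filled in by make_chain

    def compute_digest(self) -> str:
        # Hash every field except the digest itself. Deterministic JSON
        # serialisation ensures every node computes the same value.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "data": self.data, "prev_digest": self.prev_digest},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


GENESIS_PREV = "0" * 64


def make_chain(entries):
    """Build a chain from (timestamp, data) tuples; data dicts are copied."""
    chain, prev = [], GENESIS_PREV
    for i, (ts, data) in enumerate(entries):
        block = Block(i, ts, dict(data), prev)
        block.digest = block.compute_digest()
        chain.append(block)
        prev = block.digest
    return chain


def validate_chain(chain):
    """Return (ok, index_of_first_bad_block). Any node can run this on its
    own copy, which is why a forged update can simply be ignored."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_digest != prev or block.digest != block.compute_digest():
            return False, block.index
        prev = block.digest
    return True, None


def document_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def document_unchanged(chain, block_index: int, content: bytes) -> bool:
    """Compare a later copy of a document to the digest anchored in the chain.
    A chain that fails its own integrity check vouches for nothing."""
    ok, _ = validate_chain(chain)
    if not ok:
        return False
    return chain[block_index].data.get("doc_sha256") == document_digest(content)


# Constructed sample data
FINANCIALS_V1 = b"Q2 revenue: 1,000,000; Q2 expenses: 800,000"
ENTRIES = [
    ("2018-06-01T09:00:00Z", {"genesis": True}),
    ("2018-06-02T10:15:00Z", {"from": "Bob", "to": "Alice", "amount": 15}),
    ("2018-06-03T15:30:00Z", {"doc": "Q2 financials",
                              "doc_sha256": document_digest(FINANCIALS_V1)}),
]


def demo():
    chain = make_chain(ENTRIES)
    results = {"valid_initially": validate_chain(chain)[0]}
    # A later, altered copy of the financials does not match the anchor...
    altered = b"Q2 revenue: 1,000,000; Q2 expenses: 600,000"
    results["altered_doc_detected"] = not document_unchanged(chain, 2, altered)
    # ...while the document the CFO actually anchored still verifies.
    results["original_doc_verifies"] = document_unchanged(chain, 2, FINANCIALS_V1)
    # A local attempt to rewrite a balance: block 1's digest no longer matches.
    chain[1].data["amount"] = 1000
    ok, bad = validate_chain(chain)
    results["tamper_detected_at"] = None if ok else bad
    # Re-sealing block 1 just moves the break: block 2 still names the old digest.
    chain[1].digest = chain[1].compute_digest()
    ok, bad = validate_chain(chain)
    results["tamper_detected_after_reseal_at"] = None if ok else bad
    return results


if __name__ == "__main__":
    print(demo())
```

The last two checks in `demo()` are the point of the chain: editing one block breaks its own seal, and recomputing that seal breaks the link from the next block, so an altered copy can never be made to look identical to the copy every other node holds without rewriting everything after it.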

Cloud Security: articles in this section

- Blockchain Buzz (2018-07-01): https://adminsm.asisonline.org/Pages/Blockchain-Buzz.aspx
- On-Premise vs the Cloud (2018-05-25): https://adminsm.asisonline.org/Pages/On-Premise-vs-the-Cloud.aspx
- Book Review: Mastering Bitcoin (2018-05-01): https://adminsm.asisonline.org/Pages/Book-Review---Mastering-Bitcoin.aspx
- The Problem with Data (2017-09-27): https://adminsm.asisonline.org/Pages/The-Problem-with-Data-.aspx
- An Education Connection (2017-09-01): https://adminsm.asisonline.org/Pages/An-Education-Connection.aspx
- Book Review: Network Video (2017-08-01): https://adminsm.asisonline.org/Pages/Book-Review---Network-Interview.aspx
- Trump’s Cybersecurity Executive Order Well Received by Experts (2017-05-12): https://adminsm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
- Seminar Sneak Peek: Moving to the Cloud Repositions Security (2016-08-16): https://adminsm.asisonline.org/Pages/Seminar-Sneak-Peek---Moving-to-the-Cloud-Repositions-Security.aspx
- New Data Rules (2016-08-01): https://adminsm.asisonline.org/Pages/New-Data-Rules.aspx
- Operating Blind (2016-03-01): https://adminsm.asisonline.org/Pages/Operating-Blind.aspx
- Privacy Shield Is Here—What This Means For Your Company (2016-02-09): https://adminsm.asisonline.org/Pages/Privacy-Shield-Is-Here--What-That-Means-For-Your-Company.aspx
- Book Review: Big Data (2016-02-01): https://adminsm.asisonline.org/Pages/Book-Review---Big-Data.aspx
- On the Record (2016-01-14): https://adminsm.asisonline.org/Pages/On-the-Record.aspx
- Conducir hacia el desastre (Driving toward Disaster) (2015-07-08): https://adminsm.asisonline.org/Pages/Conducir-hacia-el-desastre.aspx
- Building Cyber Awareness (2015-05-18): https://adminsm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
- Passing the Biometrics Test (2015-03-01): https://adminsm.asisonline.org/Pages/Passing-the-Biometrics-Test.aspx
- Chain Reaction (2015-01-01): https://adminsm.asisonline.org/Pages/Chain-Reaction.aspx
- The Password Problem (2014-12-01): https://adminsm.asisonline.org/Pages/the-password-problem.aspx
- Cyber Crusaders (2014-11-01): https://adminsm.asisonline.org/Pages/Cyber-Crusaders.aspx
- Q&A: What Are Today's Biggest Malware Challenges? (2014-10-01): https://adminsm.asisonline.org/Pages/QA-What-are-Today's-Biggest-Malware-Challenges.aspx

Building Cyber Awareness
2015-05-18
https://adminsm.asisonline.org/Pages/Building-Cyber-Awareness.aspx

Early in 2009, while working the night shift as a contract security guard, Jesse William McGraw infiltrated more than 14 computers at the North Central Medical Plaza in Dallas, Texas. McGraw, the self-proclaimed leader of the hacking group Electronik Tribulation Army, installed a program on the computers that would allow him to access them remotely to launch DDoS (distributed denial of service) attacks on rival hacking organizations’ websites.

Among the computers McGraw hacked into were a nurses’ station computer—which had access to patient information protected by the Health Insurance Portability and Accountability Act (HIPAA)—and a heating, ventilation, and air conditioning computer that controlled the airflow to floors used by the hospital’s surgery center. Over several months in 2009, McGraw further compromised the hospital’s network by installing malicious code and removing security features, making the network even more vulnerable to cyberattacks.

To document his work, McGraw made a video and audio recording of his “botnet infiltration.” Set to the theme of Mission Impossible, McGraw described his actions: accessing an office and a computer without authorization, inserting a CD containing the 0phcrack program into the computer to bypass security, and inserting a removable storage device, which he claimed contained malicious code. McGraw then posted the video to the Internet, asking other hackers to aid him in conducting a “massive DDoS” on July 4, 2009.

His online actions attracted the attention of the FBI, which, five days before his planned attack, arrested him on two charges of transmitting malicious code. McGraw pled guilty to the charges and was sentenced to 110 months in federal prison in 2011.

An attack similar to McGraw’s is even more worrisome now, as companies increasingly use building systems and access control systems that are connected to computers. Between 2011 and 2014, the number of cyber incidents reported to the U.S. Department of Homeland Security (DHS) that involved industrial control systems grew from 140 to 243 incidents—an increase of 74 percent.

Yet many private and public entities aren’t addressing the cyber risks associated with these systems. In fact, according to a Government Accountability Office (GAO) report, DHS is not assessing or addressing cyber risks to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) at all.

“DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue,” the GAO found in its recent report. “By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, [the National Protection and Programs Directorate] have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.”

Within most federal facilities there are building control systems that monitor and control building operations such as elevators, electrical power, heating, ventilation, and air conditioning. Many of these systems are connected to each other and to the Internet, making them extremely vulnerable to cyberattacks that could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or occupants, the GAO reports. For instance, a cyberattack could allow people to gain unauthorized access to facilities, damage temperature-sensitive equipment, and provide access to information systems.

And perpetrators aren’t limited to outside actors; they can also be insiders. “Insider threats—which can include disgruntled employees, contractors, or other persons abusing their positions of trust—also represent a significant threat to building and access control systems, given their access to and knowledge of these systems,” the report explains.

Under the Homeland Security Act of 2002, DHS is required to protect federal facilities as well as the people inside them. As part of that responsibility, DHS’s National Protection and Programs Directorate (NPPD) is in charge of strengthening the security and resilience of U.S. physical and cyber-critical infrastructure against terrorist attacks, cyber events, natural disasters, or other catastrophic incidents.

Yet as a department, DHS lacks a strategy that defines the problem and identifies the roles and responsibilities for cyber risk to building and access control systems, according to the GAO. The report also notes that DHS has failed to analyze the necessary resources or identify a methodology for assessing such risk.

Additionally, the Interagency Security Committee (ISC), the body responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyberthreats to building and access control systems into its Design-Basis Threat report. The report aims to set standards based on leading security practices for all nonmilitary federal facilities to “ensure that agencies have effective physical security programs in place.”

However, cybersecurity has not been added to the report because “recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first,” according to the GAO report. But the office has reported that “incorporating the cyber threat to building and access control systems in ISC’s Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk.”

Furthermore, the General Services Administration (GSA) has not “fully assessed” the risk of a cyberattack on building control systems consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. According to the GAO’s report, GSA has assessed security controls of building control systems but has not fully assessed the elements of risk, such as threats, vulnerabilities, and consequences.

“For example, five of the 20 reports [GAO] reviewed showed that GSA assessed the building control device to determine if a user’s identity and password were required for login, but did not assess the system to determine if password complexity rules were enforced,” the GAO reports. “This could potentially lead to weak or insecure passwords being used to secure building control systems.”

Coleman Wolf, CPP, security lead for global engineering consulting firm ESD, said he was not surprised by the office’s overall findings. “The part that does surprise me is that some of the assessment that is supposed to go on is not going on, or the plans are not in place to conduct those assessments,” says Wolf, who is also the chair of the ASIS International IT Security Council. “I would expect that on the private sector side, but I just thought there were more stringent plans in place on the federal side.”

However, Wolf says he doesn’t think there will be a big drive for changes in assessing the cyber risk of building systems until it begins to affect people at a personal level in their own homes. “As people start to see these kinds of potential consequences, I think people will start to demand more be done to assess and rectify these kinds of threats,” he predicts.

While the private sector begins to focus on building control systems, the public sector is complying with GAO’s recommendation that the appropriate government agencies take steps to assess cyber risks.

“We [at DHS] are working to develop a strategy for addressing cyber risk to building and access control systems,” says S.Y. Lee, a DHS spokesman. “This strategy will utilize best practices and lessons learned from the private sector experiences of the DHS National Cybersecurity and Communications Integration Center’s Industrial Control systems Cyber Emergency Response Team (CERT).”

The ISC is also working with DHS’s US-CERT and ICS-CERT to incorporate potential cyber risks to building and access control systems into the Design-Basis Threat Report and Countermeasures Appendix. As the next step of the process, ISC will meet with GSA and other agencies to plan a comprehensive review of cyber risks to building access control systems.

It will then issue additional guidance to its federal partners on appropriate countermeasures in the next annual review of its Design-Basis Threat Report, which is scheduled for release in October 2015, according to a DHS official.

GSA also agreed with the findings of the report and said it will take “appropriate action” to make sure its assessments of cyber risks to building control systems comply with FISMA and its implementing guidelines, according to a letter included in the report by Dan Tangherlini, a GSA administrator.

However, GSA did not respond to requests for comment before press time on what specific actions it planned to take to address cyber risks.