How to Build a Security Operations Center (SOC) on a Budget
Get an in-depth look at how organizations with limited resources can set up a successful operations center for monitoring, detecting, containing, and remediating IT threats across applications, devices, systems, networks, and locations. Get all 5 Chapters in 1 eBook. Download your free copy now.
October 21, 2019.
2019 ICS Cyber Security Conference
We're in Atlanta this week for the 2019 ICS Security Conference, which opened this morning. We'll have notes and updates throughout the duration of the conference. This morning we had the opportunity to hear presentations on the state of operational technology (OT) security and on the risk social engineering poses to industrial control systems.
The state of OT security: the good, the bad, and the ugly.
Mark Carrigan, COO of PAS Global, used his Eastwoodian title to sum up the mixed state of industrial control system security. He saw the good as increased signs of cooperation between OT and IT, with OT beginning to catch up to IT, particularly with respect to access management. Across the industry, he said initiatives have tended to focus on the right things: visibility, audits, and security awareness programs. And above all, companies now understand that OT security deserves investment.
The bad? Attacks on OT are no longer simply collateral damage from attacks against IT systems. The adversaries, especially nation-state threat groups, are now researching OT systems and developing attacks designed specifically for those systems. And unfortunately companies remain reluctant to share information about attacks.
And then there's the ugly, chiefly the confusing OT security market and the tendency companies have to fixate on "shiny objects," the latest buzzwords and trends. We also find, Carrigan observed, that solution results seem to fall short of expectations, and too much information overwhelms understanding. Too much focus on detection is also ugly: basic protection and recovery mechanisms "can have massive risk reduction."
He closed with four pieces of advice: "Fundamentals matter. Don't chase the shiny object. Integration is key. Industrie 4.0 is coming--get ready."
Social engineering and critical facilities: attack the human, not the technology.
Chad Lloyd, Security Architect, Schneider Electric, began by pointing out that compromising a system very often starts with compromising a human being. Studies indicate, he said, that 97% of cyberattacks try to trick a human being. He reviewed principles of social engineering, and emphasized that social engineering enables an attacker to bypass cyber defenses in depth and physical security measures. He pointed out a mismatch between IT and OT. IT worries about confidentiality, integrity and availability. OT, by way of contrast, is concerned with safety, availability and integrity (which together make up reliability), and only then confidentiality. Social engineering will seek to exploit these different interests.
After a description of how social engineers pull off their confidence games, Lloyd offered some general considerations for making an organization more resistant to this threat. He recommended instituting a security awareness program with a primary focus on social engineering. Do a baseline assessment, and target training to risky positions. Make the training short, interesting, and interactive. He recommended that organizations include social engineering in risk assessments and penetration tests, and extend such assessments to third parties.
With respect to technology, Lloyd suggested that organizations consider control escalation and mutual control. Two-factor authentication is valuable. He urged that enterprises not permit unmanaged devices on their networks. Endpoint security is valuable (but he cautioned that this isn't a panacea, and that organizations shouldn't rely on it exclusively). One-way sneaker-netting and unidirectional data diodes are also useful.
In sum, he agreed with Carrigan: attention to the basics matters. And those basics include training.
By the CyberWire staff
Another example of the difficulty of attribution may be found in a joint report issued today by the UK's NCSC and the US NSA. The agencies find that the Russian government group Turla (also known as "Venomous Bear," "White Bear," "Snake," "Waterbug," and "Uroburos") hijacked Iranian tools to mount an effective false-flag operation in which Turla effectively posed as APT34 (or "Helix Kitten"). The espionage operation not only used APT34 backdoors, but also prospected known APT34 victims. According to Reuters, the NCSC says it's not aware of any official attributions influenced by the misdirection, but officials point out that the discovery should serve as a cautionary tale against hasty attribution. (Compare a similar false-flag during the Winter Olympics, when Russian services impersonated North Korean operators. WIRED is running a long series on that incident.)
Often there's uncertainty with respect to whether an incident involves a cyberattack at all. A social media report out of Iran yesterday said that a refinery fire in that country was caused by a cyberattack, but these reports remain unconfirmed (and the tweet's own assertion of confirmation doesn't count). Reuters, sourcing Iranian state media, said there was a fire in a canal carrying waste from the Abadan refinery, but that the fire was under control. Dragos counsels caution in accepting reports of a cyberattack at face value. After all, while cyberattacks can and have caused physical damage, accidents do happen.
The Telegraph reports that British police will soon begin predicting hate crimes on the basis of Twitter content.
Today's issue includes events affecting Australia, Canada, China, Estonia, Ethiopia, Holy See, Iceland, India, Iran, Democratic People's Republic of Korea, Mongolia, Russia, Ukraine, United Kingdom, United States, and Zimbabwe.
Bring your own context.
The SOHO routers used in homes and small businesses have given attackers points of entry for some time. Have the manufacturers made significant progress in securing them?
"I would say we have not come very far at all. While these manufacturers have made attempts to implement security controls that not only make it harder to reverse engineer the devices, but in some cases are actual legitimate attempts to protect against vulnerability classes, we were still able to exploit, remotely, most of these devices – twelve out of thirteen – and get root shells on them. So, I would say that the progress that these manufacturers have made is insufficient."
—Shaun Mirani, security analyst at Independent Security Evaluators, on the Research Saturday, 10.19.19.
So it would seem that SOHO security remains a work in progress.
The modern workplace is infiltrated every day — bring your own device policies and increased vendor access have introduced a whole new layer of cyber risk to the office environment. Since no vendor or customer should be automatically trusted, Zero-Trust frameworks have become more prevalent. How can organizations best protect themselves and their networks? Join LookingGlass’ Eric Olson & James Carnall for a webinar discussing best practices and war stories at 1 pm ET October 31, 2019.
Georgetown University Programs in Cybersecurity Webinar (Online, October 29, 2019) We invite you to learn more about the Master's and Graduate Certificate in Cybersecurity Risk Management at Georgetown University. Our programs prepare you with hands-on practice developing and executing integrated strategies, policies, and safeguards to manage cybersecurity risks across an enterprise. Register for a free webinar on October 29 at noon ET to learn more.
IMAGINE, A MISI salon-style bespoke dinner event (Columbia, Maryland, United States, November 1, 2019) IMAGINE a world where more young women can see themselves in the faces of the legendary women of science & technology – and say, "Yes I can!" The event on November 1 is a fundraiser in support of the region's unique and inclusive STEM program and will be held at the DreamPort Facility in Columbia, Maryland. While its focus is on under-represented young women, young men are also included in MISI's STEM programs.
Cyber Security Summits: November 6 in Boston and November 21 in Houston (Boston, Massachusetts, United States, November 6, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, Google, IBM, Verizon, Center for Internet Security and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Your full day’s attendance will earn you 6 CEUs. Passes are limited, secure yours today: www.CyberSummitUSA.com
NXTWORK 2019 (Las Vegas, Nevada, United States, November 11 - 13, 2019) Join us at NXTWORK 2019 to learn, share, and collaborate with GameChangers from companies across the networking industry. This year’s event features keynotes from Juniper executives, as well as special guest speaker Earvin “Magic” Johnson, along with 40+ breakouts and master classes led by Distinguished Engineers, as well as various opportunities for certification testing and training.
Claims of a Cyber Attack on Iran's Abadan Oil Refinery and the Need for Root Cause Analysis | Dragos (Dragos) On October 20th, 2019, the Twitter account @BabakTaghvaee posted that there was a fire at the Abadan Oil Refinery in Iran; notably, the account claimed that the fire was the result of a confirmed cyber attack. A video was posted of the fire, and the news organization Reuters had posted about the fire just prior to the tweet as well. The purpose of this blog is to add some context to such events for the purpose of avoiding hype, but also to clearly point out a gap in the industrial cybersecurity community around root cause analysis and the importance of setting forth a strategy across collection, visibility, and detection to ever get to the point where response scenarios can account for such processes.
Zimperium finds massive security and privacy breaches in all top travel apps (Gadget Guy Australia) Zimperium has found massive security and privacy breaches in the 30 most used travel and price comparison apps. Zimperium (report here) found that, of the 30 most used apps, 45% of Android apps and 100% of iOS apps get a failing grade in protecting users’ privacy and that 97% of Android apps and 100% …
James Bond today would be an analyst: Intel Chiefs (Deccan Herald) Hollywood may have long tried to glamorize the business of spycraft, but in real life, James Bond would be an analyst poring over reams of data, rather than a man of action causing havoc in the field, intelligence chiefs said.
Booz Allen, National Technical Information Service to Support Joint AI Center (Valdosta Daily Times) Booz Allen today announced that the firm has entered into a letter agreement, under its joint venture partner agreement with the U.S. Department of Commerce’s National Technical Information Service (NTIS), to assist the U.S. Department of Defense’s (DoD) Joint Artificial Intelligence Center (JAIC).
The Need for a Cybersecurity Paradigm Shift (Stripes Korea) Cyber threats against federal agencies, including across the Department of Defense and the U.S. Navy, are increasing in frequency, sophistication and impact, opening to attack vast amounts of sensitive data housed on government information technology systems and the nation’s critical infrastructure.
What infosec pros can learn from Tony Stark (IT World Canada) Infosec pros usually toil unappreciated in organizations, often fighting sometimes losing battles against well-armed opponents, and sometimes seemingly deaf employees. They ache
Boeing ‘knew of 737 Max flaws’ before crash (Times) Boeing appeared to know about problems with a flight control system on board its 737 Max aircraft nearly two years before its malfunction caused or contributed to a fatal crash in Indonesia. The...
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Industrial Control Systems (ICS) Cyber Security Conference (Atlanta, Georgia, USA, October 21 - 24, 2019) SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze...
PCI SSC 2019 Europe Community Meeting (Dublin, Ireland, October 22 - 24, 2019) The PCI Security Standards Council’s 2019 Europe Community Meeting is the place to be. We will provide you with the information and tools to help secure payment data. We lead a global, cross-industry effort...
Omaha Cybersecurity Conference (Omaha, Nebraska, USA, October 24, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...
Florida Cyber Conference 2019 (Tampa, Florida, USA, October 24 - 25, 2019) Join hundreds of stakeholders from Florida's cybersecurity community and beyond for innovative content, in-depth discussion, hands-on demos, networking, and more! With more than 20 breakout sessions across...
National Security Leaders Symposium (Naples, Florida, USA, October 27 - 29, 2019) If there is anything that unifies CISOs, change is the one constant. For 2019, the focus is on the rapid evolution of the security industry, the rising tide of visibility on security organizations, and...