Insecure Smart City Systems Could Threaten Public Safety

By Marilia Wyatt

When compromised smart city technology systems have a physical risk element, there is a lot at stake for public safety.

The CyberPrivacy Brief:

  • Smart city technology is being built without basic security protections and rolled out in cities with vulnerabilities, researchers say.
  • The flaws could enable attackers to take control of systems to manipulate data and significantly compromise public safety.
  • The devices are easy to exploit because their location, their function, and the minimal security protections they shipped with are all readily discoverable, they add.
  • An attacker with the intent to incite chaos could create far greater impact with minimal effort if cybersecurity of sensors and controls is not strengthened, they advise.

Why it matters: A smart city embeds information and communication technologies (ICT) within government systems and connects components across the city. These include Internet of Things sensors, open data collection, and other smart technology capabilities intended to enhance services and increase operational efficiency. Sensors can monitor air quality, traffic, radiation, and water levels, and can automatically drive services like street lights, security systems, and emergency alerts. Because these systems are highly interconnected and deliver services to the public, a compromise can carry a physical risk element, which makes robust security standards for them a matter of public safety.

Smart city and Internet of Things, wireless communication network, abstract image visual. Source: Information Age

17 vulnerabilities found and responsibly disclosed. The August 2018 whitepaper from security researchers at IBM X-Force Red and cybersecurity firm Threatcare revealed that the systems lacked basic security protections and had various flaws, including these three common issues:

  • Default, publicly known passwords, with no requirement that users set a secure password.
  • Authentication bypass flaws that would allow an attacker to skip the login page and reach the administrative-level menu, gaining access that should not have been available to them.
  • SQL injection flaws that would allow malicious input to manipulate the database into revealing information it shouldn’t, such as usernames, passwords, and confidential data.
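To make the three flaw classes concrete, here is an added Python example (not code from the IBM X-Force Red/Threatcare report or from any real device): a simulated device login and admin page in the vulnerable shape described above, beside a hardened version. The users table, the URL paths and the FACTORY_DEFAULT value are constructed for illustration.

```python
"""Added example (not from the report): simulated smart-city device web login,
vulnerable form beside hardened form, for the three flaw classes listed above."""
import hashlib
import hmac
import os
import sqlite3

FACTORY_DEFAULT = "admin"  # constructed: the password the device ships with


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample users table: the admin account is still on the default."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, salt BLOB, "
               "pwhash BLOB, must_change INTEGER)")
    salt = os.urandom(16)
    # 'pw' is the plaintext column the vulnerable code reads;
    # 'salt'/'pwhash'/'must_change' are what the hardened code reads.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
               ("admin", FACTORY_DEFAULT, salt, _hash(FACTORY_DEFAULT, salt), 1))
    return db


# ---- vulnerable handlers: the as-found behaviour the report describes ----
def vulnerable_login(db, name, password):
    # SQL injection: the query is built by string formatting, so the
    # password field can change the query's logic instead of being data.
    q = f"SELECT name FROM users WHERE name='{name}' AND pw='{password}'"
    row = db.execute(q).fetchone()
    return row[0] if row else None


def vulnerable_admin_menu(db, path, session_user=None):
    # Authentication bypass: the admin page never checks for a session,
    # so requesting its path directly skips the login page entirely.
    return "admin menu" if path == "/admin.cgi" else "login page"


# ---- hardened handlers ----
def hardened_login(db, name, password):
    # Parameterized query: the driver binds the values, so input cannot
    # alter the SQL. Comparison is constant-time against a salted hash.
    row = db.execute("SELECT salt, pwhash, must_change FROM users WHERE name=?",
                     (name,)).fetchone()
    if row is None:
        return None
    salt, pwhash, must_change = row
    if not hmac.compare_digest(_hash(password, salt), pwhash):
        return None
    if must_change:
        # Factory default still set: grant nothing except a password change.
        return "must_change_password"
    return name


def set_password(db, name, new_password):
    """Reject the factory default and trivially short passwords; clear the flag."""
    if new_password == FACTORY_DEFAULT or len(new_password) < 12:
        return False
    salt = os.urandom(16)
    db.execute("UPDATE users SET salt=?, pwhash=?, must_change=0 WHERE name=?",
               (salt, _hash(new_password, salt), name))
    return True


def hardened_admin_menu(db, path, session_user=None):
    # Every privileged page re-checks the session, not only the login page.
    if session_user is None:
        return "login page"
    return "admin menu" if path == "/admin.cgi" else "login page"
```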

‘Dangers’ of smart city hacking. The report highlights areas of potential risk and impact if smart city systems are compromised:

  • Attackers could send out false emergency alerts, triggering panic among citizens;
  • compromise public safety by blocking warnings about real dangers;
  • cause city officials to allocate resources to nonexistent issues.

The report further raises concerns about attackers reusing, against smart city sensors and controls, the strategies and tools they have used on industrial control systems (ICS), in order to damage the critical systems that run plants and utilities. “If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” said Daniel Crowley, research director at IBM X-Force Red, in a blog post.

Recommendations: The report advises city leaders, manufacturers, and cybersecurity leadership to improve frameworks by taking action in the following areas:

  • Prioritizing cybersecurity by re-examining the vendors’ standard protocols.
  • Building adequate cybersecurity frameworks for these systems.
  • Developing standard best practices for patching software security flaws.
  • Vendors adding network port restrictions and stronger password controls to make sure the systems are accessible only by authorized users.
  • Vendors and city officials running security tests and IP scans on devices and networks to provide an extra level of protection against unauthorized access and manipulation.

There is no easy way to patch a smart city, because devices are often connected to legacy operating systems that never received a proper security risk audit before being connected to the internet, researchers say. But there are still proactive steps city officials and manufacturers should take. For instance, manufacturers should build products that are secure by design, and city officials should have processes in place for vulnerability patching and should ensure city vendors adhere to proper cybersecurity requirements and standards, the report says.

Commentary & Analysis

There is no silver bullet. As smart cities grow, city officials should maintain detailed incident response plans and practice them. Preparation helps city officials identify gaps in plans, clarify roles and responsibilities, work out difficult decisions in advance, and test policies and lines of communication before mayhem strikes.

4 Ways Businesses Can Up Their Game Against Insider Threats

By Marilia Wyatt

  • Enhance business cybersecurity against insider threats by keeping rules for employees simple and easy to understand.
  • Customize effective security training and guidance for employees by following the same playbook that attackers use.
  • Foster an open environment for information sharing among IT and security teams and employees to enhance security.
  • Eliminate rules that complicate password practices for employees.

“One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose,” says Maarten Van Horenbeeck, VP of Security Engineering at Fastly, in the Harvard Business Review.

According to Horenbeeck, who served in Amazon’s Threat Intelligence Team and held security roles at Google and Microsoft, businesses can better equip employees against targeted attacks by taking the following steps:

Use attackers’ playbook: improve security training to focus on attackers’ tactics

IT personnel, or whoever is in charge of employee security training, can customize sessions to teach employees what an attacker would actually do in a targeted campaign. Horenbeeck calls this method “teachable moments” because it provides focused information to specific individuals in a way that’s applicable to them.

He adds that current training techniques tend to overwhelm employees with general guidance and comprehensive information during mandatory half-day security training sessions. Long, mandatory training sessions are typically ineffective because many people tune out due to information overload.

“…The most dangerous phishing emails — spear phishing attacks that are targeted at high-value employees — work because they are customized to fool exactly the person they are sent to. Requests for tax information and fake wire transfer requests look like they are sent from the CEO or CFO to someone in the finance department using the appropriate language,” Horenbeeck explains.

Eliminate rules that complicate password practices for employees

New guidelines by the National Institute of Standards and Technology (NIST) advise businesses to allow the use of password managers so that employees are able to paste passwords into fields.

The guidelines also recommend using multi-factor authentication and key fobs.

Foster open culture among employees, the IT department, and security team to enhance information sharing for improving cybersecurity

Horenbeeck explains, “The security and IT teams need to be seen as trusted and helpful advisors to employees, instead of as regulators.” To improve this dynamic, he recommends that businesses increase opportunities for interaction between employees and IT.

This relationship can be cultivated through regular office hours, reducing the negative cultural and security effects that animosity between IT staff and general employees can produce.

IT staff should not treat employee questions and help requests as “annoyances” and employees should not treat IT and security staff as regulators.

The key takeaway is for all to work together to enhance cybersecurity as a unit

As the 2017 Verizon Data Breach Investigations Report reveals, employee alerts are one of the most common ways cyberattacks are discovered. Providing employees with the information and tools they need to identify attacks is therefore a major part of a business’s security program.

Ohio Lawmakers Propose Legislation To Provide Businesses Data Breach Defense In Court

By Marilia Wyatt

Proposed legislation in Ohio seeks to incentivize businesses to voluntarily adopt a cybersecurity framework in return for an affirmative defense or “safe harbor” in court should a data breach still occur.

Senate Bill 220, the Data Protection Act, was introduced Oct. 17 by State Sens. Bob Hackett (R-London) and Kevin Bacon (R-Minerva Park).

The point is for Ohio businesses to be proactive in instituting certain defenses to guard against data breaches.

Importantly, the bill does not create a minimum cybersecurity standard for businesses to achieve or impose liability for not obtaining or maintaining one; instead, it intends to provide an evolutionary standard for business risk.

To meet the safe harbor requirements, businesses must create, maintain, and comply with administrative, technical, and physical safeguards for the protection of personal data, using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology or another industry-recognized information security framework.

Further, a judge would be responsible for determining whether a business qualifies for the safe harbor provision, states data protection attorney Brian H. Lam in The National Law Review.

The legislation is part of state Attorney General DeWine’s CyberOhio Initiative. Launched in 2016, its objective is to provide Ohio businesses with support on cybersecurity issues to enhance their success, according to the website.

“As businesses beef up their cybersecurity, consumers will benefit from the additional protection as well,” explained DeWine, who endorsed the legislation in a statement.

CyberPrivacy will continue to monitor this pending legislation and give our readers an update as it unfolds.

Further Reading:

Proposed Ohio Law May Encourage Businesses to Adopt Cyber Standards

Data Protection Act Will Incentivize Cybersecurity to Protect Consumer Data

Lawmakers Offer Legal Carrot to Defeat Data Breaches

Quantum Encryption Could Protect U.S. Electric Grid From Cyberattacks, Experts Say

By Marilia Wyatt, CyberPrivacy

To protect U.S. electric grids from cyberattacks, cybersecurity experts testifying before the Senate Energy and Natural Resources Committee on Oct. 26 urged moving the grid off the public internet and using quantum encryption capabilities.

The experts also called for greater government participation and for coordination between the public and private sectors.

An archived video of the testimony from representatives of the Pacific Northwest, Oak Ridge, and Idaho National Laboratories, Qubitekk, and New Context Services is available here.

U.S. Sen. Lisa Murkowski, (R-Alaska), chairman of the Senate Committee on Energy and Natural Resources, said there is significant research underway to enhance the safety and reliability of U.S. energy systems. “Whether it is the application of quantum encryption, artificial intelligence, or moving control of grid infrastructure off of the public internet,” she noted in a statement.

Targeted attacks are increasing against organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors, warned a recent technical alert from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The goal of the campaign is to compromise networks with malicious emails and websites to obtain credentials for accessing computer networks.

Historically, energy sector attacks have had outcomes ranging from espionage operations to the disruption of energy systems, according to the report.

Relatedly, Symantec in September detailed a resurgence of energy sector attacks, with the possibility of sabotage, linked to the re-emergence of the Dragonfly espionage group, which has been in operation since about 2011.

“The energy sector in Europe and North America is being targeted by a new wave of cyberattacks that could provide attackers with the means to severely disrupt affected operations,” the cybersecurity enterprise said in a blog post.

The campaign is “still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” according to Homeland Security.

In July, the Cisco Talos Intelligence team wrote about email-based attacks targeting the energy sector using a toolkit called Phishery.

Further Reading:

Public Power to Participate in DOE-Funded Grid Resilience, Cybersecurity Projects

Quantum Encryption Could Protect Electric Grid

How An Entire Nation Became Russia’s Test Lab for Cyberwar

U.S. House Approves the NIST Small Business Cybersecurity Act

By Marilia Wyatt

The U.S. House of Representatives on Oct. 11 approved the NIST Small Business Cybersecurity Act (H.R. 2105), sponsored by Rep. Daniel Webster (R-Fla.) and co-sponsored by Rep. Lamar Smith (R-Texas), according to a statement by the House Committee on Science, Space, and Technology. The companion bill, S.770, was approved by the U.S. Senate on Sept. 28.

“[H.R. 2105] calls on the National Institute of Standards and Technology (NIST) to provide small businesses with guidance to help them identify, assess, manage and reduce their cybersecurity risks,” the press release explained.

Specifically, H.R. 2105 does the following:

  • Directs the NIST director, in consultation with heads of other federal agencies, to disseminate within a year of the act’s enactment clear and concise guidelines, tools, best practices, standards and methodologies, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, to help small businesses identify, assess, manage and reduce their cybersecurity risks
  • Clarifies that use of such guidance by small businesses is voluntary
  • Directs the NIST director and heads of federal agencies that so elect to make the guidance available on their government websites
  • Specifies that funds to carry out this act are authorized out of existing spending

Commenting on the legislation, Rep. Webster noted: “Small businesses are especially vulnerable, with some reports noting that 43 percent of cyber-attacks specifically target. These small businesses are more susceptible to attacks due to the limited access to the tools they need to prepare for such an event. As the owner of a multi-generational small business, I know what small businesses can accomplish when equipped and empowered with the right tools. Recently, when my own business was attacked, I experienced the havoc a hacker can cause and the importance of cybersecurity. This bill will provide small businesses in my district, state and across the country with the tools they need to meet the threats and challenges of the modern world.”

Chairman Smith of the House Committee on Science, Space, and Technology added: “Small businesses account for more than half of all U.S. jobs, including nearly four and a half million in my home state of Texas. While many small businesses do not have the expertise to protect their computer systems and confidential information, it is crucial to our economy and our citizens’ security that these businesses secure their data. Congressman Webster’s NIST Small Business Cybersecurity Act helps achieve this goal by using NIST’s global cybersecurity expertise and requiring NIST to provide small businesses with guidance on identifying risks of cyber-attacks. October is National Cybersecurity Awareness Month and it is appropriate that Congress consider legislation to protect small businesses from cybersecurity attacks.”

New York Cyber Task Force Recommends Strategies For ‘Building a Defensible Cyberspace’

“Offense has overwhelmed defense [leading] to a sense of helplessness . . . If we accept defense is futile because offense always wins, then we all stop trying as hard. We focus on cleanup instead of prevention.” – Jeff Moss (aka The Dark Tangent), Founder of DEF CON and the Black Hat conferences

By Marilia Wyatt

Creating a more defensible, agile, and resilient cyberspace is achievable, “but only through leverage innovations that give defenders the most advantage at the greatest scale at least cost,” according to a new report released Sept. 28 by the New York Cyber Task Force, organized by Columbia University’s School of International and Public Affairs.

The report, entitled Building a Defensible Cyberspace, drew on 30 senior-level experts from New York City and elsewhere. It urges transparency, risk-based governance, and increased use of cloud computing and other new technologies, and it emphasizes the significance of federal funding, collaboration across sectors, and flexibility and resilience.

Recommendations include:

For the U.S. Government:

  • Create a new cyber strategy based on leverage
  • Focus on transparency and risk-based governance, especially where these align market forces
  • Migrate to cloud & other new techs which will deliver leverage
  • Use federal funding to support leverage in the private sector

For IT and Security Companies

  • Never stop implementing the highest leverage innovations
  • Don’t just share, but collaborate, including with funding to non-profits doing critical work

For IT-Dependent Organizations

  • Start from the board down, not the technology up
  • Leverage the most high-leverage innovations
  • Emphasize agility and resilience, two of the most general-purpose investments available

Cybersecurity Is ‘A Battle of Innovation As Attack Surfaces Grow’

Cybersecurity is a battle of innovation as attack surfaces grow, attackers nimbly evolve their approaches, and defenders are challenged to close the windows of exploit.

Watch Cisco Chief Security and Trust Officer John N. Stewart and David Ulevitch, Vice President and General Manager of Cisco’s Security Business Group discuss key insights and findings from the Cisco 2017 Annual Cybersecurity Report.

Download the full report published January 2017

Source: Cisco News Room 

Towards an Internet Free of Censorship II: Perspectives in Latin America

The development of the internet brings new opportunities, challenges and problems that require creative solutions, capable of promoting further development, investment and sustainable growth while fairly and squarely guaranteeing the rights of users. This new compilation of articles addresses some of the most salient issues on the Latin American legislative and regulatory agenda for the internet. These are complex and thorny issues that have generated intense debate among scholars, legislators, practitioners, engineers, companies and users. The first article, authored by Carolina Aguerre, analyzes internet governance and the different local models developed in Latin America to assess their efficiency and impact. The second article, by Daniel Alvarez Valenzuela, offers an introduction to cyber security, highlighting the need to incorporate a human rights perspective into its development. The third and fourth articles address zero-rating: Luca Belli explains the deep connection between access to the internet and zero-rating policies, and Arturo Carrillo analyzes zero-rating under the Inter-American system’s three-part test of legality, necessity and proportionality. Last but not least, the fifth and sixth articles offer two different approaches to the “right to be forgotten”: Daphne Keller analyzes the European Directive and its (in)applicability to the Latin American context, and Nelson Remolina reviews and criticizes the jurisprudence on the issue from the data protection perspective.

Paper ‘Rethinks’ Privacy Self-Management and Data Sovereignty for Individual Control of Big Data

CyberPrivacy Brief:

  • In conjunction with the Bertelsmann Foundation, the Center for Democracy & Technology released a paper that analyzes how data-protection legal regimes rooted in principles of individual control have been challenged by the rise of large-scale data collection and processing in a rapidly evolving digital environment.

With a focus on data sovereignty, the paper evaluates approaches that could meet the requirements of big-data technologies and provide possible new alternatives for policy regimes to achieve individual control of data.

New Research Reveals Top Five Impediments to Cybersecurity Framework Implementation

Carried by Business Wire

Tenable Network Security®, Inc., a global leader in cybersecurity, and the Center for Internet Security® (CIS), a nonprofit that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats, released findings today from their co-sponsored Cybersecurity Frameworks and Foundational Security Controls Survey, which shows 95 percent of organizations face significant challenges when implementing leading cybersecurity frameworks.

The survey tallied responses from more than 300 primarily U.S. and European IT security decision makers from organizations of various sizes and representing 15 industry verticals to better understand the adoption and maturity of cybersecurity frameworks and their underlying security controls. According to survey data, three out of the top five impediments to cybersecurity framework implementation were technological in nature, suggesting a need for software solutions that can automate and simplify cybersecurity framework adoption.

The top five impediments to cybersecurity framework implementation were reported as follows:

  1. Lack of trained staff
  2. Lack of necessary tools to automate controls
  3. Lack of budget
  4. Lack of appropriate tools to audit continuous effectiveness of controls
  5. Lack of integration among tools

“Cybersecurity frameworks are a good way for IT security professionals to create a solid baseline for measuring security effectiveness and to meet compliance requirements, but it can be a challenge to do this without the tools, talent and support from executive leadership,” said Cris Thomas, strategist, Tenable Network Security. “Having the proper tools and intuitive reporting features in place not only improves overall cybersecurity, but also can help organizations eliminate some of the staffing and budget problems by automating the implementation and integration of their security frameworks.”

Despite reported obstacles, respondents who have adopted security frameworks see clear benefits, including compliance with contractual obligations (47 percent), achieving measurable security improvements (43 percent), improved maturity and effectiveness of security operations (43 percent) and the ability to more effectively demonstrate security readiness to business leadership (41 percent).

While comprehensive framework adoption can be time-intensive, notable progress is possible within specifically defined timeframes. In fact, survey data show that among companies that have started adopting a cybersecurity framework more than a year ago, 35 percent have automated 11 or more of the 15 foundational subcontrols. Even among those who have begun framework adoption less than a year ago, 25 percent of organizations have automated six or more subcontrols — an increase of 15 percentage points — indicating signs of continued improvement.

“A resilient cybersecurity program starts with a strong foundation of actions found in every cybersecurity framework, like having control of hardware and software assets, continuous assessment of vulnerabilities, and control of administrative privileges,” said Tony Sager, senior vice president and chief evangelist of CIS. “Based on this survey, we know security pros are working hard to put these controls in place, but they are still struggling to get resources and management support to move beyond human-intensive controls and paper policies. We need to accelerate moving toward automation of these controls as organizations continue to adopt industry frameworks. Additionally, many organizations are successfully using the CIS Controls as a management tool to help them succeed with their adopted frameworks.”