Cybersecurity

How’s this for a doomsday cyber nightmare: you wake up to the headline that 1,000 smart refrigerators were used to conduct a distributed denial of service (DDoS) attack to take down a critical piece of U.S. infrastructure. This brow-sweating scenario was shared at a conference by Vint Cerf, vice president and chief Internet evangelist for Google, according to a recent Security Management article.

While an attack of this sort is still a dream, reality isn’t far away, say cyber experts. More than 25 billion connected devices are in use worldwide now, and many of these devices are not designed with security in mind.

Nonetheless, security professionals can be held accountable if the unimaginable happens. In the following talks and writings, colleagues from around the world share trends and countermeasures that can keep business out of the headlines.

Each month we offer free resources on our security spotlight topics.
We also offer additional resources only to the ASIS International membership.
Not a member? Join Today!

» View Past Security Spotlight Topics

Free Resources

(access to these materials requires creation of a free ASIS web account)

Data Breaches and Digitization
Seminar Session 2117, September 2016
CSO Center for Leadership and Development
Speaker:

Axel Petri, Senior Vice President Group Security Governance, Deutsche Telekom AG

The speaker opens his remarks by posing this question: Whom do you trust and what would you be willing to pay for being secure? He asserts that security professionals have to influence how various groups would answer that question, including their bosses and society as a whole. He asserts that the Internet has affected the perception of trust, and that everything that can be digitized and connected will be. As a result, he foresees the following trends:

  • Cyber is multidimensional and a part of warfare.
  • Political and industrial espionage, while not new, is affecting smaller and newer companies in unexpected ways.
  • Cyber criminals operate like a business, using conventional ways to attack through honeypots and malware purchased on the black market.

In response, security professionals should do a lot more to counter these threats through such avenues as education, funding, standardization, and encryption. He advocates public/private cooperation to develop cyber SWAT teams that can act immediately when an attack affects a government or company. Ultimately, he feels hopeful about the future of the Internet because the stakeholders have a common goal: “maintaining the Internet as the indispensable and trusted backbone of our digital future.”


“New NIST Guide Helps Small Businesses Improve Cybersecurity”
National Institute of Standards and Technology,
November 10, 2016

This guide is written for small-business owners not experienced in cybersecurity and includes steps they can take to better protect their information systems. The publication walks users through a risk assessment process to help understand their vulnerabilities. Nine specific best practices show companies ways to protect their cyber assets, including:

  • Limiting employee access to data and information.
  • Installing web and email filters.
  • Finding reputable cybersecurity contractors.

Security Management Articles

Security Management, a monthly benefit of ASIS membership, includes a column on cybersecurity in each issue. To review an archive of all articles in this category, log onto sm.asisonline.org and click on the cybersecurity tab. Articles are separated into five categories: cloud security, cybercrime, defenses, mobile security, and social engineering. Occasional features on these topics are included in many issues as well.

The following stories are a sample of what’s been written lately.

“The Top Five Hacks From Mr. Robot—and How You Can Prevent Them,” October 21, 2016
Author: Megan Gates, associate editor
This article is only available on the magazine’s website.

The author contends that the television series Mr. Robot may be doing more to make Americans cyber aware than any official awareness campaign. The premise is straightforward: Elliot Alderson, a young cybersecurity engineer, is recruited by “Mr. Robot” to join a group of hacktivists—fsociety—to target a company, E Corp. In the process, fsociety uses five hacks to attack the company: password cracking, zombie accounts, phishing, physical access, and DDoS attacks. The episodes highlight lessons learned on how to combat each type of attack.

“Rise of the IoT Botnets,” February 2017
Author: Megan Gates, associate editor

This article chronicles how the Mirai botnet, built from compromised IoT devices, took down a major domain name system (DNS) provider in three attacks in quick succession. While Internet users directed to the company’s servers were initially unable to reach affected sites, the company mitigated the third attack without affecting customers. Huge losses in revenue and sales were nonetheless attributed to the attack. The Mirai botnet and others like it take advantage of the lack of security in IoT devices such as DVRs and surveillance cameras, and consumers are largely unaware that their devices may be compromised. The article offers six steps organizations can take to reduce the risk to their IoT devices. Here’s a sample:

  • Keep IoT devices on an isolated network and control access to them.
  • Change all default user accounts and passwords for IoT devices. If they cannot be changed, block them.
  • Review corporate policies that allow employees to bring their own devices to work and connect them to the company network.

Cyber criminals will mount more creative attacks by purchasing DDoS as a service, a growing industry.

“Cyber Trends,” September 2016
Author: Megan Gates, associate editor

The article highlights major issues that will affect the cyber threat landscape in the near future, including a talent shortage, pressure from boards of directors that consider cyber risks their highest priority, and the increased use of encryption by Internet companies. The article also looks at how Brexit might affect data sharing and data privacy agreements among the United Kingdom, the European Union, and the United States.

“How to Protect PII,” February 2016
Author: Lilly Chapa, assistant editor

Personally identifiable information (PII) is a hot commodity for malicious attackers. The information can be used alone or combined with other sources to identify, contact, or locate an individual. Companies may face large fines, legal action, and a damaged reputation if the PII they hold is breached. The article advocates four ways to avoid these consequences: educating employees, segregating duties, using content filtering, and establishing an incident response plan.

“Smart and Secure,” January 2016
Author: Mark Tarallo, senior editor

Securing Smart Cities (SSC) is a not-for-profit global initiative. It aims to address the existing and future cybersecurity problems of smart cities where wireless sensors control an increasing amount of the infrastructure, from traffic lights to the water supply to waste management systems. The SSC initiative has five goals, including collaborating with partners to share ideas, promoting the benefits of introducing security early in a smart city project, and creating standards, guidelines, and other resources to improve smart city cybersecurity.


Mirai Attack — Incident Summary and Recommendations
ASIS Council Leadership
November 4, 2016

In October 2016, a considerable portion of the United States and some parts of Europe were hit with massive distributed denial of service (DDoS) attacks. Hackers were able to effectively take down the internet by overloading the capacity of supporting providers. Their "army" was a multitude of smart devices (connected to the internet with default passwords) that had been infected with purpose-written malware. In response, ASIS Council Leadership released several resources to the public that are normally reserved for ASIS members:

» View the full summary and additional resources


ASIS Members-Only Access

(access to these materials requires ASIS International membership)

After the Data Breach
Seminar Session 2212, September 2016
Speakers:

Richard Wright, CPP, Director of Global Security Operations, VDI, Inc.
Bruce Blythe, Chairman, R3 Continuum
Hart Brown, Vice President, Organizational Resilience, HUB International
Rachelle Loyear, Director of Business Continuity Management, Charter Communications

After examining the business and personal costs of a data breach, the speakers describe a typical response from a legal and IT perspective, which includes auditing and investigating the scope of the breach, compliance initiatives, notifications, and credit monitoring. They conclude, however, that non-traditional responses must be a part of the solution. Using cases of recent breaches as examples, the speakers focus on three specifics:

  • Human factors, including stakeholder outrage, employee concerns, organizational stability, and the four components of a good crisis leader: empathy, expertise, commitment, and transparency.
  • Communications, including notifying affected audiences in a timely way without rushing to conclusions, using clear and transparent messaging, and accessing cyber insurance resources and services.
  • Crisis response, including a coordinated crisis response team that identifies responsibilities and final authorities.

The goal is to prevent day-to-day incidents from becoming a full-blown crisis. Awareness is key: an informed user behaves responsibly and takes fewer risks.


Cyber Risks to IoT and Building Controls
Seminar Session 3213, September 2016
Speakers:

Coleman Wolf, CPP, Security Lead, ESD Global, Inc.
Rodney Thayer, Convergence Engineer, Smithee, Spelvin, Agnew & Plinge, Inc.

After a review of resource documents that address open protocols and IT-centric devices, the speakers focus on the drivers and underlying devices that pose IoT and business control system risks. A list of ten concerns includes the following:

  • System infrastructure is often hidden and out of mind for users, who don’t realize that devices on their computers can be hacked and do something that they were not intended to do.
  • Business control systems are moving toward greater complexity, more layering, and convergence.
  • Accidental failures may degrade a system’s security, and hacking today is easier to do at low cost.

» View the associated handout for this seminar presentation


Cyber-Physical Attacks
Butterworth-Heinemann; Elsevier, 2015
Author: George Loukas
Chapter 4: Cyber-Physical Attacks on Industrial Control Systems
Excerpt courtesy of Elsevier.

This comprehensive chapter begins with a review of threats to supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs), and other systems used in critical infrastructures. The author asserts that these systems are matters of national security in most of the world. The chapter is separated into three sections:

  • A discussion of the most common of these systems, SCADA, and associated threats.
  • A real-world case study focusing on the Stuxnet attack against a uranium enrichment facility in Iran.
  • An examination of the target of state-sponsored attacks, the electric grid, using the Aurora Generator Test as an example.

The chapter is peppered with informative illustrations: for example, one shows three generations of SCADA, with a fourth generation still only a vision based on IoT trends, and another depicts a smart grid architecture with multiple sources of energy, power transmission, a distributed network, and multiple electricity consumers. The illustrations graphically show numerous points of vulnerability in each system.


Additional Seminar Session Excerpts
From the ASIS Seminar Archive
These curated CyberSecurity seminar sessions were first made available to members in early 2016:

  • Using Big Data
    Big data is exploding on business networks, leaving many security practitioners wondering how to create a viable yet secure way to store but still access this vital information.
  • Preventing Data Breaches
    Using a case study approach, Robert Eggebrecht, BEW Global, walks through the process his company employed to zero in on an insider who was responsible for the theft of $30,000 of intellectual property from his high-profile employer.
  • Evaluating a Provider’s Cloud Security
    Companies are increasingly moving large amounts of confidential data to the cloud, often without the knowledge of corporate IT and security staff. These managers must play catch-up to ensure the viability of the cloud service provider’s security processes.

For More Information

(access to selected library materials may require ASIS membership)

ASIS Information Resources Center (IRC) Security Databases & Library Catalog

A comprehensive review of the many international, national, and local resources on cybercrime and cybersecurity has been compiled by the ASIS Information Resources Center (IRC). The PDF provides access to reports, essays, news, and opinions from thought leaders involved in creating policies and practices on such timely topics as the global state of information security, big data breaches, the global cost of cybercrime, best practices in data protection, and the Internet of Things. To access these resources, sign in to the ASIS website and type Information Resources Center Cybercrime and Cybersecurity Information Sources into the search box. You may also view the members-only CyberSecurity IRC Guide curated in early 2016.

Additional resources on these and related topics can be obtained from the IRC. Print items are available for use onsite in the IRC by ASIS International members. Go to the library’s web pages to navigate to the Security Database & Library Catalog.

For more help and search suggestions, email questions to the librarian or fill out our contact form.

Past Relevant Security Spotlights

Previously, ASIS International published these Security Spotlights on issues relevant to CyberSecurity: