ASIS joins the U.S. Department of Homeland Security and the E.U. Agency for Network and Information Security (ENISA) in recognizing October as Cybersecurity Awareness Month. The following ASIS information security and privacy resources can help you, your organization, and your communities stay safe online.
Have a specific cyber security question? Reach out to an ASIS Information Technology Security Council member on ASIS Connects.
ASIS International Education Recordings
Top 10 Things You Must Do To Protect Security Systems from Cyber Attacks - GSX 2018
Dave Tyson, CEO, CISO Insights
Discuss important issues, approaches, and examples of how security technology gets hacked, and define a roadmap to greatly reduce the risk. Examine real-world techniques you can take back to your organization to improve your security, explained in plain English without the techie talk. Understand how cyber-attacks are carried out and how the Top 10 steps can greatly reduce the risk to security systems such as CCTV, access control, and alarms, whether on premises or in the cloud.
Winning the Red Queen's Race by Changing the Course - GSX 2018
Candace Worley, Vice President and Chief Technical Strategist, McAfee
The Red Queen’s Race, that feeling of running faster and faster just to stay in place, is real in cyber security. In this game of cat-and-mouse, the push and pull between bad actors and good actors is constantly changing. The bad actors move first and have fewer constraints, giving them a clear advantage. By the time many organizations deploy the latest cybersecurity defenses, their effectiveness will have deteriorated significantly since adversaries have time to develop new evasion techniques. Learn how to change the game to one where the good actors can win by moving faster to reduce the effectiveness of new attacks.
GRC's Role in an Enterprise-Wide Cyber Event - GSX 2018
Keith Flannigan, Executive Director, International Dynamics Research Corporation
Ron Lander, Chief Specialist, Ultrasafe Security Solutions
Significant enterprise-wide cyber events continue to place enterprises at great risk. Governance, risk, and compliance (GRC) functions play a critical role in preparing for, preventing, detecting, responding to, and recovering from such events. Using the 2017 NotPetya wiper malware as a case study, come away with lessons learned for GRC professionals. Reported losses to two public firms totaled 300 million dollars each. Participate in an overview of the malware and the novel techniques used to deploy it. Lessons learned show why any organization can be a target.
Threats Are Hiding in Encrypted Traffic on Your Network - ASIS 2017
Manoj Sharma, World Wide Solutions Architect, Symantec
Mark Sanders, Lead Security Architect, Americas, Venafi
Today, most attacks use SSL/TLS to hide malicious activity, getting malware in and sensitive data out. Receive new 2017 research on threats and preparedness that provides a vendor-neutral evaluation of how architectures need to continue to evolve to defend against today’s cyberattacks. Hear lessons learned on how to maintain SSL/TLS inspection for fast IT services, such as DevOps, in which rapid delivery is essential. Cybercriminals use SSL/TLS to hijack the blind trust that most security controls grant to SSL/TLS-encrypted traffic. Many of these attacks go undetected for years, and, for those that are detected, details about the attack and how it was remediated are seldom shared.
The Growth of Ransomware and What Businesses Can Do to Protect Themselves - ASIS 2017
Ara Aslanian, Founder & CEO, Inverselogic Inc. & Reevert Software
The talk begins with an introduction and leads into an explanation of what ransomware is. Following that, personal client experiences with ransomware attacks are discussed. Ara discusses the setbacks that clients have experienced before jumping into important details about what ransomware is, who it affects, and how to guard against it.
After the Data Breach – ASIS 2016
Richard Wright, CPP, Director of Global Security Operations, VDI, Inc.
Bruce Blythe, Chairman, R3 Continuum
Hart Brown, Vice President, Organizational Resilience, HUB International
Rachelle Loyear, Director of Business Continuity Management, Charter Communications
After examining the business and personal costs of a data breach, the speakers conclude that non-traditional responses must be a part of the solution, focusing on human factors, communications, and a coordinated crisis response team that identifies responsibilities and final authorities. The goal is to prevent day-to-day incidents from becoming a full-blown crisis. Awareness is key: an informed user behaves responsibly and takes fewer risks.
ASIS Council Resources
ITSC Top 6 Control Systems Security Recommendations
ASIS Information Technology Security Council
These recommendations advocate using vendor best practices on system deployment, treating data within physical security infrastructure as sensitive enterprise data, and instituting system documentation, planned maintenance, and oversight of vendor supply chains.
Security Management Articles
“Cities are the New Ransomware Target” – September 2019
Over the course of 12 days in March, cyber actors launched an attack against the City of Atlanta and succeeded in infecting its systems with ransomware. Iranians Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri allegedly coordinated to carry out a SamSam ransomware campaign on the city. Their efforts caused roughly 3,789 computers to be infected with ransomware—encrypting the data they stored, disrupting systems they operated, and demanding payment to have the data and services returned to normal. The malicious actors also gave Atlanta options to decrypt their data—0.8 Bitcoin per computer or 6 Bitcoin to decrypt all affected computers, roughly $50,000.
In today’s era of tabloid frenzy, it’s rare for a celebrity event to be shocking. But that was the case when news outlets reported in October 2016 that a group of thieves broke into Kim Kardashian West’s hotel room in Paris, bound and gagged her, and stole millions of dollars’ worth of jewelry from her. Months later in January 2017, police arrested 10 individuals allegedly involved in the robbery—including mastermind Aomar Ait Khedache. In an interview with Le Monde, Khedache explained that the group of thieves targeted Kardashian West after she posted photos on social media of her jewelry collection and updates about her trip to Paris for fashion week.
“The Cost of a Connection” – February 2019
Kevin Patrick Mallory served in the U.S. military, worked as a special agent for the U.S. State Department Diplomatic Security Service, and later as a CIA case officer, often stationed around the world to work with defense contractors and on U.S. Army active duty deployments. He had a Top Secret security clearance and was fluent in Mandarin. He was also convicted of espionage for passing information to an agent of the People's Republic of China (PRC). How did Mallory and the agent initially connect? Via LinkedIn, when the operative, called Michael Yang, reached out to Mallory, posing as a representative of a PRC think tank, the Shanghai Academy of Social Sciences, and requested to meet with him.
“Artful Manipulation” – September 2018
Chief financial officer Malcolm Fisher never thought he would be victimized by cybercrime—until a social engineer successfully impersonated him and bilked his company out of more than $125,000. It was relatively easy for the criminal to identify Fisher as a high-value target given his key position within the company—his bio was readily available on the company website. And Fisher's social media profiles on Facebook, Twitter, and LinkedIn revealed several bits of information that marked him as a dream target for a diligent social engineer.
“How to Hack a Human” – January 2018
It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash. Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms. Mia was not a real person, but a carefully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed.
ECSM is the EU’s annual awareness campaign that takes place each October across Europe. Its aim is to raise awareness of cyber security threats, promote cyber security among citizens and organizations, and provide resources that help them protect themselves online through education and the sharing of good practices.
This initiative is observed every October under the leadership of the U.S. Department of Homeland Security and the National Cyber Security Alliance. Now in its 15th year, NCSAM focuses on a different cybersecurity issue each week: STOP. THINK. CONNECT. Make Your Home a Haven for Online Safety; Millions of Rewarding Jobs: Educating for a Career in Cybersecurity; It’s Everyone’s Job to Ensure Online Safety at Work; and Safeguarding the Nation’s Critical Infrastructure.
Americans, along with people around the world, depend on the Internet and digital tools for all aspects of our lives—from mobile devices to online commerce and social networking. This fundamental reliance is why our digital infrastructure is a strategic national asset, and why its security is our shared responsibility. This month, we recognize the role we all play in ensuring our information and communications infrastructure is interoperable, secure, reliable, and open to all.