
Contents contributed and discussions participated by Owen Kemp

Owen Kemp

Dyman & Associates Risk Management Projects: The Weakest Link in Security? - 1 views

Dyman & Associates Risk Management Projects The Weakest Link in Security
started by Owen Kemp on 22 Mar 14 no follow-up yet
  • Owen Kemp
     
    Hardly a day goes by without news of another data breach. It's safe to say that we live and work in risky times. But there's a growing recognition that cybercriminals aren't the only threat, or even the primary threat, to an enterprise. "There's a far greater need to educate and train employees about security issues and put controls and monitoring in place to increase the odds of compliance," says John Hunt, a principal in information security at consulting firm PwC.

    It's a task that's easier said than done, particularly in an era of BYOD, consumer technology and personal clouds. According to Jonathan Gossels, president and CEO of security firm SystemsExperts, it's critical to construct policies and security protections around two basic areas: malicious insiders and those who inadvertently breach security. "The best security program in the world can be undermined by ill-advised behavior," Gossels explains.

    Construct effective policies. Surveys indicate that many workers are not adhering to existing policies. In some cases, they simply disregard them. "The thing that you have to keep in mind," notes Hunt, "is that policies must be clear, understandable and not interfere with the ability of people to get their work done." If an organization is struggling with non-compliance and shadow IT, then it may be time to reexamine policies, as well as the underlying systems and tools the enterprise has in place. "Many organizations have older policies that don't take into account today's tech tools, such as iPads and other portable devices," says Hunt. The policies should also extend to contract workers and freelancers, he notes.

    Educate and train employees. One of the biggest problems, says Gossels, is weak passwords and workers sharing passwords. He recommends educating employees about the use of strong passwords. It's also essential to teach employees about increasingly sophisticated phishing techniques. And executives, including CEOs, make the mistake of clicking bad links. "When you receive an e-mail from the Better Business Bureau or a fax that looks legitimate, it's very easy in the rush of the moment to click it," says Gossels. It's critical that employees learn to hover over links. Some organizations also use simulated phishing and spear phishing attacks to identify careless workers. Finally, employees must understand the risks of using personal clouds, USB drives, and other media to share and store sensitive data.

    Develop controls that match policies. It's one thing to introduce a collection of security policies; it's another to build controls that effectively enforce them. According to Gossels, any time an organization introduces a policy, it should also consider how to build in technical controls, preferably automated ones. "The less you leave things to humans and chance, the better off you will be," he says. That means using mobile device management and media asset management tools, two-step verification, encryption, endpoint security, and other security measures. It also means looking for so-called low and slow approaches that frequently fly below the radar. But, more than anything else, it means mapping threats to policies and security systems, and ensuring that tools are in place to wipe lost or stolen smartphones and tablets, when necessary. Hunt adds that it's crucial to consider, when adopting policies, how long it will take to build the matching controls. He often sees companies lagging by nine to 12 months or more.

    Monitor activity and access from all endpoints. There's a growing focus on monitoring the network and endpoints for unusual activity and odd behavior, Hunt explains. "If you detect activity that doesn't fit the norm of a person's role, then it's a good idea to take a closer look at the situation," he points out. In fact, even if an organization embeds role-based policies and controls in its IT systems (something that's generally viewed as a best practice), it's wise to monitor activity and look for anomalies. Networks and systems are particularly vulnerable during mergers and acquisitions and during transitions to different or new systems.

    Read full article:
    http://www.cioinsight.com/security/employees-the-weakest-link-in-security.html/

    Read related content:
    http://dymanassociatesprojects.com/
    http://www.buzznet.com/groups/dymanassociatesprojects/
    http://dymanassociatesprojects.com/enter.html
Owen Kemp

Dyman & Associates Risk Management Projects: Information, Disinformation and the Credib... - 1 views

Dyman & Associates Risk Management Projects Information Disinformation and the Credibility Crisis
started by Owen Kemp on 20 Mar 14 no follow-up yet
  • Owen Kemp
     
    A large percentage of the American population no longer trusts mainstream news outlets either on television or in print. A June 2013 Gallup poll indicates nearly 4 out of 5 Americans among younger generations from age 21-64 cannot trust the major news networks, not when the likes of NBC and MSNBC are owned by General Electric, Comcast and possibly Time Warner in this age of super-mergers. Both the circulation and very survival of America's news print organizations have shriveled or dried up completely.

    Amongst the nation's largest cities, few traditional newspapers are still left today. Even the perennial powerhouse dailies like the New York Times, Washington Post and LA Times have gravely suffered, and in an attempt to keep up with the changing times, years ago moved to the internet as their mainstay means of surviving the computer age. Time Magazine and Newsweek similarly have been forced to downsize with Newsweek permanently suspending its print circulation. In recent years, Time Magazine in print has been reduced in size to a mere skimpy little shadow of what it once was.

    To a significant portion of Americans, all the mainstream news corporations have been rendered state propaganda and disinformation tools for the US government. Indeed their embedded (alias "in-bed") news reporting has become a cynical joke amongst the populace. Entertainment fluff and filler space have come to obscure and replace real news and real issues that vitally affect the well being, safety and concerns of the American public. The controlling powers behind mainstream media outlets have made a concerted effort to keep American citizens the last to know especially when it comes to world events and developments.

    According to that same Gallup poll from last year, this growing distrust that Americans have towards mainstream news is only exceeded by their distrust towards big business, HMO's and US Congress. Even last month's Gallup poll shows President Obama's approval rating dipping to an all time low of just 39% with the majority of Americans now disapproving of his job performance. This negative, across-the-board view reflects both a generalized discontent and disconnect with today's status quo power structure. And as a result, a mass exodus of US citizens have switched from viewing their world through the known distorted lens of traditional news coverage to that of the world wide web, currently celebrating its quarter century anniversary this week.

    Hence, in recent years a growing number of people have been turning to online sources as their primary means for news information and current world events. Despite unlimited numbers to choose from of websites portending to depict accurate coverage of domestic and international events, in today's world the notion of objective, unbiased news coverage becomes highly suspect. Thus, an informed public must be extremely discerning when it comes to believing what is the truth and what are the lies based on propagandist manipulation. Ultimately individuals will naturally gravitate toward whatever sources of news best fit their particular biases and beliefs based on their world paradigm. So one's sense of reality and truth about the world becomes both highly elusive and subjective, if not impossible to tease out and grasp.

    To compound this already perplexing, complex problem, the systematic dumbing-down of America has produced a mounting population that all too frequently gullibly accepts either the spoon-fed deception and lies of mainstream media or often equally biased non-mainstream news outlets. For decades now Americans have been conditioned to no longer think critically and discriminately to sort out facts from fiction.

    Creative questioning, exploring curiosity or daring to challenge authority is entirely absent from the current US public education system bent on homogenized conformity and socialization toward robotic compliance. And as a consequence, too many Americans blindly accept as gospel truth anything they read, that is if they still read at all, naively assuming it would not be fit to print on the internet, in books, magazines or newspapers or seen on TV, if it were not all true.

    Read full article:
    http://www.globalresearch.ca/information-disinformation-and-the-credibility-crisis-where-is-the-truth-in-todays-news-reporting/5373876

    Read more:
    http://dymanassociatesprojects.com/
    http://www.buzznet.com/groups/dymanassociatesprojects/
    http://dymanassociatesprojects.com/enter.html
Owen Kemp

Dyman & Associates Risk Management Projects: Application awareness using data inspection - 1 views

Dyman & Associates Risk Management Projects Application awareness using data inspection to create context-sensitive security policies
started by Owen Kemp on 18 Mar 14 no follow-up yet
  • Owen Kemp
     
    Executive Summary

    The modern enterprise presents numerous challenges to IT security leaders, as it requires a diverse array of applications, websites, protocols, and platforms. Mobile devices are changing the fundamental composition of network traffic and introducing new types of malware, while consumerization trends such as BYOD are introducing new devices over which IT has little control.

    To organize the chaos, IT must look beyond a network packet's site, port, or IP address and determine a security posture that relies on the complete context of data usage. A deep, thorough inspection of real-time network data can help provide the content awareness required for the granular management that a flexible, modern enterprise requires.

    This report examines the shortcomings of traditional security and management processes exposed by device proliferation, an increasingly mobile workforce, and a movement toward cloud applications. It also demonstrates how a deeper understanding of application data in transit can help IT build more-flexible, business-friendly management procedures that continue to provide security and efficiency without disrupting productivity. The report concludes with best practices for testing application-aware network-security devices to gain a greater understanding of the value they will provide when deployed onto the enterprise network.

    Consider the following:

    * Traditional security and access controls are no longer capable of protecting enterprise networks yet continue to serve a purpose within a defense-in-depth strategy.

    * BYOD and other consumerization trends bring new threats to the enterprise that must be addressed by innovating network-security and policy management.

    * IT security leaders must validate and test these new application-aware network-security devices and identity-based policy-management systems.

    Read full article at http://research.gigaom.com/report/application-awareness-using-data-inspection-to-create-context-sensitive-security-policies/

    More related content:
    http://dymanassociatesprojects.com/
    http://www.buzznet.com/groups/dymanassociatesprojects/
    http://dymanassociatesprojects.com/enter.html
Owen Kemp

Safety products: Web-based driver risk management, Dyman & Associates Risk Management P... - 1 views

Safety products: Web-based driver Dyman & Associates Risk Management Projects
started by Owen Kemp on 10 Mar 14 no follow-up yet
  • Owen Kemp
     
    http://www.utilityproducts.com/articles/2014/03/safety-products-web-based-driver-risk-management.html

    Utility vehicles: Alert Driving, a provider of web-based driver risk management solutions, has announced the launch of Hazard Perception 360, an interactive mobile driver risk assessment solution. The new release builds on Alert Driving's proven, industry-standard Hazard Perception Evaluation program.

    Hazard Perception Evaluation is designed to identify high-risk drivers by assessing their risk awareness and reaction time across six core safe driving categories. Based on each individual's specific deficiencies, the program assigns targeted training to mitigate a driver's assessed risk.

    The advancements made with Hazard Perception 360 include:

    * A web-based, mobile application that does not require a company to download an app to launch the program;
    * A 45% larger clickable, interactive area; and
    * An enhanced driver scoring algorithm that more accurately pinpoints a driver's deficiencies and risk rating.

    "AlertDriving was the first company in the marketplace to bring the Hazard Perception Evaluation to fleets," said Matthew Latreille, Vice President of Digital Marketing and Innovation at AlertDriving. "The fact that AlertDriving can deliver this highly interactive solution to mobile devices without the hassle of app stores or installations makes for a seamless program launch."

    The initial release of Hazard Perception 360 is customized specifically for iPad users and available in nine countries, including the United States, the United Kingdom, Slovakia, Argentina, Brazil, Philippines, Czech, Italy, and Russia. Further expansion to additional countries will occur throughout 2014 with new versions for other tablets such as the Samsung GalaxyTab and Google Nexus coming on stream during the same timeframe.

    "With the ever-increasing use of mobile technology and growing mobile workforce, there needs to be a change in the way training is delivered to drivers," said Rob Martin, Vice President of Sales at AlertDriving. "We're at the forefront of this change, with Hazard Perception 360 allowing companies to bring the training to the drivers wherever they are," Rob Martin continued. "This results in a seamless delivery of the training, increased productivity for employees and ultimately a reduction in collisions, personal injuries, and financial cost on the road."

    Established in 1998, AlertDriving pioneered web-based driver risk management and has trained over 1,200,000 drivers worldwide. The company's fully customizable, driver risk management platform, has helped clients significantly reduce their collisions, injuries, costs and liability exposure.


    Read More:
    http://dymanassociatesprojects.com/
    http://dymanassociatesprojects.com/about.html
    http://dymanassociatesprojects.com/cyber.html
    http://www.linkedin.com/groups/Dyman-Associates-Risk-Management-Projects-7415482
Owen Kemp

Dyman & Associates Risk Management Projects Cartoon: the climate contrarian guide to ma... - 1 views

Cartoon: the climate contrarian guide to managing Dyman & Associates Risk Management Projects
started by Owen Kemp on 09 Mar 14 no follow-up yet
  • Owen Kemp
     
    A new cartoon created by John Cook illustrates the failure of climate contrarians to manage global warming risks

    http://www.theguardian.com/environment/climate-consensus-97-per-cent/2014/mar/04/cartoon-climate-change-contrarian-managing-risk

    Climate change is fundamentally a risk management problem. Whether or not you agree with the 97 percent expert consensus on human-caused global warming, there is an undeniable risk that the consensus is correct and that we're causing dangerously rapid climate change.

    Frequently, climate contrarians argue against taking action to mitigate that risk by claiming the uncertainties are too large. One of the most visible figures to make this argument is climate scientist Judith Curry, who said in 2013,

    "I can't say myself that [doing nothing] isn't the best solution."

    This argument represents a failure to grasp the principles of basic risk management, as illustrated in the following cartoon.

    When it comes to managing risk, uncertainty is not our friend. Uncertainty means it's possible the outcome will be better than we expect, but it's also possible it will be much worse than we expect. In fact, continuing with business-as-usual would only be a reasonable option in the absolute best case scenario.

    Doing nothing is betting the farm on a very low probability scenario. It's an incredibly high-risk path that fails to reduce the threats posed by the worst case or even most likely case scenarios. This is a concept Judith Curry understood in 2007, when she wrote,

    "The rationale for reducing emissions of carbon dioxide is to reduce the risk of the possibility of catastrophic outcomes. Making the transition to cleaner fuels has the added benefit of reducing the impact on public health and ecosystems and improving energy security ... I have yet to see any option that is worse than ignoring the risk of global warming and doing nothing."

    Judith Curry of 2007 got it exactly right. Unfortunately she and her fellow climate contrarians no longer seem to grasp these fundamental principles of risk management.

    Failing to mitigate global warming by significantly reducing greenhouse gas emissions is fundamentally equivalent to continuing to smoke cigarettes, driving without a seat belt, or refusing to buy homeowner's insurance. Each situation represents the failure to take action to reduce the risks of a very dangerous outcome.

    Even if you personally have doubts about the 97 percent expert consensus on human-caused global warming and the threats it represents, there's a good chance you're wrong. You may also doubt the medical science consensus that smoking causes lung cancer, but acting on that doubt by continuing to smoke is a risky decision. The difference is that in the latter case, you're only risking the health of yourself and those in your proximity. In the case of global warming, you're risking the health of entire ecosystems and future generations.

    From a risk management perspective, mitigating the undeniable threat of catastrophic climate change is a no-brainer. So let's stop delaying and denying and get to it.

    To know more from Dyman & Associates Risk Management Projects, See:
    Cyber Security (http://dymanassociatesprojects.com/cyber.html)
    Company Overview (http://dymanassociatesprojects.com/about.html)
    Services (http://dymanassociatesprojects.com/)
Owen Kemp

Dyman & Associates Risk Management Projects - 1 views

Risk Management Dyman & Associates Projects
started by Owen Kemp on 08 Mar 14 no follow-up yet
  • Owen Kemp
     
    Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Several risk management standards have been developed including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards.

    Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

    The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

    Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whereas the confidence in estimates and decisions seem to increase. For example, it has been shown that one in six IT projects becomes a 'Black Swan', with cost overruns of 200% on average, and schedule overruns of 70%.

    Introduction
    A widely used vocabulary for risk management is defined by ISO Guide 73, "Risk management. Vocabulary."

    In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

    Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

    Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.

    Method
    For the most part, these methods consist of the following elements, performed, more or less, in the following order.
    * identify, characterize threats
    * assess the vulnerability of critical assets to specific threats
    * determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
    * identify ways to reduce those risks
    * prioritize risk reduction measures based on a strategy

    Continue Reading.. http://en.wikipedia.org/wiki/Risk_management

    More from Dyman & Associates Risk Management Projects:
    Cyber Security http://dymanassociatesprojects.com/cyber.html
    Company Overview http://dymanassociatesprojects.com/about.html
    Services http://dymanassociatesprojects.com/
Owen Kemp

Dyman & Associates Projects: Risk Management - 1 views

  •  
    This site Dyman & Associates Projects provides guidance and tools to help businesses understand what they need to do to assess and control risks in the workplace and comply with health and safety law. Although written with small businesses in mind, the site is relevant to all businesses.

    How to assess the risks in your workplace? Follow the five steps in our leaflet:

    * Step 1: Identify the hazards
    * Step 2: Decide who might be harmed and how
    * Step 3: Evaluate the risks and decide on precautions
    * Step 4: Record your findings and implement them
    * Step 5: Review your risk assessment and update if necessary

    If you already have a health and safety policy, you may choose to simply complete the risk assessment part of the template. We also have a number of example risk assessments to show you what a risk assessment might look like. Choose the example closest to your own business and use it as a guide for completing the template, adapting it to meet the needs of your own business.

    [See this Cyber Security] For more Info Dyman & Associates Risk Management Projects Click for full info in Risk Management
Owen Kemp

Dyman & Associates Risk Management Projects: Apps on Google Play Can Secretly Subscribe... - 1 views

Dyman & Associates Risk Management Projects Apps on Google Play Can Secretly Subscribe Users to Premium SMS Services
started by Owen Kemp on 24 Feb 14 no follow-up yet
  • Owen Kemp
     
    Traditional advice is to use the official app stores to avoid mobile malware - but a Spanish security firm has discovered four apps available via Google Play that scam their users into covertly subscribing to premium SMS services and stealing money through their phone bills.

    Luis Corrons, technical Director of Panda Security's PandaLabs research arm, blogged about the discovery yesterday. His team had found four particular apps (on dieting, baking, exercise and hairstyling) that all use a similar process to scam their users. The basic methodology is to trick the user into accepting terms and conditions well beyond those expected.

    Using the diet app as an example, Corrons shows that users are presented with an invitation to view one of the diets. Clicking 'Enter' pops up a small window that asks the user to accept the app's terms of service - but those terms are separated from the pop-up, greyed out, and in tiny, unreadable text. They actually grant the app permission to subscribe the device to an external service.

    Of course, it's not as simple as that. Firstly, the app 'steals' the user's phone number from WhatsApp (a popular app that requires the user's number and is statistically quite likely to be installed). It then covertly subscribes the user to a premium SMS service, waits for the confirmatory request from the service, intercepts it and responds in the affirmative - all without any notification to the user. The user eventually gets presented with a bill 'hidden' in the mobile phone charge for a service he didn't know he was using.

    This type of scam is a growing problem. "I know that lots of people only ever give their bill a cursory glance or don't even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missus had been paying insurance and tech support on a phone she hadn't used for 5 years," a PandaLabs spokesperson told Infosecurity.

    "Whether the cyber criminals choose to use the app as often as possible to rack-up their income knowing they will get caught quickly or the under-the-radar method [small amounts from a lot of victims] where they will try to go unnoticed depends on the criminal's choice," Corrons told Infosecurity.

    He did some quick arithmetic on a projected volume of anything up to 1.2 million downloads of the four apps. "They charge a lot of money for premium SMS services, if we make a conservative estimate of $20 charged by terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!" And this, of course, is just for the four apps that he found.

    These particular apps were found in the Spanish Google Play. They contravene Google's new terms and conditions for Play, which insist on a single purpose and clear terms. How Google intends to enforce those terms remains to be seen; but Corrons confirmed to Infosecurity that these four have now been removed from Play.
Owen Kemp

Dyman & Associates Risk Management Projects: Feds Launch Cyber Security Guidelines For ... - 1 views

Dyman & Associates Risk Management Projects Feds Launch Cyber Security Guidelines For US Infrastructure Providers
started by Owen Kemp on 21 Feb 14 no follow-up yet
  • Owen Kemp
     
    The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.

    The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.

    The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.

    Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.

    The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.

    The framework is built on three basic components:

    - Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
    - Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
    - Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.

    The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties.

    Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.

    Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.

    interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.

    But one White House official said during a briefing, "The goal is not to expand regulation."

    Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress, the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.

    Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.

    Focus on resilience

    In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.

    Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.

    President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.

    Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."

    Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.

    A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.

Owen Kemp

Dyman & Associates Risk Management Projects: Cybersecurity Expert Offers Tips To Consumers - 1 views

Cybersecurity Expert Offers Tips To Consumers Dyman & Associates Risk Management Projects
started by Owen Kemp on 20 Feb 14 no follow-up yet
  • Owen Kemp
     
    Hackers have become very sophisticated over the past few years. Not only was the recent attack on Target tremendous, it was also rather unusual, because hackers attacked the company through its point-of-sale equipment and not online.

    Dr. Vijay Anand, assistant professor in the department of Engineering and Technology at Southeast Missouri State University, gave some advice on how consumers can protect themselves against cybercrime. He urges consumers to be more proactive regarding cybersecurity, even if it is always difficult to predict where an attack will occur.

    "It is always a good idea to check back on your account in a timely manner. That's the only recourse consumers have at this point, it's to regularly check on their account," Anand said.

    As far as credit or debit cards are concerned, consumers should favor banks that offer them cards with a chip, instead of only the usual magnetic strip. The chip has a microprocessor which has more security features and guarantees more secure transactions. It is better than the magnetic strip, according to Anand, because the active chip can prevent certain kinds of attacks.

    Regarding the issue of identity theft, Anand suggests that people do pretty much the same as for bank account attacks.

    "The only recourse that you have against identity theft is to check and monitor your credit report," Anand said.

    Individuals can also be more careful by not throwing away mail containing sensitive personal information. Individuals should shred potentially sensitive mail. Indeed, some attackers go dumpster diving, which consists of going through somebody's trash in search of useful information about that person. Also, Anand reminds consumers that they should never answer an email asking them to give away private information such as their social security number. If a bank or other entity needs it, they will not ask for it through email. Those are called phishing attacks and are incredibly common.

    Concerning internet browsers, Anand said he would favor Firefox and Google Chrome over other browsers as he considers those two more secure. But there are other ways to be careful when doing a transaction. He explained that people should make sure the web link contains the "https" prefix instead of the usual "http."

    "If it is https then it is a secure transaction, there is some authentication going on, so that is a secure connection that you have with a server. But if you have a basic http connection, it's not secure."

    Anand insisted on this point, making clear that this small change can make a huge difference regarding the security of the transaction.

    "If the https sign is not there I would never put my username and password into that account because I have no idea whether it is a secure site or a non secure site," Anand added.

    It is difficult for small businesses to protect themselves because cybersecurity is expensive. What they can do, Anand advised, is to use platforms such as Google Pay or PayPal because they are trustworthy sites with a huge security capacity. To him, it's definitely a better solution than any home built solution.

    Hackers don't really go after private individuals one at a time. It would take too long.

    "What they typically do is that they will go and attack the database of a large corporation, which has information about millions of people, so that value is much higher," Anand said.

    So even if the targets are still primarily big corporations, one can never be too careful and should follow some of those tips to make sure that online transactions remain safe.
Owen Kemp

Dyman & Associates Risk Management Projects: Why Businesses Can't Ignore US Cybersecuri... - 1 views

Why Businesses Can't Ignore US Cybersecurity Framework Dyman & Associates Risk Management Projects
started by Owen Kemp on 19 Feb 14 no follow-up yet
  • Owen Kemp
     
    Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.

    The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.

    Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.

    First, the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who've combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.


    The cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices as well as those of their suppliers, partners, and customers. And it shows them what the answers ought to look like. The economic pain hackers caused to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.

    A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.

    Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.

    "Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is a bigger threat to the US than terrorism.

    But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.

    Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.
Owen Kemp

Dyman & Associates Risk Management Projects: Scam court email alert - 1 views

Scam court email alert Dyman & Associates Risk Management Projects
started by Owen Kemp on 18 Feb 14 no follow-up yet
  • Owen Kemp
     
    The Business Crime Reduction Centre (BCRC) is warning people about a new email scam that threatens victims with court action.

    Fraudsters have been sending out legitimate looking spoofed emails designed to trick recipients into installing malware.

    The emails say you have been notified and scheduled to appear for a court hearing and contain specific dates, times, locations and reference numbers.

    It asks you to download a copy of the "court notice" attached. The downloadable .zip file actually contains an .exe file (a file that executes when clicked) containing a virus.

    The email has no connection to the Criminal Justice System and anyone receiving the email should not download any attachments or click any links. Report to Action Fraud by using the online fraud reporting tool.

    You are likely to see some variations of this email, as it is easy for fraudsters to amend the details and continue targeting people.

    BCRC's cyber security specialist said "the email is difficult to block as the subject headers change frequently."

    He also said: "Provoking a panicked, impulse reaction has become a very common scam technique for cyber criminals. Opening the attachment allows the criminal to spy on the victim, use their computer to commit crime, or steal personal and financial information."

Owen Kemp

Dyman & Associates Risk Management Projects: Target's Cyber Security Staff Raised Conce... - 1 views

Target's Cyber Security Staff Raised Concerns in Months Before Breach Dyman & Associates Risk Management Projects
started by Owen Kemp on 17 Feb 14 no follow-up yet
  • Owen Kemp
     
    Target Corp.'s computer security staff raised concerns about vulnerabilities in the retailer's payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.

    At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.

    The suggested review also came as Target was updating those payment terminals, a process that can open security risks because analysts would have had less time to find holes in the new system, the employee said. It also came at a difficult time, ahead of the carefully planned and highly competitive Black Friday weekend that would kick off the holiday shopping period.

    It wasn't clear whether Target did the requested review before the attack that ran between Nov. 27 and Dec. 18. The nature of the feared security holes wasn't immediately clear, either, or whether they allowed the hackers to penetrate the system.

    The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cyber security intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.

    Target declined to confirm or comment on the warning.

    The breach has caused headaches for Target customers who have dealt with fraudulent charges and have had millions of credit and debit cards replaced by issuers. Investigators and card issuers haven't quantified damages from the attack.
Owen Kemp

Dyman & Associates Risk Management Projects: How To Get The Most Out Of Risk Management... - 1 views

How To Get The Most Out Of Risk Management Spend Dyman & Associates Projects
started by Owen Kemp on 27 Jan 14 no follow-up yet
  • Owen Kemp
     
    http://www.darkreading.com/risk/how-to-get-the-most-out-of-risk-manageme/240165618

    Even with most security budgets growing or at least staying flat for 2014, no organization ever has unlimited funds for protecting the business. That's where a solid risk management plan can be a lifesaver.

    Dark Reading recently spoke with a number of security and risk management experts, who offered practical tips for getting the most out of risk management. They say smart risk management strategies can make it easier to direct security funds to protect what matters most to the business. Organizations that use them typically can base their spending decisions on actual risk factors for their businesses, rather than employing a shotgun strategy that chases after every threat under the sun. Here are a couple of ways to start making that happen.

    Establish A Risk And Security Oversight Board
    If an organization is going to get more for its IT risk management buck, then the first thing it has to remember is that security risk is only one facet of business risk. That is why it is important to engage with cross-functional teams, says Dwayne Melancon, chief technology officer for Tripwire, who explains doing so makes it easier to look at risk holistically.

    Melancon says he has seen many customers establish "Risk and Security Oversight Boards" that are made up of leaders like the CFO, chief legal counsel, and other stakeholders from across the business.

    "This board discusses, prioritizes, and champions actions and investments based on a risk registry developed through cross-functional debate and agreement," he says. "This approach ensures that the business 'puts their money where their mouth is' and helps align different parts of the business around the short list of risks that have the potential to cause most harm to the business."

    Get A Second Opinion
    Even if an oversight board may not be practical, getting a second opinion from the business as to where IT risk management should focus stands as a crucial way to set priorities.

    "One way we've seen success with this is to engage with legal, finance, and PR instead of the IT executives," says J.J. Thompson, CEO and managing director for Rook Security. "They identify the real issues with simplicity and have not been brainwashed by the IT industry, who still struggles to realize what really matters to business."

    For example, in one consulting engagement, Thompson says his CIO contact was caught up in focusing on standard ISO 27000x practices around SOC services Rook would offer his firm. But when his consultants talked to that firm's legal department, they were most concerned about how that SOC outsourcing would affect their largest defense contractor client. That was the No. 1 risk priority.

    "The business was simply concerned about the highest area of risk: that which directly pertained to their largest client," Thompson says. "We shifted focus to the controls that directly reduced the risk of such a compromise occurring and tailored custom control monitoring that focused on creating a sensitive data map, and setting custom anomaly detection triggers when the sensitive data is accessed."


    Map Risk To A Business Bloodline
    What's the business bloodline for your company? In other words, what are the areas of the business for which security threats could truly disrupt the way in which the organization operates? This is exceedingly important to determine -- and one that second opinion should help deliver. Once you figure that out, start mapping technical elements to it in order to understand what kind of events could do the organization the most harm, says Amichai Shulman, chief technology officer for Imperva.

    "For some companies, a POS system or its database full of credit cards may be its most valuable assets; for some it may be Social Security numbers and the personal information attached," he says.

    "For a company that bases its livelihood on transactions and uptime, the loss of revenue or customer loyalty caused by a DDoS could be devastating."

    Communicate Risk Visually
    A big part of risk management is communicating identified risks both up to senior management and down to the security managers who will put practices in place to mitigate them. One of the most effective ways to do that is to make those results visual.

    "Pursuing risk management purely within security can help you make better decisions, but it can't help you get the right level of funding unless you can show people outside what you're doing," says Mike Lloyd, chief technology officer for RedSeal Networks. "Helping executives outside to understand is hard. Doing this with formulae won't work -- you will need pictures."

    For example, Rick Howard, chief security officer for Palo Alto Networks, says that any time he starts a proposal to the executive suite, he begins with a business heat map that shows the top 10 to 15 business risks to the company on a grid. Typically cyber-risk is in that top 15, which makes it easier to get the company to address those risks more fully.

    "Once that is done, I like to build a risk heat map just for cyber," he says. "I take the one bullet on the business heat map and blow it up to show all of the cyber-risks that we track. Again, this is not technical -- it is an overview. We are not trying to show the 1,000 potential ways that an adversary can get into the network. We want to show the C-suite who the adversary is."

Owen Kemp

CyberSecurity Malaysia: Beware, your Cyberfling could turn into a Blackmail Scam, Dyman... - 1 views

CyberSecurity Malaysia: Beware your Cyberfling could turn into a Blackmail Scam Dyman & Associates Risk Management Projects
started by Owen Kemp on 26 Jan 14 no follow-up yet
  • Owen Kemp
     
    KUALA LUMPUR: National cybersecurity specialist agency CyberSecurity Malaysia today alerted the public to the dangers of 'cyber flirts', saying they are linked to a rising trend in cyber blackmail scams.

    Victims are targeted via social networking sites such as Facebook, Tagged and online video chat services such as Skype, with the perpetrators believed to be foreign nationals creating a scam hub in various locations including Malaysia.

    As the victims have thus far been mainly teenage boys and middle aged men, the culprits are suspected to be working with female accomplices.

    An analysis of the 80 or so reported incidents thus far revealed the modus operandi of a typical cyber blackmail scam: The perpetrator would usually create a profile on a social networking site portraying him or herself as a beautiful Asian woman, where "she" would befriend and flirt with potential victims, and subsequently invite them to intimate video chats with her using Skype.

    Unbeknownst to the victims however, "she" would then secretly record the victims during the video chats and blackmail them into remitting sums of money ranging from RM500 to RM5,000 via Western Union or a third party bank account. Failure to do so would result in the video footage being circulated on the Internet.

    "Only four incidents of cyber blackmail scams were reported to our Cyber999 Help Centre in 2012, but by mid-2013 we saw an upward trend," said Dr. Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia.

    He added that by the end of 2013 that number had increased exponentially to 73 cases, leading CyberSecurity Malaysia to believe that there could be many more unreported incidents.

    "Malaysians are advised to be extra careful and not to entertain online seductions from women whom they got to know only in social media, but have never really known in person," stressed Dr. Amirudin.

    What to do if you are a victim of such a scam:

    * Stop communicating with the perpetrator. Ignore all calls, SMSes or messages from the perpetrator.

    * Remove the perpetrator from all your social media friends or contact lists, or add her to your list of 'blocked' contacts.

    * Make all your social networking accounts private so the perpetrator will not be able to reach you or your friends.

    * Keep all relevant data such as chat logs, screenshots, and e-mail messages as evidence for reporting and prosecution purposes.

    * Never pay the scammers as it may further propagate the scam.

    * Lodge a police report at a nearby police station together with evidence for further investigations.

    * Report the incident(s) to CyberSecurity Malaysia's Cyber999 Help Centre for further assistance, either by sending an e-mail to cyber999@cybersecurity.my or by calling 1-300-88-2999 (monitored during business hours). In case of an emergency outside regular working hours, send a text message to 019-266 5850.

    CyberSecurity also added general words of advice to Internet users:

    * Be aware that anything you do on the Internet, including video and voice calls, can be recorded and manipulated for malicious purposes.

    * Adhere to best practices, and religious or social ethics, when on social networking sites and online chat forums.

    * Be very cautious about whom you befriend, and do not feel obligated to fulfill all requests from other users while online.

    * Be alert to and suspicious of unusual activities on the Net and immediately report them to relevant authorities.

    * As a preventive measure, configure your Skype account to restrict communications with only your existing contact list by doing the following: Go to > Tools > Options > Privacy > Only Allow IMs, Calls etc from People on my Contact List > SAVE.

    * Always make sure your software and systems are up-to-date, and that you are using up-to-date security software.

    * Never use your webcam to video call someone you do not know.
Owen Kemp

Dallas Firm iSight Vaults to National Attention with Cyber Scam Report, Dyman & Associa... - 1 views

Dallas Firm iSight Vaults to National Attention with Cyber Scam Report Dyman & Associates Risk Management Projects
started by Owen Kemp on 23 Jan 14 no follow-up yet
  • Owen Kemp
     
    Target shoppers won't be the only ones who have had their personal information breached, says John Watters of iSight Partners.

    In business, when a customer of a company becomes an investor in the company, that's a strong endorsement.

    An even stronger endorsement might be when a company emerges as an ally of the U.S. Secret Service and the Department of Homeland Security in the effort to track cyber scammers who stole the personal information of tens of millions of credit and debit card customers.

    Both are true for iSight Partners, a global cyber intelligence firm started here in 2006 by Dallas native John Watters.

    "That's two signs of credibility," Watters said in an interview Friday, a day after iSight issued a joint publication with federal agencies that said the security breach during the holiday shopping season was part of a sophisticated cyber scam that affected several retailers.

    Last year, iSight received funding from Blackstone, the giant investment firm. During the previous year, Blackstone had been a customer, relying on iSight to better understand the cyber threats it faced.

    With iSight's new report, Watters and his company vaulted to national attention. He said his Friday was packed with news interviews. And he warned that the fallout from this round of cyber-attacks is probably not over.

    "There's likely a heck of a lot of victims out there who don't yet know they are victims," Watters said.

    "This is going to unfold over days, weeks and months."

    He said iSight couldn't mention specific names of retailers involved. News reports have indicated at least two, Target and Neiman Marcus.

    Watters said that while the origin of the malware source code used was Russian, iSight and federal authorities do not know where the attacks originated. "It's like buying a gun in Russia and selling it in Brazil," he said.

    He said his company detected the malicious software - dubbed Kaptoxa (Kar-toe-sha) - being sold around the world last summer. By now, it has potentially infected a large number of retail information systems, he said.

    Watters, an entrepreneur, said that he started investing in cyber security firms in the early 2000s. He became chairman and CEO of Virginia-based iDefense, a security intelligence firm acquired by VeriSign for $40 million in 2005, according to reports then.

    "I bought it for $10 out of bankruptcy in 2002," Watters said of iDefense.

    On its website, iSight says its network of security analysts numbers more than 200 in Washington, D.C., the Netherlands, Brazil, Ukraine, India and China. The company operates in 24 languages in 16 countries.

    Using a sports analogy, Watters said his company creates playbooks to help organizations defend against potential adversaries in different circumstances. These plans provide specific information to counter discrete threats, such as the recent attacks on retailers' point-of-sale systems.

    "We give them the equivalent of an audible," Watters said.

    In an interview with ExecutiveBiz in 2010, Watters said his business "always tries to intersect the future rather [than] replicating the current."

    "It's a risky way to roll, but way more fun," he said.

    IN THE KNOW / BE VIGILANT

    On its website, iSight advises retailers who believe their point-of-sale system has been compromised to immediately contact the local Secret Service/Electronic Crimes Task Force field office.

    The company advises consumers to be vigilant but not worried:

    Regularly check bank statements for fraudulent charges, monitor credit statements for unusual activity, and do not open email from unknown or suspicious sources.

    If you receive an email from what appears to be your bank or financial institution, do not open the email or click on any links. Instead, contact your financial institution directly via phone or website to avoid any phishing scams.
Owen Kemp

Facebook users being the targets by the scammers with PlayStation 4 offers - 0 views

Dyman & Associates Risk Management Projects Facebook users being the targets by scammers with PlayStation 4 offers
started by Owen Kemp on 08 Jan 14 no follow-up yet
  • Owen Kemp
     
    Unsuspecting and unwary Facebook users are being lured by cybercriminals with promises of shiny gadgets. The scammers are taking advantage of the time when everyone is looking for last-minute deals ahead of Christmas. They turn up wherever they can defraud busy Christmas shoppers, jumping on the bandwagon and offering free gadgets and games on social networking sites in return for personal information.

    Kaspersky Lab has seen scammers trying to interest Facebook users with pages on PlayStation 4 offers, and on new Apple iPhones and iPads, during the lead-up to this festive period, and there were even pages about an iPhone 8, which doesn't exist.

    According to Kaspersky, despite the unofficial-looking posts, many are falling for them and lending credence to the scam campaigns. One supposed Christmas competition offering PlayStation 4 consoles had received over 776 shares.

    Kaspersky Lab notifies the public that liking these false Facebook offers could leave them at risk of hacking and malware.

    "Scammers use numerous techniques to get people to give away their Facebook logins. Clicking on an email link entitled 'Facebook Christmas Specials', for example, could open a fake Facebook portal in which users are required to enter their login details," warned Kaspersky.

    "As the interface appears identical to the real social media platform, users don't realise what's happening. Once the victims have entered their details, the hacker has their passwords. As most people tend to use the same password for services such as eBay, Amazon and webmail, this can trigger a dangerous chain reaction."

    Kaspersky said that social media users should never click links that don't come from trusted parties. Even if a link has been posted from a friend they should still be wary, as that friend may have been hacked.
Owen Kemp

Dyman & Associates Risk Management Projects: What is Bitcoin? The virtual currency buil... - 1 views

Dyman & Associates Risk Management Projects What is Bitcoin The virtual currency built on math hope and hype
started by Owen Kemp on 06 Jan 14 no follow-up yet
  • Owen Kemp
     
    Bitcoin is a currency forged through hardcore mathematics and buoyed by promises of financial liberation from banks. Its climb has been very thrilling.

    Many are embracing bitcoin as a viable means of exchange and a valuable investment, and it is rapidly increasing, since it is free from meddling by central banks and what some view as untrustworthy financial systems.

    Satoshi Nakamoto, a pseudonymous programmer, developed the Bitcoin system. A white paper was released in 2008, and the network, which launched in early 2009, uses peer-to-peer software to transfer bitcoins.

    Bitcoin is a purely digital currency; basically a secret number that is transmitted from one party to another using public key cryptography. The people running high-end computers that verify the transactions are called "miners"; they are awarded newly minted bitcoins for their efforts.

    One reason why this so-called bitcoin is so attractive is its distance from the established financial system and lack of regulation. Compared to the virtual currency projects that failed in past years, bitcoin has so far defied predictions it would meet the same fate.

    Bitcoin "seems to resonate quite deeply" with people who don't trust banks, even if the rosy predictions of its potential are baseless in standard economic theory, said Dick Bryan, a professor with the Department of Political Economy at the University of Sydney.

    "No one can create an accurate economic model for Bitcoin, and everyone who thinks they can give an explanation is posturing," Bryan said.

    Bitcoin's early supporters have been very happy since if you bought the virtual currency in early 2011 at US$1 each instead of a new pair of $600 snakeskin cowboy boots, you'd be up roughly $600,000, depending on fluctuating exchange rates.

    According to the first report on Bitcoin released Dec. 5, Bank of America Merrill Lynch predicted a value of $1,300 per bitcoin if it becomes a force in e-commerce and money transfers.

    It's easy to be overwhelmed by the numbers. And when proponents promote Bitcoin from a clever system for transferring value to a potential replacement for government-issued currency, it seems that it has no limit.

    "Buy bitcoins now. Take 5 percent of your net worth, and put it into Bitcoin," said Steve Kirsch, CEO of OneID, a startup that provides encryption services to protect people's data, at the Future of Money and Technology conference in San Francisco in early December.

    "You won't be sorry," Kirsch said. "I think for the next few years, any time you buy bitcoins and hold onto them, and then sell it, you'll make substantial amounts of money. You'll be so happy."

    Bitcoin is sometimes confused with a Ponzi scheme. This is a type of scam where money from new investments is used to pay off a few early investors with the rest skimmed until the scheme goes bust. But Bitcoin is clearly not a Ponzi scheme; the frenzied get-in-now enthusiasm of late belies the fact that it is a very new and immature software experiment.

    Consequently, Bitcoin's buzz is offset by suspicion, doubt and, occasionally, contempt.

    "I've always had the view that Bitcoin is a very beta project," said Evan Schmidt, who runs Buttcoin.org, a mocking blog. "It seems a lot of people are basically saying 'Get some bitcoins, hold onto them forever and you'll be rich'."

    He launched Buttcoin.org in mid-2011 after becoming fascinated by the community around Bitcoin - libertarians, scammers, developers, hackers, early-adopters - as well as its embrace by the Silk Road online drugs market.

    "There were a lot of weird things that were going on," Schmidt said.

    Buttcoin immortalizes Bitcoin supporters at their most hyperbolic moments, with heavy doses of sarcasm. The blog gets more than 15,000 hits a month, said Schmidt, who said he's fine with Bitcoin as a speculative play but doubtful of it as a currency.

    Bitcoin could have a positive effect for e-commerce. Similar to a cash deal, once a bitcoin is sent, the transaction can't be reversed unless the receiver gives it back. That's good for merchants, who may end up responsible if someone uses another person's credit card to pay for goods and the money is reclaimed in what's known as a "chargeback."

    Moreover, consumers don't have to submit personal information when sending bitcoins, reducing opportunities for identity theft.

    For vendors of illegal goods, Bitcoin is close to perfect. "I think it is one of the best innovations coming from the modern computing era," said a former Silk Road methamphetamine and heroin dealer, via instant message. The dealer, who confirmed his role in Silk Road, has a strong background in technology and said he'd place Bitcoin high on the list of the most important creations in the last few hundred years.
Owen Kemp

Fraud Reduction Group, PYRAMID SCHEMES - 1 views

Fraud Reduction Group PYRAMID SCHEMES
started by Owen Kemp on 02 Jan 14 no follow-up yet
  • Owen Kemp
     
    A Pyramid Scheme is a plan by which a person gives a consideration (usually money) for the opportunity to receive money that is derived primarily from the introduction of other people to participate in the plan rather than from the sale of a product. The arrangement often operates as an investment and invariably leaves most participants poorer.

    In the United States in mid-2001 authorities warned of a new pyramid scheme variation called a "dinner party". Dinner parties are described as a charity group or gifting program aimed to bring women together to find "financial support" and help them make a "positive impact on humanity." But it's actually an old trick reappearing in a new guise, leaving thousands of women feeling duped.

    Each dinner party operates as if it were a four-course meal: appetizer, soup and salad, entrée and dessert. Eight "guests" put in $5,000 cash at the appetizer level; all of their money is "gifted" to one woman at the dessert level, who then leaves the pyramid with $40,000. The pyramid then splits into two, and everyone moves up a notch, creating eight new appetizer-level slots in each pyramid to be filled.

    The process repeats itself, with the pyramids continuing to multiply in an endless rotation that's referred to as a "perpetual cycle of charitable giving". Warning signs to look out for include:

    - You have to make an investment and then have to recruit others
    - Attempts to conceal the identities of participants
    - Promotion of the pyramid as "approved" or other citations of approval
    - Success stories or testimonials of tremendous payouts
