ICS Cyber Convergence

Monitor asset performance in real-time with new widgets available with Industrial Defender ASM version 6.2

The Industrial Defender ASM has always been more than an event monitoring platform. Now there’s one more reason why this technology is rapidly becoming the de facto solution to monitor, manage and protect ICS assets.

Asset Trends offers operational end-users a new set of widgets to track and trend asset performance. These investigative tools can be used to review a specific set of asset details for a finite span of time. When comparing trends it’s easy to identify anomalies and under-performing asset(s). Further analysis can be done to review the resources on the under-performing asset by spinning up a widget with settings set to compare I/O, memory and disk usage. These widgets display continuous, analog information in both a graph and table format over a selectable time interval, using menus of metric categories and associated metric names for display. There are four standard widgets available: CPU usage, memory usage, disk usage and networking.


An available premium upgrade enables more than 25 additional categories for trend analysis.

Asset Trends Features

Each widget can compare up to five assets from a seven day span down to fifteen minute time increments. Additional features include:

  • Show/hide data grid for more information
  • Current, maximum, minimum and average values
  • Data display continuously refreshes every minute
  • Mouse over line point for more details
  • Click to zoom-in and drill down to view by the minute
  • Reset button to come back to the initial view

Sneak Peek Screenshots
[Screenshots: mouse-over details, settings panel, zoom-in view]


Next step? Request a meeting. Find out how Industrial Defender ASM can help you manage your security, operations and compliance projects. Request an appointment today!


Today we are proud to announce that the latest release of the Industrial Defender Automation Systems Manager™ (ASM), version 6.2, is available! Our dedicated product team works alongside existing end-users to continually improve functionality and develop advanced capabilities within this single, unified platform. The Industrial Defender ASM is specifically designed and purpose-built to assist asset owners in the task of ensuring the safe and reliable operation of industrial control systems (ICS).

The 6.2 release addresses features that will assist cybersecurity, compliance and change management requirements for ICS environments. The latest version expands ICS operational management capabilities with a new, highly customizable module that tracks ICS asset performance indicators. Additionally, ASM v6.2 delivers features and enhancements to assist customers in meeting the rapidly approaching NERC CIP v5 April 2016 start date. The ASM continues to win customers and has become the de facto standard for operational technology (OT) cybersecurity by automating many of the manual processes required to secure global critical infrastructure operational assets.

The Industrial Defender ASM solution comprises three components:

  • ASM – the Automation Systems Management platform used to search, sort and report on data collected from assets and systems within the ICS environment
  • ASA – the Advanced System Appliance captures, correlates and securely routes events and asset configuration data to the ASM for analysis, management, and reporting. Continual data collection directly from local devices through various methods, using standard communication protocols like SSH, SFTP, SNMP or through specially designed automation system agents is the ideal solution for mission critical networks where no inbound access is allowed.
  • Agents – the Industrial Defender ASM agents enable automated collection of configuration state and event data from endpoints, locally and remotely. Agents are deployed with no impact to your environment and require limited resource utilization.

Five New Features for ASM 6.2

1. Reports from search deliver greater report flexibility and utility

Appearing in the same formal format as reports generated using the Reporting tab, reports can now be created, scheduled, and saved directly from query results on ASM search pages, such as Active Asset Search, User Search and Event Search. The unique reports generated from these searches can be scheduled for automatic creation and storage on the ASM. Email notification can be automated upon scheduled report generation.

 

2. New workflows to manage configuration rules remotely enhance asset state data collection functionality

Now managed from the ASM, configuration rules allow you to select specific types of state data to collect from assets, such as asset details, users, firewall rules, software installed, patches installed, network interfaces, ports and services, and configuration backups. Configuration rules are easily associated with asset groups for efficient configuration rule management. Although default configuration rules are provided out-of-the-box, custom configuration rules can be created.

You don’t need remote or physical access to an asset after first-time installation!

3. Rule management workflow provides greater ease-of-use

A new rule management workflow delivers a rich set of improved usability features including new search panels for rule pages, additional default rules libraries for import, bulk rule classification upon import, and a report showing rules applied to assets.

 

4. User configuration export and import functions boost user-defined configuration

The export and import function is redesigned to include all user-defined configuration data, including asset configurations, rules, notifications and contacts. This capability increases utility and portability. Four common use cases for this feature are disaster recovery, NERC CIP v5 compliance, QA to production migration and FleetView deployment.

 

5. Asset Trends widgets enable asset performance monitoring in real-time

Asset Trends widgets display continuous, analog information in both a graph and table format over a selectable time interval using menus of metric categories and associated metric names for display. Asset Trends widget types include CPU, disk, memory, network and a customizable advanced widget.

 

New ASA Features for 6.2

Waterfall Diode support: Waterfall Diode implementation supports ASA to ASA or ASA to ASM communication. Data collected on the ASA can now be sent through Waterfall diodes, models WF100TX and WF100RX, via UDP and File Transfer to another ASA or to the ASM.

State data collection capability from the ASM: Configuration of State Data Collection (Configuration Rules), formerly available only on the ASA, has been added to the ASM. Rules for agents performing state data collection can now be defined and managed directly from the ASM. This simplifies management of configurations with multiple ASAs reporting to an ASM.

Standalone manual agent option to import offline state data files: Add standalone agent option for remote hosts. An ASA user can import offline state data files. A new manual option has been added to configAgent.pl in addition to monitor and manage when configuring an agent. This allows agent configuration locally on remote off-network Windows and Linux hosts. State data files can then be offloaded to a USB stick and manually added to the database on an ASA.

Support for a Modbus server destination: More alert monitoring options available with new Modbus-based HMI support. A user can now create a Modbus server as a destination when configuring an ASA.

New Agent Features for 6.2

CentOS support: Support added for agents running on CentOS v5 and CentOS v6. The agent installer has been upgraded to install agents on CentOS v5 and CentOS v6.

Standalone manual agent option to import offline state data files: Standalone agent option for remote hosts. An ASA user can import offline state data files. A new manual option has been added. This allows agent configuration locally on remote off-network Windows and Linux hosts. State data files can then be offloaded to a USB stick and manually added to the database on an ASA.


Find out how Industrial Defender ASM can help you manage your security, operations and compliance projects. Request an appointment today!


“If you aren’t using firewalls right now, get up and go get some!”

Last month at the Schneider Electric TEC user conference, our Industrial Control System (ICS) expert, Mike Dugent, presented a session entitled ICS Cybersecurity: Lessons from the Field. In it, he told a crowd of ICS engineers and executives what they already knew: that they must move up the cybersecurity maturity curve to defeat the advanced persistent threats (APTs) targeting their organizations’ critical infrastructure assets. The audience was a who’s-who of leading oil and gas companies, power producers, pipeline operators and others, and they nodded as Mike recognized the challenge these companies face to “catch up” with other industries and mature their cybersecurity posture.

[Figure: the cybersecurity maturity curve]

As a long-time expert on the realities of securing industrial control systems, Mike painted the picture of how to move from basic cybersecurity (i.e. simple perimeter defense like firewalls) to a highly mature intelligence-driven defense. Once he recognized that most of the audience in the room were just getting a handle on “the basics”, he interrupted himself and commented, “If you aren’t using firewalls right now, get up and go get some!”

Mike continued by offering some ICS-specific recommendations for maturing their security programs, including advice on how to automate aspects of asset management, security event alerting, configuration change management and policy management. He used illustrations and screenshots from the Industrial Defender ASM to demonstrate that with the right tools it is possible to make big leaps forward on cybersecurity while also improving operational management of industrial assets.

In discussing specific ICS field challenges, like collecting asset and configuration data from industrial devices, Mike created an engaging conversation with the folks in the room, many of whom face these challenges daily. They peppered him with questions about secure architectures, which industrial devices the Industrial Defender ASM supports and the communications methods used to collect data from remote sites. With help from ASM customers in attendance, Mike was able to answer them. One new customer outlined how they had used the cellular network to securely collect remote asset data.

Mike concluded his presentation by linking the automation of security, compliance and operational functions to a program that moves ICS cybersecurity up the maturity curve; a move the audience recognized as necessary – and not as difficult as they had originally thought.


Request a meeting to consult with an ICS cybersecurity specialist on how your organization can mature up the cybersecurity curve.


Last month we sponsored the webcast “Diving deeper into the details of nuclear power security”, hosted by Intelligent Utility. The webcast features two speakers who are well respected within the nuclear energy community: William Gross, Sr. Project Manager, Engineering, Nuclear Energy Institute, and Matt Gibson, Senior Technical Leader, Plant Technology Nuclear Sector, EPRI. This blog will concentrate on William Gross’s piece in the webcast, focusing on Design Basis Threats, the first step in the NRC Cyber Security Framework.

When you think of nuclear power concerns, what words come to mind? There’s a good chance you think security and safety. Nuclear power is an industry that certainly faces its fair share of threats. With intrusions predicted to rise, nuclear asset owners should be actively exploring how to protect their systems and the public from both physical and cyber attacks.

How would we define threats to the nuclear power industry?

Gross explained in his presentation that the Nuclear Regulatory Commission (NRC) specifically defines two Design Basis Threats relating to the nuclear power industry:

  • Radiological Sabotage: This involves an attack on a nuclear power plant causing safety consequences such as radiological exposure to the public.

  • Theft and Diversion: This involves the theft of protected nuclear material that could be used to make nuclear weapons or radiological dispersion devices.

The outcomes from each Design Basis Threat are interconnected, putting the safety and security of both the nuclear power plant and the public at risk. Gross stressed that it is imperative for all nuclear power plants to develop and apply a program plan that can safely manage the two Design Basis Threats, radiological sabotage and theft and diversion. The NRC believes this program should address the threats through prevention, detection, response, and recovery.

Gross discussed the five modes of attack associated with the two Design Basis Threats:

  1. External Assault: for example, breaking into a nuclear power plant building
  2. Internal Threat: a threat that originates inside the nuclear power plant
  3. Land Vehicle Bomb Assault: an attack by a vehicle on land whose purpose is to damage important safety equipment within the nuclear power plant
  4. Waterborne Vehicle Bomb Assault: an attack by a vehicle on water whose purpose is to damage important safety equipment within the nuclear power plant
  5. Cyber Attack: this includes hackers trying to damage the nuclear power plant’s computer network and/or systems.

Focusing further on the fifth mode of attack, a cyber-attack: How does cybersecurity fit into a nuclear power plant’s “physical” protection program?

“At nuclear power plants, cybersecurity is an integrated component of our overall physical protection strategy” – William Gross, Sr. Project Manager & Engineering Energy Central

Like the physical protections that nuclear power plants must implement, cybersecurity precautions are crucial to protecting against potential threats. According to Gross, the concerns surrounding a cyber-attack on a nuclear power plant concentrate on how it could affect the plant’s computers. He further explained that the computers of a nuclear power plant are used to control some of the plant’s equipment, as well as to open files needed for managing the safety of the entire plant. The plant’s computers must be protected in order for equipment and systems to be maintained and fully capable of performing their intended function(s).

In 2009, the NRC issued specific cybersecurity requirements to address the cyber-attack attribute of the two Design Basis Threats. The requirements state that each power plant must provide the NRC with 1) a cybersecurity plan and 2) an implementation schedule.

The nuclear power industry developed a unified template for the cybersecurity plan and implementation schedule, which is publicly available. It was later approved by the NRC, and seven milestones were due in December 2012. In 2013, NRC inspections began. Milestones 1-7 are due to complete in 2015, while milestone 8 is still underway and will be finished by plants in the mid-to-late 2016 to 2017 time frame.

Webcast moderator and Intelligent Utility editor-in-chief, Kathleen Wolf Davis, kicked off the broadcast by enumerating a list of applicable security and cybersecurity lessons learned:

  1. Converge IT, OT, and physical security departments but beware cultural differences.
  2. Spread the digital security culture inherent in millennials to other generations in your business.
  3. Timely access to info is key, but security clearances are lacking.
  4. Don’t “Jon Bon Jovi” your security. “Livin’ on a prayer” is not a strategy. Stop just surviving.

Bill Gross circled back on these lessons in his closing thoughts:

  • He believes a good real life example of lesson one is that cybersecurity is integrated into a nuclear power plant’s physical protection strategy.

  • When it comes to clearances and timely access to security information, each nuclear power plant makes sure to maintain a list of individuals that have security clearances both at the secret and top secret levels to ensure that they have the capability to access classified information if it becomes available and it is necessary for them.

  • And lastly, with regards to “Jon Bon Jovi”-ing one’s security, Gross has witnessed a commitment to pursuing proactive cybersecurity measures across the industry. As the threat landscape evolves, plants will need to continually assess whether their protective strategies need to change.

To catch Matt Gibson of EPRI speak on security and safety in regards to nuclear power plants, register to watch the “Diving deeper into the details of nuclear power security” webcast.

The Gartner Security & Risk Management Summit held in National Harbor, MD in June fostered a lot of great conversations. As one of the most important gatherings of the IT security and risk community, it was the ideal venue for discussing the ever-evolving threat landscape and ways to stay ahead of the adversary.

Lockheed Martin took the opportunity to engage with attendees on the show floor about ongoing cyber trends and current challenges facing their organizations.

Recent 2015 Ponemon surveys on Intelligence Driven Cyber Defense and Risk & Innovation in Cybersecurity Investments paint a consistent picture across all industries:

  1. Leadership is engaged in the cybersecurity conversation more than ever
  2. Cyber budgets are increasing
  3. Adversaries are relentless

Below are some of the results from the survey we conducted.

[Infographic: Gartner survey results]

We had the pleasure of sponsoring the webcast “Cybersecurity and Infrastructure Protection: What You Need to Know to Keep Your Hydro Facility Safe”, hosted by Hydro Review. The webcast features four authoritative speakers including Dr. Smart Ocholi, Andrew Dressel, John Holbrook, and Matthew Neely. This blog reviews content discussed during John Holbrook’s portion of the webcast on how to integrate cybersecurity using a Physical Security Perimeter.

Understanding that cybersecurity is an ever-changing entity is exceptionally important. It is necessary for every facility to continuously monitor and test its cybersecurity efforts. With the impending NERC CIP Version 5 updates, facilities face an even greater number of requirements regarding their cybersecurity strategies. So which parts of a hydropower plant need increased cybersecurity attention to promote safety and security at all times? Holbrook explains that any equipment connected to a hydropower plant’s network using a routable protocol must be considered.

What types of equipment need to be secured at a hydropower plant?

According to Holbrook, the following hydropower plant equipment must be secure:

  • Routers, Ethernet switches, workstations, servers
  • PLCs, Exciters, Governors, RTUs
  • Protective relays and data monitoring equipment

After reviewing the equipment types that need protection, we should consider which NERC CIP approach would best provide the desired protection. One specific aspect of the NERC CIP requirements is the Physical Security Perimeter (PSP). OpenEI defines a PSP as the physical “six-wall” border that surrounds locations where all Cyber Assets are kept, within an Electronic Security Perimeter. In other words, the essential equipment needs to be secured within this PSP.

Holbrook’s presentation touched on how, in the past, the routine PSP approach was to locate all equipment within a controlled area. He explained that the controlled areas included the control, relay, computer, and communications rooms. For several facilities, this method turned out to be both challenging and ineffective. The inherent difficulties with this approach led to the introduction of an alternative: making the entire structure of a hydropower plant a PSP. Holbrook noted that this approach became problem-ridden as well, especially for medium and large facilities, because hydropower plants had to lock down a majority of the plant. Locking procedures were needed to verify that all personnel were cleared and tracked so that safety and security processes remained satisfactory. Clearly this approach can be inconvenient: productivity suffers when cleared personnel must be pulled away from their core tasks to “chaperone” non-cleared personnel such as janitors, welders, and plumbers.

This issue led to the consideration of a second alternative. Holbrook describes the second alternative as creating a PSP by securing the communication cable, and associated termination equipment, so that each piece of equipment is covered by the PSP.

[Figure: the alternative PSP approach]

What are the advantages and disadvantages of this second alternative for a beneficial PSP approach?

Holbrook ran us through both the advantages and disadvantages for the second alternative:

Advantage:

Management efforts to control access would be substantially reduced. Less effort would be required since each piece of equipment would be individually secured, with access limited to personnel who have the “key”. The key could be either a physical key or a virtual security monitoring system.

Disadvantage:

The main disadvantage would be a significantly larger initial cost. Designing and deploying physically secure enclosures and monitoring methods comes at a higher price point.

Which PSP approach is right for you?

Download a copy of the webcast content “Cybersecurity and Infrastructure Protection: What You Need to Know to Keep Your Hydro Facility Safe” webcast for a deep dive discussion on:

  • Cybersecurity protection at hydropower plants
  • The seriousness of threats facing hydropower plants
  • How to react to an incident
  • Where utilities are investing their resources
  • How NERC CIP Version 5 will affect projects owners and the hydropower industry as a whole

Listen to the expert panel discussion! Watch the on-demand presentation “Cybersecurity and Infrastructure Protection: What You Need to Know to Keep Your Hydro Facility Safe” to learn more about the topic of cybersecurity in the hydropower industry.

Arguably one of the most important aspects of cybersecurity is Threat Intelligence. Yet despite its importance, this discipline is often underestimated as a component of a solid security posture.

The consulting company, Forrester, defines threat intelligence as the details of the motivations, intent and capabilities of internal and external threat actors. Forrester extends their definition of Threat Intelligence to include specifics on the tactics, techniques and procedures that hackers and Advanced Persistent Threats employ within their attacks. - Threat Intelligence Buyer’s Guide SANS CTI Summit, 10 February 2014.

At Lockheed Martin, we value Threat Intelligence’s primary purpose, which is to help the business better understand the risks and implications associated with threats in order to make better decisions regarding the safety of its customers, employees and intellectual property.

We also believe that by understanding the attributes of an APT, an organization can better build a proactive Security Operations Center (SOC). By proactivity we mean moving a SOC from a “set-it and forget-it” mode governed by reacting to threats to a predictive and agile infrastructure. This migration goes beyond blocking domains to using databases and intelligence gathered over years to understand attackers’ patterns of behavior. How do your attackers grow and change over time? What common tools do they use? What techniques do your attackers always employ after entering a network? An example of understanding the minutiae of APT behavior is knowing whether they send emails with a zip file at the bottom, or always start emails with “Dear Sir or Madam.” Do they always misspell a certain word, or are they always asking for the same specific piece of information? Such intelligence makes future threats more identifiable and quickly categorized.
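As an added illustration of the behavioural profiling described above (example code written for this page, not Lockheed Martin’s or Palisade’s), the following Python scores constructed phishing samples against hypothetical actor profiles built from the kinds of indicators the paragraph lists: greeting, attachment type, habitual misspelling and requested information. The actor names, profiles, domains and messages are all made up; the point it makes is that a sender-domain blocklist misses a repeat actor on a fresh domain while the behavioural profile still categorizes it.

```python
"""Behavioural APT profiling over constructed phishing samples (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Email:
    sender_domain: str
    greeting: str                 # first line of the message body
    body: str
    attachments: Tuple[str, ...]  # attachment file names
    requested_item: str           # what the mail asks the reader to send back


@dataclass(frozen=True)
class ActorProfile:
    """Habits of one hypothetical actor, as threat intel would record them."""
    name: str
    greetings: FrozenSet[str]
    attachment_exts: FrozenSet[str]
    misspellings: FrozenSet[str]
    requested_items: FrozenSet[str]


# Hypothetical profiles (constructed): "intelligence gathered over years".
PROFILES = (
    ActorProfile("ACTOR-A", frozenset({"dear sir or madam"}), frozenset({".zip"}),
                 frozenset({"recieve", "adress"}), frozenset({"wire instructions"})),
    ActorProfile("ACTOR-B", frozenset({"hello dear"}), frozenset({".docm", ".xlsm"}),
                 frozenset({"untill"}), frozenset({"employee roster"})),
)


def matched_indicators(email: Email, profile: ActorProfile) -> List[str]:
    """Return the names of the profile's habits that this email exhibits."""
    hits: List[str] = []
    if email.greeting.strip().lower().rstrip(",") in profile.greetings:
        hits.append("greeting")
    exts = {a[a.rfind("."):].lower() for a in email.attachments if "." in a}
    if exts & profile.attachment_exts:
        hits.append("attachment")
    words = set(re.findall(r"[a-z']+", email.body.lower()))
    if words & profile.misspellings:
        hits.append("misspelling")
    if email.requested_item.strip().lower() in profile.requested_items:
        hits.append("request")
    return hits


def attribute(email: Email, profiles=PROFILES, min_hits: int = 3) -> Optional[Tuple[str, List[str]]]:
    """Best-matching actor and the indicators that matched, or None below the threshold."""
    best: Optional[Tuple[str, List[str]]] = None
    for profile in profiles:
        hits = matched_indicators(email, profile)
        if len(hits) >= min_hits and (best is None or len(hits) > len(best[1])):
            best = (profile.name, hits)
    return best


def blocked_by_domain_list(email: Email, blocklist: FrozenSet[str]) -> bool:
    """The 'blocking domains' baseline the paragraph says intel should go beyond."""
    return email.sender_domain.lower() in blocklist


# Constructed samples: a known-bad domain from an earlier campaign, and three new mails.
KNOWN_BAD_DOMAINS = frozenset({"old-campaign.example"})
SAMPLES: Dict[str, Email] = {
    "new_domain_same_tradecraft": Email("fresh-host.example", "Dear Sir or Madam,",
                                        "Please recieve the attached invoice and confirm.",
                                        ("invoice_0418.zip",), "wire instructions"),
    "actor_b": Email("hr-portal.example", "Hello dear",
                     "Update must be done untill Friday.", ("roster_update.xlsm",),
                     "employee roster"),
    "benign": Email("partner.example", "Hi Dana,", "Slides from yesterday attached.",
                    ("deck.pdf",), "none"),
}


def triage(samples=SAMPLES, blocklist=KNOWN_BAD_DOMAINS) -> Dict[str, dict]:
    """Compare the domain-blocklist verdict with the behavioural attribution per sample."""
    out: Dict[str, dict] = {}
    for label, mail in samples.items():
        result = attribute(mail)
        out[label] = {
            "domain_blocked": blocked_by_domain_list(mail, blocklist),
            "actor": result[0] if result else None,
            "indicators": result[1] if result else [],
        }
    return out


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label}: {verdict}")
```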

According to Forrester’s and Lockheed Martin’s understanding of Threat Intelligence, another important aspect of this intelligence-driven discipline is the sharing of intelligence and collaboration around it. Standardization within cybersecurity is a major challenge. The cybersecurity industry has reached a level where the sharing of information is readily available; the struggle now is to determine and agree upon a set of standards for how we classify, validate and communicate intelligence.

In an ideal setting, the aggregation of valuable intelligence is filtered into a common set of standards and common nomenclatures, and fed to a group of trusted partners and sources.

With Threat Intelligence and Threat Intelligence sharing as core competencies, your organization can employ a centralized platform with Palisade®, which integrates into your present security infrastructures to deliver enterprise-wide visibility, awareness and alerting capability.

By focusing on Threat Intelligence and the collaboration behind such activities, your organization can go a long way to building a solid security posture where intelligence and actionable data is at the core of a proactive defense.


Recently, cybersecurity firm Darktrace announced an $18 million investment to hire new information security specialists in an effort to expand globally. According to Upstart Business Journal this investment represents a cash infusion in a woman-led cybersecurity company with a history of hiring female IT specialists. The result of this major infusion, according to the online journal, could “pave the way for a more equally representative industry.”

I have been a vocal advocate of increasing the presence of women and minorities within the cybersecurity industry throughout my career. Resources are scarce within this industry, and the opportunity to tap into a market as robust, hard-working and well-educated as women and minorities highlights the potential to solve this huge resource challenge.

More importantly, cybersecurity is in large part about intelligence gathering and ingenuity. These two features blossom from a diverse infrastructure made up of varied backgrounds, educations, and cultures. It is my humble opinion that together as a heterogeneous workforce we are better equipped to solve the future challenges that APTs and hackers present.

In an industry like cybersecurity where only 11 percent of the information security workforce is female, there is plenty of room to grow. According to Virginia-based non-profit Women's Society of Cyberjutsu, 25 percent in the tech sector are women. The fact that only 11 percent are in cybersecurity presents a golden opportunity to grow this industry aggressively to meet the demands of future resources.

Make a Difference in Cybersecurity

One question that I commonly get asked in cybersecurity is, “how can we make a difference in cybersecurity and against cyber threats?” Supporting the education and hiring of women and minorities in cybersecurity is often my answer.

By flooding this sector with these groups of talented individuals, we can take larger strides as a society to bring better awareness of cyber-related issues such as insider threats, phishing campaigns, viruses, malware campaigns and denial of service attacks. All these issues require as much communication, awareness and training as we can provide. The dialog for supporting and advertising the education and hiring of women and minorities brings these cyber threats to the forefront in America, not only at the water coolers and coffee machines at work, but at the dinner tables at home, which is where this awareness of cybersecurity really needs to happen.

A common follow-up question to my answer is often “how can we make a difference in the education and hiring of women and minorities in cybersecurity?” The simplest answer is get involved.

Attend events like the National Women in Cybersecurity Conference (WiCyS) that took place in Atlanta, GA earlier this year. You can also become a member of their online community Women in Cybersecurity – WiCyS.

Another way to get involved is by working with your local high schools and universities to get cybersecurity further engrained with women and minorities in a STEM (Science, Technology, Engineering and Math) conversation. By vocally participating within these and other initiatives, you can make a big difference in thwarting the effects of cyber attacks while creating more opportunities for women and minorities within the cybersecurity field.

Ever get the feeling that your business-as-usual (BAU) mentality might get you into trouble? If you do and you’re in cybersecurity, you’re not alone. This feeling is not without good cause; organizations are not prepared to deal with severe and frequent cyber-attacks.

Lockheed Martin recently sponsored a Ponemon Institute survey of 678 US IT and IT security practitioners who are familiar with their organizations’ defense against cybersecurity attacks, and have responsibility in directing cybersecurity activities. When asked about the challenges to achieving a strong cyber defense, 75 percent of respondents say they see an increase in the severity of cyber attacks experienced by their organizations and 68 percent of respondents say they are more frequent. However, a smaller percentage of respondents (53 percent) say launching a strong offensive against hackers and other cyber criminals is very important to their organizations’ security strategy.

These survey results beg a question that has emerged as the conversation within our organizations has evolved: are the investments we’re making in corporate America truly protecting us against today’s sophisticated adversaries? Another way to look at it is to ask, “How can we be sure that the measures in place will protect us, rather than only providing a false sense of cybersecurity?”

In order to answer these questions, organizations need to avoid three common BAU-associated pitfalls.

#1: Alerts equal security:

“Things that go bing” is another way of phrasing this common pitfall. Security Operations Centers often seem packed with technologies that are meant to alert us when bad things are happening. Traditionally, organizations have bought (literally bought) into the idea that there is a mix of technologies that can be plugged into the network to find all the potential issues. So they invest heavily in tools “that go bing” to defend their network. This is what we call a vendor-driven response model.

To avoid this pitfall, understand that there’s no such thing as a silver bullet for cybersecurity, you can’t buy your way out of insecurity, and the traditional set-it-and-forget-it approach doesn’t work.

#2: Nightlight equals security

A short disclaimer: your staffing plan is up to you, and we’re not saying that you need 24x7 staffing. In fact, 24x7 staffing doesn’t always mean you’re covered. Often paying a person to stare at glass overnight can cause an organization to overestimate their security maturity. In avoiding this pitfall, ask yourself:

a) Do we have enough skilled cyber analysts to fill a 24x7 staffing plan?
b) Is the staff manning each shift equipped and qualified to react and mitigate threats, or are they serving as a manual escalation trigger to alert key staff?
c) Can technology be tuned and customized to alert and escalate when key events are detected?

#3: The pre-existing framework equals security

Some organizations believe that the process of reacting to alerts is a framework. Essentially, they wait for something bad to happen and then react. Whether this is a planned strategy or just the reality of your current operations, not having an evolved, sustainable and scalable framework is a pitfall that plagues many organizations.

To avoid this pitfall, make sure you flesh out the processes behind how the technology and people aspects of your security will function. Map your tech environment, document roles and relationships, research and mirror other frameworks, and educate and train your staff to follow and understand your framework.

Most importantly, acknowledge that a framework in and of itself does not equate to security. It should be seen merely as a map that leads to a more secure posture. Your job should be to ensure that your map is as detailed and robust as possible so that your cybersecurity approach doesn’t get lost in the woods.

In many ways we can never fully avoid the feelings associated with a business-as-usual (BAU) mentality. But by following these tips, we can avoid three common pitfalls associated with BAU thinking and remove much of the threat of cyber-insecurity.

Read more

Advanced Persistent Threat (APT), as a term, is perhaps over-used in cybersecurity. Like the Boogie-Man that strikes fear into the minds and hearts of children at night, APTs work just as hard to ensure that CISOs and CIOs never rest easily. But just like the Boogie-Man, the trick to not being afraid of APTs is to understand them. Unfortunately, understanding APTs isn’t as simple as a bedtime story.

The first signs of APTs came from targeted, socially-engineered emails dropping Trojans designed for exfiltration of sensitive information. They were identified by UK and US CIRT organizations in 2005. Although the name "APT" was not used, the attackers met the criteria that define an APT. The term "advanced persistent threat" is cited as originating from the Air Force in 2006 with Colonel Greg Rattray.

Another complexity in understanding APTs is their definition and identifiable characteristics. The internet is filled with different definitions and varying character traits that can often make this step confusing and ambiguous. One popular definition found on the Internet sums up an APT nicely:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies and political activists. The use of the term APT seems to be growing with the rising number of APT-related attacks, which, according to a PC World story from a couple of years ago, increased 81 percent from 2010 to 2011.

In a book released a couple of years ago called Reverse Deception: Organized Cyber Threat Counter-Exploitation, the authors define the following APT criteria:

  • Objectives – The end goal of the threat, your adversary
  • Timeliness – The time spent probing and accessing your system 
  • Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point) 
  • Risk tolerance – The extent the threat will go to remain undetected 
  • Skills and methods – The tools and techniques used throughout the event 
  • Actions – The precise actions of a threat or numerous threats 
  • Attack origination points – The number of points where the event originated
  • Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems carry different influence/importance weights
  • Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Even though Advanced Persistent Threats play a strong role in cybersecurity planning, especially for large organizations, a lot of the fear and feeling of uncertainty about them can be eliminated by a simple understanding of what they are and what their pattern of attack typically looks like. Although the solution to removing the fear is never as simple as checking your closet, or server, at night before leaving, understanding the threat and partnering with an organization like Lockheed Martin can make your networks more secure.

Read more