Tuesday, August 04, 2015

Aspiring Supervillain? Here's how to destroy the world - What I am reading 8/4/2015

Seclists.org - Hacking Critical Infrastructure: A How-To Guide -

Cyber-aided physical attacks on power plants and the like are a growing concern. A pair of experts is set to reveal how to pull them off — and how to defend against them.
...
Scheduled to speak at the Las Vegas conferences are Jason Larsen, a principal security consultant with the firm IOActive, and Marina Krotofil, a security consultant at the European Network for Cyber Security. Larsen and Krotofil didn’t necessarily hack power plants to prove the exploits work; instead, Krotofil has developed a model that can be used to simulate power plant attacks. It’s so credible that NIST uses it to find weaknesses in systems.
source

Ah, good, my plans for world domination can begin.

Infosec Institute - Cybersecurity Policy and Threat Assessment for the Energy Sector -

New cyber vulnerabilities in the energy infrastructure are discovered on a weekly basis, which results in a vicious cycle where there is a constant struggle to patch up the newly emerging holes in the protective cloak.
The energy sector is up against two major cyber threats:
1) Vulnerabilities in the IT system employed for business and administrative purposes.
2) The operational technology (OT), that is, SCADA systems, specific software and other control technologies that are embedded into and operate power plants, transmission and distribution grids and pipelines.


This article kind of makes it seem like the energy sector is clueless, but I can tell you for a fact that these issues get considered every day. People are aware and working to rectify these problems, but it is a massive task and one that can't be accomplished overnight.

SANS - Clearer, More Stringent Cybersecurity Rules for Government Contractors (July 30, 2015) -

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment.
-http://thehill.com/policy/cybersecurity/249752-white-house-wants-consistent-cyber-rules-for-contractors
-https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-18747.pdf

[Editor's Note (Pescatore): Many government RFPs, and probably most of the large ones, include FISMA requirements. The issue is not the requirements; it is the lack of assessing whether the contractor actually meets the requirements - same as the problem at Government agencies. The White House should look at the FedRAMP program, which has a consistent, well-thought-out way of defining, and more importantly assessing, the security of cloud service providers who want to do business with the Federal Government.]

Network Computing - Networking Career: How To Make It To The Big League -

We recently found ourselves with a core networking position open, we put out the typical networking engineer job ad and started working through the screening and interview processes as applications came in. The person we ended up hiring was a bit surprising as his resume wasn’t the strongest. He also came from a small environment where he was a one-man soup-to-nuts IT shop unto himself, with a wide skillset that wasn’t all that deep. So how did our new guy land a network job that arguably was too big for him at the time of hiring?

Some good general purpose advice in the article.