Risk

Refrigerator Spam And Other Tall Tales: The Enterprise IoT Risk

On Thursday, I will chair an excellent discussion of security and the Internet of Things at the Qualys Security Conference (QSC) in Las Vegas. The discussion has the working title “Refrigerator Spam and Other Tall Tales: Assessing the Real Internet of Things Risk for Your Organization.“  As the title suggests, we’ll be disclaiming the FUD (fear, uncertainty and doubt) that surrounds much of the IoT and security space, while also highlighting the real risks that more and diverse connected devices pose to enterprises. I’ll be joined on stage by some truly exceptional minds. Among them: Danny McPherson, the Senior Vice President and Chief Security Officer at Verisign and Jonathan Trull, Chief Information Security Officer, Qualys. (Jon was our guest at the first Security Ledger/Invincea CISO hangout last week.). On stage with us will be Chris Rezendes, the President of INEX Advisors and one of our moderators at The Security of Things Forum.  We’ll also be joined […]

Continue Reading

White House Cyber Chief: JP Morgan Underscores Critical Infrastructure Risk

The White House’s cyber security czar, Michael Daniel, said the Obama Administration is deeply concerned about the reported hack of systems belonging to banking giant JP Morgan Chase & Co. but sees the incident as part of a larger trend of attacks against U.S. critical infrastructure. Asked about the targeted attack against JP Morgan and other banks and financial institutions, Daniel said that the White House was concerned, but not surprised by the incident. “We have watched for several years the trend of malicious actors in cyber try to figure out how to target critical infrastructure,” he said. “Financial services is critical infrastructure.” The White House was concerned that a major U.S. bank would fall victim to hackers, but sees it in the context of a “broad trend,” rather than an isolated incident, he said. Speaking with Michael Farrell, the Cybersecurity Editor at Christian Science Monitor, Daniel hit on many of the now-common talking […]

Continue Reading

Supply Chain Risk: Raspberry Pi Device Used for War Shipping

An interesting post on supply chain security over at Security Affairs. The post looks at a new approach to supply chain surveillance (and, presumably, attacks): ‘war shipping.’ War shipping is, of course, a play on the ‘war driving’ scene from the early days of consumer wifi, in which cars outfitted with antennae would canvas whole cities, documenting open wi-fi hotspots that could be used to grab some free Internet. In this case, Security Affairs notes a shippable board-sized package designed by security expert Larry Pesce of Paul’s Security Weekly (fka Pauldotcom). The device can be contained in a standard UPS shipping box and delivered to a target network to passively surveil or even attack it. The kit is built on a Raspberry Pi b_ with an AWUS051NH wireless card, a cheap battery charger, kismet and custom software. Pesce demonstrated the device at Derbycon, a Louisville, Kentucky based event last month. The device includes both […]

Continue Reading

Europol Warns of Internet of Things Risk

In a newly released report, Europol’s European Cybercrime Center (EC3) warns that the growth of the Internet of Things (IoT) threatens to strengthen the hand of organized cyber criminal groups and make life much more difficult for police and governments that wish to pursue them. EC3’s latest Internet Organized Crime Threat Assessment (iOCTA) says the “Internet of Everything” will greatly complicate the work of law enforcement creating “new opportunities for everything from cyber criminals to state actors to child abusers. The growing numbers of connected devices will greatly expand the “attack surface” available for cyber criminal activity, the EC3 warns. Cyber criminals may co-opt connected devices for use in common criminal activity (like denial of service attacks and spam campaigns). However, advancements like connected (“smart”) vehicles and infrastructure create openings for large scale and disruptive attacks. The report, which was published late last months, is a high level position paper and pulls data mostly […]

Continue Reading

FDA Issues Guidance on Security of Medical Devices

The U.S. Food and Drug Administration (FDA) issued final guidance on Wednesday that are designed to strengthen the safety of medical devices. The FDA called on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” asks device makers to submit documentation to the FDA about any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. The document, which will be released on Thursday, does not contain specific requirements. Rather, it describes the kinds of things that medical device manufacturers should consider when preparing pre-market submissions for medical devices in areas such as information confidentiality, integrity, and availability, the FDA said. The release of the document follows the […]

Continue Reading
1 17 18 19 20 21 36