Join us for Security BSides Boston 2016

Friday, May 20 2016 (Training)
Saturday, May 21 2016 (Conference)

Follow BSidesBoston on Twitter:
#BSidesBOS
@BsidesBoston
@MicrosoftNERD
Questions: help@bsidesboston.org

When:

Friday, May 20th, 2016, TBD (Training)
Saturday, May 21st, 2016, 9am – 6pm (Conference)

Where:

Microsoft NERD, 1 Memorial Drive, Cambridge, MA

Hotel Room Block:

TBD

Cost:

$20 (This is to ensure that you are coming)

How:

Look for tickets in the spring!

Call For Presenters:

CFP submissions ->  https://goo.gl/25jV8d  <- Submit here!
March 21: CFP closes
April 21: Agenda posted
May 21: Conference happens, the world changes for the better

Agenda:

TBA on April 21

Keynote Speakers:

We are planning to actually have TWO keynote speakers at BSides Boston this year. We are very excited to announce:

Gabriella Coleman

Gabriella (Biella) Coleman holds the Wolfe Chair in Scientific and Technological Literacy at McGill University. Trained as a cultural anthropologist, she researches, writes, and teaches on computer hackers and digital activism. Her first book Coding Freedom: The Ethics and Aesthetics of Hacking has been published with Princeton University Press.

Her second book, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous, published by Verso, has been named to Kirkus Reviews’ Best Books of 2014 and has been awarded the 2015 American Anthropological Association’s Diana Forsythe Prize, granted by the Society for the Anthropology of Work (SAW) and the Committee on the Anthropology of Science, Technology and Computing. (@biellacoleman)

 

Mudge

Peiter Zatko, better known as Mudge, is a computer and network security expert, open source programmer, writer, and a hacker. He ran one of the most famous hacker think tanks, the l0pht, and famously testified to the US Senate about catastrophic vulnerabilities within critical infrastructure in 1998.

Mudge has contributed significantly to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security work he released contained early examples of flaws in the following areas: code injection, race condition, side-channel attack, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack.

In 2010 Mudge accepted a position as a program manager at DARPA where he oversaw cyber security R&D, and re-built the Agency’s approach to cyber security research. In 2013 Mudge went to work for Google and was Deputy Director of their Advanced Technology & Projects division.

He is the recipient of the Secretary of Defense Exceptional Civilian Service Award medal, an honorary Plank Owner of the US Navy Destroyer DDG-85, and was inducted into the Order of Thor, the US Army’s Association of Cyber Military Professionals.


Sponsors include:

Towerwall

5 Information Security Trends for 2016

Online security trends continue to evolve.

This year, online extortion will become more prevalent. We also expect that at least one consumer-grade IoT smart device failure will be lethal. Ransomware will make further inroads, since the majority of incidents go unreported. China will drive mobile malware growth to 20M, and cybercrime legislation will take a significant step towards becoming a truly global movement.

Here are five information security trends on track for the New Year:

 

ONLINE EXTORTION WILL BE MORE PREVALENT IN 2016.

In the past, cyber extortionists used ransomware to coerce victims into paying ransoms by playing upon their fears about viruses: locking their screens and requiring payment to regain access; using police trojans to threaten them with arrests for fabricated violations; or stealing data and holding it for a lucrative ransom.

Future cyber extortion will be personalized for an end user or enterprise. New social engineering lures will cause businesses to fall for elaborate tricks. There will also be a major increase in successful methods for persuading employees to transfer money into cybercriminal-controlled accounts.

 

THE INTERNET OF THINGS MAY HARM SOMEONE.

Public interest in connecting devices and appliances to the Internet will increase even though users are becoming increasingly aware of the security risks. Smart-connected home device shipments are projected to grow at a compound annual rate of 67 percent in the next five years, and are expected to hit almost 2 billion units shipped in 2019—faster than the growth of smartphones and tablet devices.

While there are no signs of a large-scale hacking attack, the likelihood that a failure in a consumer-grade smart device will result in physical harm is growing, and a fatality is an eventuality.

 

CHINA WILL DRIVE MOBILE MALWARE GROWTH AND GLOBALLY, MOBILE PAYMENT METHODS WILL BE ATTACKED.

Unregulated third-party platforms and channels in China that offer free app downloads (75 percent of which contain malware) will continue to affect users in China. While Google Play (which has less than 1 percent harmful apps) is available in China, it reaches only 21 million of the estimated 800 million Chinese mobile users.

This environment will drive mobile malware growth at an unprecedented rate, with the total projected to reach 20 million by the end of 2016.

Despite the slow adoption rate of Google Play in China, the introduction of next generation mobile payment systems will inspire cybercriminals to steal information from new payment processing technologies like EMV credit cards, contactless RFID credit cards, and mobile wallets like Apple Pay and Google Wallet.

In 2016, the improved security brought by these modes of payment will be challenged by cybercriminals.

 

DATA PROTECTION OFFICERS ARE A NECESSITY, BUT LESS THAN 50% OF ORGANIZATIONS WILL HAVE THEM BY THE END OF 2016.

The EU Data Protection directive will require a high standard of data protection, and the role of the DPO will be vital in ensuring data integrity and compliance with the regulations of countries where company data storage occurs.

DPOs will begin to make use of threat intelligence and state-of-the-art security solutions that will enable them to move out of a passive “defense” mode into an active “attack” mode.

 

CYBERCRIME LEGISLATION WILL EMBRACE GLOBALIZATION.

Governments and authorities will become more responsive to cyber offenses, as evidenced by the continued arrests and sentencing of various cybercriminals.

Last year, law enforcement agencies took down the hacking forum Darkode, the SIMDA botnet and multiple servers of the online credential-stealing DRIDEX botnet. We will also see enhanced international cooperation, as spearheaded by major regions like the US and Europe, in their recent data-sharing agreement on investigations.

The Internet has operated with very lax regulations for years. 2016 will see a significant shift in the mindset of governments and regulators to take on a more active role in protecting the Internet and safeguarding its users. Cybercrime laws will be in discussion, and changes to outdated cybersecurity standards will be made to bolster an improved stance on security.

 

This article was originally published on Tripwire.com 

Title image courtesy of ShutterStock

10 Things I Know About Business Security

10. Everything is connected.

As the Internet of Things adds more and more devices to our networks, it creates more doors and windows for cyber criminals. Keep them locked.

9. Ransomware is on the rise.

If you don’t want to end up paying to access your own data, then make sure that you protect it properly and back it up regularly.

8. Take care in the cloud.

You need to have a clear picture of cloud services in use and put your cloud providers to the test to ensure that they meet your security standards.

7. Be wary of software.

Open source and off-the-shelf software often contains known vulnerabilities that make it easy for attackers to get your data. Do your homework and choose wisely.

6. Always encrypt.

Encryption should be mandatory for all of your data in transit and, ideally, at rest as well. Make it more trouble than it’s worth for attackers.

5. Control access.

If someone doesn’t need access to a file for their work, then they shouldn’t have it. A proper system of permissions backed by authentication can protect your business.

4. Log everything.

A complete audit trail that establishes who accessed what and when can help you identify suspicious activity in real-time and trace the root of any problem that arises.

3. Educate and enforce.

Create a security policy that educates employees about suspicious emails, smart password use, phishing and social engineering. Install automated protections, because tricking people is still the easiest way in for criminals. Ensure that systems and employees properly implement security procedures.

2. Test your defenses.

You can spend as much as you like on a security system, but you won’t know how well it works until you put it to the test. Third-party experts will help you find gaps and tighten things up.

1. Stay up to date.

Most data breaches occur after known vulnerabilities are exploited. A stringent policy of patching and updating makes things much tougher for cyber criminals.

 

This article was originally posted in the Worcester Business Journal

Join us for the ISSA New England Virtual Chapter Meeting – January 21, 2016

The ISSA of New England’s 2nd annual virtual chapter meeting will be on Thursday, January 21 at 12:00 Noon. (Yes, you can join us online while you eat lunch.)

Careers in Cyber Security is the theme of this meeting. The most pressing problem in security is for sure the lack of qualified people to fill the number of open roles.

If you or your firm are looking for people to hire, this session is for you. If you are looking for a new and better role in 2016, this session is for you.

RSVP today: https://attendee.gotowebinar.com/register/2781460225400291586

Presentations include:

Candy Alexander on the Cyber Security Career Lifecycle

http://www.issa.org/?page=CSCL

The Cyber Security Career Lifecycle (CSCL), sponsored by ISSA, is intended to empower cybersecurity specialists to drive the destiny of the profession. The CSCL is:

  • A program to enable professionals to steer their individual career paths by providing the guidance and resources needed to achieve their long-term career goals.
  • Divided into 5 stages, with the opportunity for a variety of paths within each level.
  • Supported by a task force whose work products include:
    • Analyses of career paths, resources and opportunities
    • Skills and career level assessments

 

Candy is the Chief Architect of the ISSA’s Cyber Security Career Lifecycle (CSCL). The CSCL enables members to self-identify where they are within their career and to analyze their knowledge, skills and aptitude strengths, and the areas they need to improve upon, in order to succeed and progress in their career. Candy is a Member of the ISSA Hall of Fame and has served on the International Board of Directors from 2000 through the present day.

 

Deidre Diamond on Why is finding a place to work that you love so hard?

Cyber Security is short 1M professionals, yet finding a job that’s a great fit is overwhelming and stressful. Let’s talk about how to find a job that creates more enjoyment while also discussing what’s happening overall in the cyber security job market.

Deidre Diamond is the Founder and CEO of the national cyber security staffing company Cyber Security Network (CyberSN.com) and the Founder of not-for-profit thought leadership platform #brainbabe (brainbabe.org). Prior to founding CyberSN and #brainbabe, Diamond was the VP of Sales for the national technical staffing company Motion Recruitment, the first VP of Sales at Rapid7 (NYSE:RPD) and the CEO of Percussion Software. Because Diamond herself was hired as an entry-level employee and trained to lead technology service organizations and cyber security software organizations, she believes the tech community needs to expand its awareness of what it means “to be in tech” and what it means “to be in cyber.” Diamond desires to achieve a new way of hiring and retaining women in cyber security.

 

Other speakers on careers are pending and will be added.


Sponsors include:

Digital Guardian
Kaspersky Lab
Resilient Systems
Towerwall

About ISSA

The Information Systems Security Association (ISSA) is an international organization providing educational forums, publications and networking opportunities to enhance the knowledge, skills and professional growth of its member information security professionals. The primary goal of ISSA is to promote management practices that will ensure availability, integrity and confidentiality of organizational resources.

 

About ISSA New England

ISSA New England is one of the oldest and largest ISSA Chapters with about 300 members from a broad variety of New England organizations.

If you would like to contact any member of our Board of Directors, please refer to the following link: ISSA NE Board of Directors

The Worst Hacks of 2015

Hacking and data breaches weren’t just the norm, but they reached far and wide, hitting victims of all kinds, from regular consumers, to government employees, and even children and cheaters. It seemed like no one was spared.

The Worst Hacks of 2015…drum roll please!

  • Israel Government Allegedly Hacks Kaspersky Lab
  • The Massive Breach at OPM, The Hack That Keeps on Giving
  • Vigilante Hacker Hits Italian Spyware Vendor Hacking Team
  • Think of the Children: Toymaker VTech Gets Hacked, Loses Parents’ and Kids’ Personal Data
  • Hackers Steal Social Security Numbers of 15 Million T-Mobile Customers
  • Hackers Dox Cheaters And Embarrass Infidelity Giant Ashley Madison
  • The Massive Healthcare Data Spillage

 

This article was originally posted on LinkedIn.


Building malware defenses: Control email, web browsers, and ports

Another staple in a series examining the Center for Internet Security’s best practices.

 

Our last article looked at applying Critical Security Controls 4, 5, and 6 to your organization, covering vulnerability assessment, administrative privileges, and audit logs. Now it’s time to move on to CSCs 7, 8, and 9.

Email programs and web browsers are still the most common points of entry for attackers, too many companies have woefully inadequate malware defenses, and a failure to control ports and limit services is like leaving a window open for cybercriminals.

 

Critical Control 7: Email and Web Browser Protections

Human behavior is still the path of least resistance for cybercriminals, and they often employ social engineering techniques to gain access to systems. Despite the rising profile of phishing, 23% of recipients open phishing messages and 11% click on attachments, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).

Dodgy attachments, spoof websites, and vulnerable plug-ins can all be used by attackers to gain a foothold.

It’s vital to ensure that web browsers and email programs are kept fully up to date. Don’t allow employees to use unsupported browsers or email programs, and prevent them from installing unnecessary plug-ins or add-ons. All URL requests should be logged, and you should have a filter in place that blocks access to unauthorized websites. All email attachments should be scanned and blocked if they are unnecessary for business.

Keeping tight control over web browsers and email like this doesn’t just reduce the risk of phishing, it also reduces spam and helps prevent wasted time.
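The attachment rule above ("scanned and blocked if they are unnecessary for business") is easy to state and easy to get wrong, because attackers rename executables to look like documents. The following is an added example, not code from the original article or from the Center for Internet Security: a small inbound-mail attachment policy that allowlists the file types a business needs, then checks each file's leading bytes so that a renamed executable is still blocked. The allowlist, the sample message and its three attachments are all constructed for the example.

```python
"""Attachment allowlisting for an inbound mail gateway (added example)."""
import os
import email
from email import policy
from email.message import EmailMessage

# Hypothetical policy: only the file types the business actually needs pass.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg"}

# Leading bytes we expect for the allowed types, so that a file whose name
# says "document" but whose content says "program" is caught.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Windows PE and ELF headers: never acceptable whatever the filename says.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def classify_attachment(filename, data):
    """Return ("allow" | "block", reason) for one attachment."""
    name = (filename or "").lower()
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        # Catches invoice.pdf.exe: only the final extension counts.
        return "block", f"type {ext or '(none)'} is not needed for business"
    if data.startswith(EXECUTABLE_MAGIC):
        return "block", f"{ext} file carries executable content"
    magic = EXPECTED_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        return "block", f"content does not match the {ext} signature"
    return "allow", "matches attachment policy"


def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        results.append({"filename": name, "verdict": verdict, "reason": reason})
    return results


def build_sample_message():
    """Constructed test message (not real mail): one clean PDF, one
    executable with a doubled extension, one executable renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Q1 documents"
    msg.set_content("Documents attached.")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n",
                       maintype="application", subtype="pdf",
                       filename="q1-summary.pdf")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-like header
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample_message()):
        print(f"{r['verdict']:5} {r['filename']:18} {r['reason']}")
```

The order of the checks matters: the extension allowlist removes the bulk of unwanted types cheaply, the executable-header check rejects anything that is a program regardless of its name, and the per-type signature check is the fallback for content that is merely not what it claims to be. In production the same classification would sit behind the antivirus scan the article calls for, not replace it.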

 

Critical Control 8: Malware Defenses

There are five malware events every second, according to Verizon’s 2015 DBIR report, and malware can come into your system from all sorts of sources, including email, cloud services, web pages, smartphones, or even USB thumb drives.

It may not always be possible to detect it at the point of entry, but you can ensure that it’s detected and stopped before it can do too much damage by putting the right defenses in place.

Employing automated tools for real-time monitoring and threat assessment should be mandatory. You need malware defenses deployed throughout your system. Sadly, a Ponemon Institute report found that only 41% of respondents had automated tools to capture intelligence and evaluate the true threat of malware, even though organizations with automated tools reported that they can handle 60% of malware containment without human intervention, saving a huge amount of time and resources.

It makes sense to limit the use of external devices, use network-based anti-malware tools that can pick malicious content out of the traffic flow, and ensure that updates for your defenses are automated.

Bear in mind that the expense of investigating malware incidents is high and inaccurate intelligence is common. Spend money on improving your intelligence and automated containment, and you won’t have to spend as much on security staff investigations.

 

Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services

Configuration errors, remote access, and default services in newly installed software can leave a window open for would-be attackers. All of the ports, protocols, and services on all of your networked devices need to be properly managed. That means tracking, controlling, and correcting them where necessary.

Your IT staff needs to have a clear picture of what is and isn’t needed. A clear configuration plan at the outset can save a lot of time spent fixing problems further down the line.

Scan ports, review services, and shut down anything that isn’t necessary for business operations. Make sure that you verify servers and put firewalls in place to validate traffic. These are simple vulnerabilities for attackers to exploit, but they’re also easy loopholes to close, so close them!
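"Scan ports, review services, and shut down anything that isn't necessary" only works if you have written down what is necessary. The following is an added example, not code from the original article or from the Center for Internet Security: it keeps a per-role baseline of the TCP listeners a host is allowed to have, parses the output of `ss -lntpH` (the constructed sample lines below stand in for a real capture), and reports anything that departs from the baseline: unexpected listeners, a service bound to all interfaces when the baseline allows loopback only, and legacy cleartext services. The role name, baseline and port list are assumptions for the example.

```python
"""Audit listening TCP ports against a per-role baseline (added example)."""
import re
from dataclasses import dataclass

# One line of `ss -lntpH` output looks like:
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTENER_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = {"127.0.0.1", "[::1]"}
# Cleartext services that should not be listening on any host (assumed list).
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet", 69: "tftp", 512: "rexec", 513: "rlogin"}


@dataclass(frozen=True)
class Expected:
    process: str
    loopback_only: bool = False


# Hypothetical baseline for a "web" role host; a real one is per organisation.
BASELINE = {
    "web": {
        22: Expected("sshd"),
        80: Expected("nginx"),
        443: Expected("nginx"),
        3306: Expected("mysqld", loopback_only=True),
    }
}

# Constructed sample capture for a web host (not real output).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1203,fd=7))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=455,fd=5))
LISTEN 0 128 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=1300,fd=6))
"""


def parse_listeners(ss_output):
    """Return [(bind_address, port, process_name), ...] from ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit(ss_output, role):
    """Compare observed listeners with the role baseline; return findings."""
    expected = BASELINE[role]
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        want = expected.get(port)
        if want is None:
            findings.append((port, proc, "unexpected listener (not in baseline)"))
        elif proc != want.process:
            findings.append((port, proc, f"process mismatch (expected {want.process})"))
        elif want.loopback_only and addr not in LOOPBACK:
            findings.append((port, proc, "exposed on all interfaces (baseline allows loopback only)"))
        if port in LEGACY_CLEARTEXT:
            findings.append((port, proc, f"legacy cleartext service ({LEGACY_CLEARTEXT[port]})"))
    return findings


if __name__ == "__main__":
    for port, proc, issue in audit(SAMPLE_SS_OUTPUT, "web"):
        print(f"tcp/{port:<5} {proc:14} {issue}")
```

Run against the sample, the audit flags mysqld on 3306 for being reachable from the network, telnet on 23 twice (not in the baseline, and a cleartext service), and redis on 6379 as an unexpected listener even though it is bound to loopback, because a service nobody planned for is exactly the "default service in newly installed software" the control is about. Running this from a scheduled job and diffing the findings over time gives the tracking and correcting the control asks for.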

 

Don’t delay

Educate your employees on these issues and put the right systems in place to ensure they aren’t a weak spot for your organization. Remember to measure the effectiveness of your automated systems, and make sure you learn from mistakes and failures.

The most effective defense against phishing, malware, and vulnerability exploitations is a multi-pronged strategy that includes security expertise, educated staff, automated real-time systems, and clear, concise policies that are validated.

 

This article was recently published in Network World.

Image: The Alhambra, Granada, Spain. Credit: Victor Cruz.