Siemens Lessons Learned: The Dangers of Default Passwords
Posted In Information Security, Risk Management on July 28th, 2010 Tags: malware, password management, SCADA, Security, Security Awareness, Siemens, Stuxnet
One of the first things security professionals recommend when you install new programs, systems or hardware is that you change the default password immediately. And, if a system has been breached or is vulnerable to a potential breach, most security professionals recommend your Users change their passwords as a precaution.
Now, what if the password was hard-coded into the system and could not be changed without throwing all systems into chaos and disrupting or halting operations?
And what if the default password for your software had been shared in online forums since 2008?
That would never happen, right…?
Unfortunately this is exactly what has happened to Siemens and their SCADA software. SCADA (supervisory control and data acquisition) software is commonly used in utilities and has become a popular target for hackers of all types. For example, Stuxnet malware is targeting Siemens SCADA software, searching for certain software and then applying the hard-coded password to access the access control database. Once this database is accessed the malware can steal information. Changing the passwords and blocking the malware’s attempts may create even bigger issues.
So, what are the lessons learned here?
1) Default passwords are and always will be a major vulnerability.
2) Passwords should not be hardcoded into a system.
3) Passwords should not be shared on online forums and if they are, the password should immediately be changed!
4) Changing passwords should not cause systems to stop working.
If you work in a utility or organization utilizing SCADA software…be aware and be prepared.
No Comments
CFOs Have Responsibility To Break Down Risk Management Silos
Posted In Business Continuity, Information Security, Regulatory Compliance, Risk Management on July 12th, 2010 Tags: CFOs, Cybercrime, Cybersecurity, DHS
Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime.
Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included:
“Cybercrime is not a problem that is growing, or coming, or off in the future. This is a problem right now.”
Mr. Schaffer also cited some statistics from reports and surveys:
- A single cyber breach costs companies an average of $6.75 million
- 27 countries have claimed to have experienced financial losses related to cybercrime
- In 2009, 30 million examples of new malicious software were released
Mr. Schaffer shared that there is a “disconnect” between corporate risk managers and information technology professionals. Mr. Schaffer also pointed out that most companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating cybercrime as a risk the entire organization must address.
Mr. Schaffer had this advice too… because CFOs play an important role in enterprise risk management; CFOs have a responsibility to break down “silos” within an organization.
Do you have “silos” in your organization?
Of course you do! CFOs (along with CEOs, COOs, CROs, etc.) must become more proactive and prevention focused. CFOs must find better ways to break down silos and connect the dots before a cybercrime incident creates a huge hit on their bottom line.
No Comments
SEC Provides Lessons Learned on Policies and Porn
Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010 Tags: Federal Computer Week, incident management, SEC, security policy, social media policies
A recent follow up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency who doubted the need for and importance of an airtight security policy.
Good for Teri Robinson… who wrote the article!!
However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility. Teri suggested the following steps:
- Review existing policy
- Social media guidelines should be included and should be specific
- Assign responsibility because policies are more easily adopted if someone is in charge
- Train, train, train as threats change so do policies so regular training is needed
- Enforce the rules
- Ramp up resources with technology and staffing
I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.
I sort of agree with Assigning Responsibility and Train, Train, Train…
I disagree with Ramping Up Resources and Staffing Up.
Based on lessons learned, the following steps are also needed:
- Accountability at the Individual Level
- Documentation of Individual Acknowledgements
- Situational Awareness and Case Studies that relate to organization specific policies
- Incident Reporting and Incident Management Tools for Assessment/Prevention Teams
And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.
Now if we could just get federal agencies to start using “tractors” instead of “old horses”…
No Comments
Supreme Court: You Can Spy on Employees if…
Posted In Information Privacy, Legal on July 2nd, 2010 Tags: policies and procedures, search, supreme court, text messages
Did you happen to notice the recent Supreme Court ruling that ruled in favor of employers having the right to check up on employee usage of mobile devices to protect their bottom line?
These days it is fairly common for organizations to equip their employees with mobile devices and pagers. But when employees are given a character allowance for texting and they go over the allowance, the organization is charged overage fees and this is where the ruling comes in.
In this court case, the employers were looking to get costs back in line and requested transcripts of the employee text messages to verify if the overage fees were necessary. What the employers found were lots of personal (some highly explicit) text messages being sent on company owned devices.
After several lower court rulings, the Supreme Court ruled that because the employers suspected that people were breaking the rules and using their mobile devices and pagers for non-business communications, the employers were justified in requesting and reading the text message transcripts.
But before employers get too excited…there are multiple lessons learned in this Supreme Court ruling, and employers do not have free reign. Employers must have clearly defined policies that spell out what employees can and cannot do on the clock and off the clock with company property. The employer’s dos and don’ts should include phones, laptops, etc. Employers must also communicate the policy to all appropriate employees to make sure they understand what the dos and don’ts include. Employers should also make sure managers and supervisors understand what steps they can and cannot take when it comes to keeping costs down and privacy rights cannot be invaded just for the sake of controlling costs.
Does your organization have the right policies in place with the right people? Would your policies and procedures hold up in a court ruling?
No Comments
Organizational Security: Is Your Door Wide Open?
Posted In Information Security on June 29th, 2010 Tags: dark reading, Security, Security Awareness, vulnerability assessment
Last Tuesday at about 2:00 AM, I woke up to the doorbell ringing and knocking on our front door. While I was initially a little startled, my next thought was, “Why isn’t our ferocious guard dog barking?”
When we answered the door, it was the local police department informing us that we had left our garage door wide open (welcoming in thieves and intruders). After overcoming our embarrassment and thanking the officer, I then had to check through the house to make sure there was no one hiding out in the basement. 
This incident got me thinking; you can have the best security system in the world, guard dog, alarm system, door locks, cameras, etc., but if you make one simple mistake like forgetting to shut your garage door after mowing the yard, your entire house (or system) is at risk.
A recent Dark Reading article also revealed that some of the biggest vulnerabilities organizations face can be the most obvious everyday things.
For example, the article listed several everyday dangers that are often overlooked:
- Network-attached devices
- Paper documents
- Passwords on post-its
- Portable storage devices
- Printers and fax machines
One of the article’s tips was to change the default password for devices attached to the network. While this tip seems like common sense, many organizations may find themselves at risk if they do not verify all devices are secure.
The article also revealed that many ’open doors’ can be found on employees’ unattended desks including:
- Security badges
- Entry cards
- Passwords
- Keyrings
- USB drives
So, how can you ensure your organization is not leaving doors open?
By providing ongoing training and situational awareness, you can help educate your employees on everyday risks and vulnerabilities. Employees (and third-parties) need to be made aware of new risks and threats and best practices for securing their environments. You should also establish policies and procedures for verifying devices are secured, passwords are secured, desks are cleared, etc. Once these policies and procedures have been created, you must also ensure they are communicated and acknowledged by all appropriate personnel and everyone understands their individual roles and responsibilities.
Are your employees leaving your organization’s doors wide open?
No Comments
Improving Campus Safety – Prevention and Intervention – Part 2
Posted In Emergency Management, Incident Reporting, School Safety, Workplace Violence on June 23rd, 2010
If you did not read Part 1…you may want to do so before reading Part 2.
During my EduComm presentation, I identified numerous school related incidents and lessons learned and multiple new ways to improve campus safety, reduce costs, protect reputations and save lives.
Then after reviewing multiple lessons learned I asked the group another question:
What does each of these well-documented incidents have in common?
- Columbine
- Virginia Tech
- Fort Hood
- University of Alabama-Huntsville
According to expert reviews and reports, each of these incidents could have been prevented.
Let me repeat….each of these incidents could have been prevented.
Each of these incidents could have been prevented had the organizations implemented Prevention and Intervention Plans with tools/systems to ensure incident reporting, red flag management, proactive action teams (prevention, intervention, behavior analysis, threat assessment, etc.) and documentation resources were accessible on-demand.
If your goal is to improve safety on your campus or within your organization or across your community, isn’t it better to prevent incidents from happening at all?
Based on lessons learned and based on costs, lawsuits, reputation damage, emotional damages and loss of lives, my guess is that if each of these organizations (and numerous others) had the opportunity for a do over, they would all vote for preventing their incident rather than reliving their incident.
Does your organization have the right tools to connect the dots and prevent incidents from happening?
No Comments
Improving Campus Safety – Prevention and Intervention – Part 1
Posted In Emergency Management, Incident Reporting, Risk Management, School Safety, Workplace Violence on June 21st, 2010 Tags: Campus Safety, crisis management, EduComm, Intervention, Prevention, Virginia Tech
Just recently, I had the honor of presenting at the EduComm 2010 conference in Las Vegas. The title of my presentation was ‘Connecting the Dots to Improve Campus Safety’ and was selected as a featured presentation.
Presenting at conferences is definitely one of my favorite things to do. I get to share ideas, successes and lessons learned with other people who are coming from many different locations and I have the unique opportunity to ask questions and learn what challenges other people face.
During my presentation I asked the following questions:
How many of your organizations have a Crisis Management Plan?
(Everyone raised their hand)
How many of your organization have an Emergency Management Plan?
(Everyone raised their hand)
How many of your organizations have a Prevention/Intervention Plan?
(Only a couple people raised their hand)
WOW! You should have seen the faces of the attendees…and probably mine too.
This quick survey along with hundreds of other lessons learned continue to show that organizations are too focused on ‘reactive response plans’ rather than ‘proactive prevention actions’.
Maybe this explains why so many schools rushed out and purchased mass notification response systems after the Virginia Tech tragedy?
What do you think?
Should more schools invest in tools and systems for prevention and intervention efforts?
Stay tuned for Part 2…
No Comments
You Have an Emergency Notification System…OK, Then What?
Posted In Emergency Management, Incident Reporting, Risk Management, School Safety on June 17th, 2010 Tags: crisis management, Emergency Management, mass notification system, Social Networking
I recently came across a blog in Emergency Management Magazine discussing the need to use multiple forms of emergency notifications. Lessons learned and recent studies reveal that the public won’t likely take action unless they receive their directions from at least two trusted sources. A study on evacuations during the San Diego wildfires found that residents generally wouldn’t leave their homes until they had received confirmation from a second source (like the news or a personal contact).
Thankfully, in today’s networked environment, people have information coming at them from all sides (friends, media, online news, social networking sites, etc.) and will most likely be able to verify a threat if they receive initial notification. However, there is always that risk that an employee, friend, neighbor, student, etc. was not notified. Or their source was not credible or trusted? How can you ensure all individuals have received and verified an emergency notification?
And, once an individual does understand there is a threat (violence, natural disaster, etc.), then what? Where should they go? What do they need to do? Should they notify others?
Emergency mass notification systems are only effective if each and every individual sending and receiving the alert is fully aware of specific policies, procedures, roles and responsibilities – people must understand what they HAVE TO DO and NEED TO DO if an incident occurs.
Lessons learned have shown that many safety and security programs do not put enough emphasis on the implementation of crisis management plans, emergency plans, code of conduct manuals, staff procedures manuals, SOPs and other processes after organizations have spent time and money performing assessments, performing general training, purchasing mass notification technologies and developing their plans, procedures and policies.
It is critical for organizations to implement Lessons Learned at the individual-level to prevent and prepare for future incidents. Organizations need to ensure that all procedures, plans, guidelines, etc. have been assigned to all appropriate personnel (faculty, students, employees, law enforcement, board members, vendors, contractors, third-parties, etc.) and that all personnel have acknowledged and understand their roles and responsibilities before, during and after an incident occurs.
No Comments
Are You Aware of TSA’s Bad Attitude and Bad Flyers List?
Posted In Human Resources, Incident Reporting, Workplace Violence on June 14th, 2010 Tags: pushy flyers, TSA
Did you see the article in the USA Today last week regarding TSA keeping a database of pushy flyers?
The pushy fliers program was launched in 2007 to help prevent the nation’s 50,000 airport screeners from being attacked or threatened. TSA officials voiced concern about passengers disrespecting screeners so they began issuing new uniforms with police style badges pinned to shirts. According to the article, the database has records from about 240 incidents and most are screeners in conflict with other screeners and 30 incidents involve passengers or airport workers attacking or threatening screeners.
Based on my experiences leaving a New York area airport this week, I understand why 8 times more incidents are screeners in conflict with other screeners. And based on my experiences, I am also curious if TSA has started creating a database of TSA screeners that disrespect passengers?
These New York area TSA screeners seemed more interested in being bossy than screening passengers to ensure safety and security. Maybe it’s the uniform and the pin on badge? Maybe the uniforms are the problem?
Maybe the uniforms make TSA scanners behave like control freak umpires – like Cowboy Joe West and Bossy Bill Hohn – both are major league baseball umpires that forgot about their real job responsibilities because they were too busy trying to be in control. MLB announced they were going to address Bill Hohn “in a very stern way”…perhaps lessons learned from the TSA database and lessons from MLB will help TSA address what seems to be a growing problem?
Passengers deserve respect and passengers deserve TSA scanners that put their roles and their responsibilities before their attitudes and personal control issues.
I wonder if organizational leaders are paying attention to these lessons learned when they travel? Or as organizational leaders watch TV and see all the negative feedback on umpires?
Organizational leaders must quickly realize that connecting the dots includes all types of dots – every good, bad and bossy individual must be connected to the organization’s culture and be accountable for their roles, responsibilities, obligations and decisions.
Did your organization use these lessons learned to achieve better results with your passengers, fans, customers and partners?
No Comments
Marketing Security as a Competitive Advantage
Posted In Information Security on June 7th, 2010 Tags: BankInfoSecurity, Joseph Menn, Security
The title above was a title from an interview with author/journalist Joseph Menn that I saw on BankInfoSecurity.com. Mr. Menn suggests it is time for banking institutions to start marketing their security and protective measures as competitive advantages.
Mr. Menn went on to say, “They should put serious security in place – and advertise it. Get this competition going on the basis of security. That will gain them customers, in my opinion.”
My question is this…I wonder what Mr. Menn thinks banks should be doing to “put serious security in place”? Is it just me or do we have a lot of authors and journalists pretending they have the answers when they say things like “they should put serious security in place”?
What do you think “serious security” is?
What do you think the process is to “put serious security in place”?
Comments (2)
