Public-key cryptography and related standards and techniques underlie security features of many Red Hat products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography.
Link to Tutorial
This blog is a basic tutorial covering encryption algorithms and keys, hashes, digital signatures and certificates, and more.
Link to Primer
Link to Video
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.
Link to NIST Publication 800-160
With no shortage of threats, from nation-states and hacktivists to terrorists and cybercriminals, the necessity of a globally connected infrastructure becomes a liability. How prepared are governments and organizations to thwart attacks? Are we doing all we can to ensure the safety of our critical infrastructures? What does the future hold? Surveying over 25 OAS member states representing government agencies and critical industries, Trend Micro and OAS address these questions in this report.
The 500 respondents emphasized a dramatic increase in the sophistication of cyber attacks. Most troubling was the ominous phenomenon depicted by the dramatic increase in destructive attacks: cyber attacks that were intended to 'delete or destroy' backend systems. There exists a clear and present danger, one which illustrates the dramatic evolution of cyber capabilities possessed by non-state actor groups in the region.
Link to Trend Micro OAS Report
Critical Infrastructure Report
Reports show that in 2014, there were 245 million surveillance cameras operating around the world. And this only accounts for the professionally installed ones. There are likely millions more that were installed by unqualified professionals, with even fewer security precautions. These numbers, and the lack of cybersecurity awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest foes.
Link to Incapsula Article
For many businesses, the next wave of innovation and growth will likely involve intelligent analytics, rich mobile experiences, and 'one touch' processes that require no further manual intervention. Success will depend on maintaining trust: consumers and business customers alike will accept nothing less than a complete assurance that the companies they engage with protect their highly sensitive data carefully in the hyperconnected information systems powering the digital economy.
Link to McKinsey Report
What are the most critical areas to address and how should an enterprise take the first step to mature their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a road map of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value? These issues drive the CIS Security Controls. The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.
Link to CIS Download Page
By Raluca Ada Popa & Nickolai Zeldovich | Despite massive efforts to guard sensitive data, hackers often manage to steal it anyway. It's a problem that's becoming especially acute, now that huge amounts of information are being concentrated on the servers of various cloud service providers. Most times we don't even know where these machines are located; how can we possibly feel that our data is safe with them? Here's one way: Encrypt the data before it's stored. That way, even if attackers manage to break into the cloud provider's system and steal data, they'll just get meaningless gibberish.
Link to IEEE Article
In Sept. 2014, a vulnerability known as Shellshock (also known as Bashdoor) was discovered and disclosed. And that's potentially big news for organizations who operate, maintain or otherwise use Linux-based security equipment - which can now be considered vulnerable to hackers.
Link to Complete Article
These documents can help you with everything from setting up your first computer to understanding the nuances of emerging threats.
Link to DHS CERT Publications List
Companies developing IoT products should implement reasonable security. First, companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products. Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization. Third, companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers. Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels. Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer's device, data, or even the consumer's network. Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
Link to FTC Report
Link to FTC's Advice for Business
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations from the CERT Program, part of Carnegie Mellon University's Software Engineering Institute, based on an expanded database of more than 700 insider threat cases and continued research and analysis. Each practice lists several recommendations that organizations of various sizes should implement immediately to mitigate (prevent, detect, and respond to) insider threats.
Link to Guide
The dramatic increase in computer-related crime requires prosecutors and law enforcement agents to understand how to obtain electronic evidence stored in computers. Electronic records such as computer network logs, email, word processing files, and image files increasingly provide the government with important (and sometimes essential) evidence in criminal cases. The purpose of this publication is to provide Federal law enforcement agents and prosecutors with systematic guidance that can help them understand the legal issues that arise when they seek electronic evidence in criminal investigations.
Link to Manual
The ISO 27000 series of standards has been specifically reserved by ISO for information security matters. This aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management). As with the above topics, the 27000 series will be populated with a range of individual standards and documents.
Link to Directory Web Site
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC's area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization for North America, subject to oversight by the Federal Energy Regulatory Commission and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. This section links to NERC's Cyber Security standards.
Link to NERC Directory
Federal facilities contain building and access control systems - computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning - that are increasingly being connected to other information systems and the Internet. The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or their occupants.
GAO's objective was to examine the extent to which DHS and other stakeholders are prepared to address cyber risk to building and access control systems in federal facilities.
GAO recommends that DHS (1) develop and implement a strategy to address cyber risk to building and access control systems and (2) direct ISC to revise its Design-Basis Threat report to include cyber threats to building and access control systems. GAO also recommends that GSA assess cyber risk of its building control systems fully reflecting FISMA and its guidelines. DHS and GSA agreed with the recommendations.
Link to GAO Report
Cyber threats constantly evolve with increasing intensity and complexity. The ability to achieve mission objectives and deliver business functions is increasingly reliant on information systems and the Internet, resulting in increased cyber risks that could cause severe disruption to a company's business functions or operational supply chain, impact reputation, or compromise sensitive customer data and intellectual property.
This document provides key questions to guide leadership discussions about cybersecurity risk management for your company, along with key cyber risk management concepts.
Link to DHS Document
Home routers have become an integral part of our modern society as our use of the internet has grown to include business from home, schoolwork, social networking, entertainment and personal financial management. Wired and now wireless routers have moved into our homes to facilitate this additional connectivity. The internet service provider (ISP) sells these devices preconfigured and ready to use. Users typically connect immediately to the internet without performing any additional configuration. They may not know how to perform additional configuration because it either seems too difficult, or they may be reluctant to spend the time with advanced configuration settings. Unfortunately, the default configuration of most home routers offers little security and leaves home networks vulnerable to attack. Small businesses and organizations that lack the funding for an information technology (IT) infrastructure and support staff often use these same home routers to connect to the internet. These organizations frequently also set up the routers without implementing security precautions and therefore are exposing their organization to attack.
Link to DHS Document
New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance. Along with these benefits, vehicles are becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools. The proliferation of these technologies raises concerns about the ability of hackers to gain access to and control of the essential functions and features of those cars and for others to utilize information on drivers' habits for commercial purposes without the drivers' knowledge or consent. To ensure that these new technologies are not endangering or encroaching on the privacy of Americans on the road, Senator Edward J. Markey (D-Mass.) sent letters to the major automobile manufacturers to learn how prevalent these technologies are, what is being done to secure them against hacking attacks, and how personal driving information is managed. This report discusses the responses to this letter from 16 major automobile manufacturers.
Link to Markey Report
Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals. Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin's custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers. Regin is capable of installing a large number of additional payloads, some highly customized for the targeted computer.
Link to pdf
Link to Symantec Blog
Developing an Industrial Control Systems Cybersecurity Incident Response Capability
Industrial control systems, like traditional business information systems, are coming increasingly under attack by a variety of malicious sources. These range from hackers looking for attention and notoriety to sophisticated nation states intent on damaging equipment and facilities. Included in this mix are disgruntled employees, competitors, and even friendly sources that inadvertently bring malware onto a site. This document will present recommendations to help those facilities that use control systems better prepare for and respond to a cyber incident regardless of source. The document also suggests ways to learn from incidents and to strengthen the system against potential attacks. The document includes accepted methods and approaches from traditional information technology, but is primarily focused on the unique aspects of industrial control systems.
Link to DHS Document