Public-key cryptography and related standards and techniques underlie security features of many Red Hat products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography.
Link to Tutorial
This blog is a basic tutorial covering encryption algorithms and keys, hashes, digital signatures and certificates, and more.
Link to Primer
Link to Video
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions,
hazards, and other threats to federal, state, and local governments, the military, businesses, and
the critical infrastructure, the need for trustworthy secure systems has never been more important
to the long-term economic and national security interests of the United States. Engineering-based
solutions are essential to managing the growing complexity, dynamicity, and interconnectedness
of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including
the Internet of Things. This publication addresses the engineering-driven perspective and actions
necessary to develop more defensible and survivable systems, inclusive of the machine, physical,
and human components that compose the systems and the capabilities and services delivered by
those systems.
Link to NIST Publication 800-160
With no shortage of threats, from nation-states and hacktivists to terrorists and cybercriminals, the necessity of a globally connected infrastructure becomes a liability. How prepared are governments and organizations to thwart attacks? Are we doing all we can to ensure the safety of our critical infrastructures? What does the future hold?
Surveying over 25 OAS member states representing government agencies and critical industries, Trend Micro and OAS address these questions in this report.
The 500 respondents
emphasized a dramatic increase in the sophistication of cyber attacks. Most
troubling was the ominous phenomenon depicted by the dramatic increase
in destructive attacks - cyber attacks which were intended to 'delete or
destroy' backend systems. There exists a clear and present danger, one which
illustrates the dramatic evolution of cyber capabilities possessed by non-state
actor groups in the region.
Link to Trend Micro OAS Report
Critical Infrastructure Report
Reports show that in 2014, there were 245 million surveillance cameras operating around the world. And this only accounts for the professionally installed ones. There are likely millions more that were installed by unqualified professionals, with even fewer security precautions.
These numbers, and the lack of cybersecurity awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest foes.
Link to Incapsula Article
For many businesses, the next wave of innovation and growth will likely involve intelligent analytics, rich mobile experiences, and 'one touch' processes that require no further manual intervention. Success will depend on maintaining trust: consumers and business customers alike will accept nothing less than a complete assurance that the companies they engage with protect their highly sensitive data carefully in the hyperconnected information systems powering the digital economy.
Link to McKinsey Report
What are the most critical areas to address and how should an enterprise take the first step to mature their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a road map of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value? These issues drive the CIS Security Controls. The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.
Link to CIS Download Page
By Raluca Ada Popa & Nickolai Zeldovich
Despite massive efforts to guard sensitive data, hackers often manage to steal it anyway. It's a problem that's becoming especially acute, now that huge amounts of information are being concentrated on the servers of various cloud service providers. Most times we don't even know where these machines are located; how can we possibly feel that our data is safe with them? Here's one way: Encrypt the data before it's stored. That way, even if attackers manage to break into the cloud provider's system and steal data, they'll just get meaningless gibberish.
Link to IEEE Article
In Sept. 2014, a vulnerability known as Shellshock (also known as Bashdoor) was discovered and disclosed. And that's potentially big news for organizations who operate, maintain or otherwise use Linux-based security equipment - which can now be considered vulnerable to hackers.
Link to Complete Article
These documents can help you with everything from setting up your first computer to understanding the nuances of emerging threats.
Link to DHS CERT Publications List
Companies developing IoT products should implement reasonable security. First, companies should build security into their devices at the outset, rather than as an
afterthought. As part of the security by design process, companies should consider:
(1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and
retain; and (3) testing their security measures before launching their products. Second, with
respect to personnel practices, companies should train all employees about good security, and
ensure that security issues are addressed at the appropriate level of responsibility within the
organization. Third, companies should retain service providers that are capable of maintaining
reasonable security and provide reasonable oversight for these service providers. Fourth, when
companies identify significant risks within their systems, they should implement a defense-in-depth
approach, in which they consider implementing security measures at several levels. Fifth,
companies should consider implementing reasonable access control measures to limit the ability
of an unauthorized person to access a consumer's device, data, or even the consumer's network.
Finally, companies should continue to monitor products throughout the life cycle and, to the
extent feasible, patch known vulnerabilities.
Link to FTC Report
Link to FTC's Advice for Business
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most
current recommendations from the CERT Program, part of Carnegie Mellon University's
Software Engineering Institute, based on an expanded database of more than 700 insider threat
cases and continued research and analysis. Each
practice lists several recommendations that organizations of various sizes should implement
immediately to mitigate (prevent, detect, and respond to) insider threats.
Link to Guide
The dramatic increase in computer-related crime requires prosecutors and
law enforcement agents to understand how to obtain electronic evidence stored
in computers. Electronic records such as computer network logs, email, word
processing files, and image files increasingly provide the government with
important (and sometimes essential) evidence in criminal cases. The purpose of
this publication is to provide Federal law enforcement agents and prosecutors
with systematic guidance that can help them understand the legal issues that
arise when they seek electronic evidence in criminal investigations.
Link to Manual
The ISO 27000 series of standards has been specifically reserved by ISO for information security matters. This aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management). As with the above topics, the 27000 series will be populated with a range of individual standards and documents.
Link to Directory Web Site
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC's area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization for North America, subject to oversight by the Federal Energy Regulatory Commission and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. This section links to NERC's Cyber Security standards.
Link to NERC Directory
Federal facilities contain building and
access control systems - computers
that monitor and control building
operations such as elevators, electrical
power, and heating, ventilation, and air
conditioning - that are increasingly
being connected to other information
systems and the Internet. The
increased connectivity heightens their
vulnerability to cyber attacks, which
could compromise security measures,
hamper agencies' ability to carry out
their missions, or cause physical harm
to the facilities or their occupants.
GAO's objective was to examine the
extent to which DHS and other
stakeholders are prepared to address
cyber risk to building and access
control systems in federal facilities.
GAO recommends that DHS (1)
develop and implement a strategy to
address cyber risk to building and
access control systems and (2) direct
ISC to revise its Design-Basis Threat
report to include cyber threats to
building and access control systems.
GAO also recommends that GSA
assess cyber risk of its building control
systems fully reflecting FISMA and its
guidelines. DHS and GSA agreed with
the recommendations.
Link to GAO Report
Cyber threats constantly evolve with increasing
intensity and complexity. The ability to achieve
mission objectives and deliver business functions
is increasingly reliant on information systems and
the Internet, resulting in increased cyber risks that
could cause severe disruption to a company's
business functions or operational supply chain,
impact reputation, or compromise sensitive
customer data and intellectual property.
This document provides key questions to guide
leadership discussions about cybersecurity risk
management for your company, along with key
cyber risk management concepts.
Link to DHS Document
Home routers have become an integral part of our modern society as our use of the internet has
grown to include business from home, schoolwork, social networking, entertainment and
personal financial management. Wired and now wireless routers have moved into our homes to
facilitate this additional connectivity. The internet service provider (ISP) sells these devices preconfigured
and ready to use. Users typically connect immediately to the internet without
performing any additional configuration. They may not know how to perform additional
configuration because it either seems too difficult, or they may be reluctant to spend the time
with advanced configuration settings.
Unfortunately, the default configuration of most home routers offers little security and leaves home
networks vulnerable to attack. Small businesses and organizations that lack the funding for an
information technology (IT) infrastructure and support staff often use these same home routers to
connect to the internet. These organizations frequently also set up the routers without
implementing security precautions and therefore are exposing their organization to attack.
Link to DHS Document
New technologies in cars have enabled valuable
features that have the potential to improve driver
safety and vehicle performance. Along with these
benefits, vehicles are becoming more connected
through electronic systems like navigation, infotainment,
and safety monitoring tools.
The proliferation of these technologies raises
concerns about the ability of hackers to gain access
and control to the essential functions and features
of those cars and for others to utilize information on
drivers' habits for commercial purposes without the
drivers' knowledge or consent.
To ensure that these new technologies are not
endangering or encroaching on the privacy of
Americans on the road, Senator Edward J. Markey
(D-Mass.) sent letters to the major automobile
manufacturers to learn how prevalent these technologies
are, what is being done to secure them against
hacking attacks, and how personal driving information
is managed.
This report discusses the responses to this letter
from 16 major automobile manufacturers.
Link to Markey Report
Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.
Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin's custom payloads point to a
high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of
the developers.
Regin is capable of installing a large number of additional payloads, some highly customized for the targeted
computer.
Link to pdf
Link to Symantec Blog
Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
Industrial control systems, like traditional business information systems, are
coming increasingly under attack by a variety of malicious sources. These range
from hackers looking for attention and notoriety to sophisticated nation states
intent on damaging equipment and facilities. Included in this mix are disgruntled
employees, competitors, and even friendly sources that inadvertently bring
malware onto a site.
This document will present recommendations to help those facilities that use
control systems better prepare for and respond to a cyber incident regardless of
source. The document also suggests ways to learn from incidents and to
strengthen the system against potential attacks. The document includes accepted
methods and approaches from traditional information technology, but is primarily
focused on the unique aspects of industrial control systems.
Link to DHS Document