May 31st, 2018, Mandarin Oriental Hotel
Geneva Information Security Day (GISD) is a leading European cybersecurity conference created as a vendor-independent platform for open and actionable discussion of emerging digital threats and remedies, knowledge sharing, and building a sustainable cybersecurity industry. C-level cybersecurity executives, cybersecurity visionaries and leaders from all over the world share their knowledge and experience in a comfortable atmosphere of trust and confidence.
Participation at GISD is open and free for cybersecurity, privacy and GRC practitioners. No sales personnel are allowed. Participants will be provided with an attendance certificate attesting to their participation at the Conference for Continuing Professional Education (CPE) credit.
Visit event’s webpage for the Agenda and speakers: https://www.htbridge.com/GISD/
The U.S. government has gotten behind the Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication standard in full force while the private sector, for once, is playing catch-up. Phil Reitinger, president and CEO of the Global Cyber Alliance, spoke with SC Media Executive Editor Teri Robinson about DMARC’s benefits and its trajectory in both the private and public sectors.
You can watch the full video interview here:
For more information about DMARC and how to implement it to better protect your domain, please visit dmarc.globalcyberalliance.org.
Bob Gourley, former Defense Intelligence Agency CTO and Founder and CTO of Crucial Point, LLC, discusses the failure of government IT contractors to incorporate some standard email security measures with Government Matters TV.
By Maryam Rahmani
Everywhere we look, devices and people are getting connected to the Internet. Gartner anticipates more than 20 billion connected devices by the year 2020. In 2017, for the first time, the number of IoT devices exceeded the world’s population. These devices are being used by consumers, businesses and critical infrastructure to increase productivity, improve quality of life, and reduce costs. As with any technology, if security and privacy are not built into the design cycle from the outset, these devices can wreak havoc in the wrong hands. The combination of automation, connectivity and an expanded threat landscape increases the associated risks to people, industries, and governments alike.
At the RSA Conference in San Francisco last week, there were a number of talks on the importance of securing these hard to secure devices that are scattered everywhere.
In smart manufacturing, threats are high and impacts are great. A coordinated cyberattack can cause plant disruptions resulting in millions of dollars in damages, as was seen in 2017 when several European automobile manufacturing plants were halted by the WannaCry ransomware attack.
Recently, a nation-state waged global cyberattacks on critical national infrastructure by exploiting smart devices with weak passwords and unpatched software. The potential for further exploitation remains.
Cyberattacks are also seen against hospitals throughout the world, putting patients’ care and well-being at risk. Wherever a smart thing exists, there is also a story about a hack, an exploit and unfortunate consequences. The status quo is not an option.
Organizations, manufacturers, and governments all must come together to make sure standards are developed and controls are put in place to mitigate the IoT-related cyber risk.
There are a number of great efforts under way.
The National Institute of Standards and Technology (NIST) is working on the development and application of standards, guidelines, and tools. If you are interested in learning more about IoT cybersecurity-related initiatives at NIST, please visit: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program.
In the UK in March, the Department for Digital, Culture, Media and Sport (DCMS) issued a report providing thirteen guidelines. The first among them is that IoT devices must not ship with “default passwords.” The suggested guidelines are great, but it remains to be seen whether manufacturers will embrace them without regulation.
We at the Global Cyber Alliance are collaborating with our partners globally to come up with measurable actions to tackle IoT-related risks. We are conducting a series of roundtables around the world to discuss lessons learned from various engagements, discuss concerns related to privacy and security, and provide tools and best practices for smart city deployment. We are good at tackling challenging cyber-related risks with solutions that are highly effective, like DMARC and Quad9. We welcome collaboration and invite those who are interested in helping us ensure that security and privacy are built into all smart city projects to reach out to us. By working together, we can make our connected world of everything a safer and more secure place.
As Federal Agencies Work to Add DMARC Protections, Largest Government Contractors Have Work to Do
Washington, DC – Only one of the largest federal contractors has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the top 50 information technology (IT) contractors to the United States government, GCA found that only one contractor is using email-validation security – the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol – at its highest level.
DMARC lets a domain owner tell receiving mail servers to reject or quarantine messages that fail SPF or DKIM alignment, weeding out the fake emails (known as direct domain spoofing) that spammers and phishers send to the inboxes of workers in all sectors of society. It protects only the domain that publishes the policy; look-alike domains and forged display names are outside its scope and need other controls. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.
Late last year, the Department of Homeland Security mandated, in Binding Operational Directive 18-01, that all federal agencies implement DMARC. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors’ failure to follow suit could make them more enticing to threat actors looking for new ways to access government information.
“Threat actors don’t quit when they see an obstacle; they simply look for another way in,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “DMARC adds a layer of protection for email, and we applaud DHS’s move to ensure implementation of DMARC for federal agencies. Government contractors should also shore up their defenses and adopt DMARC to protect their government and other clients with whom they exchange email. We know that the vast majority of attacks start with a phishing email. DMARC should be an operational standard to reduce risk.”
Using GCA’s DMARC tools, the researchers determined how far organizations were in implementing DMARC. More than half of the contractors reviewed had not yet implemented DMARC at all.
|DMARC policy level|Count|Effect at this level of implementation|
|Domains tested|50|The email domains of the 50 largest government contractors in 2017 according to Washington Technology|
|Reject|1|The highest level of DMARC protection. With p=reject in place, receivers that honor the policy refuse incoming messages that fail DMARC authentication.|
|Quarantine|1|The second highest level of DMARC protection. With p=quarantine in place, messages that fail authentication are delivered to the spam or junk folder.|
|None|21|A DMARC record is published with p=none, so only monitoring takes place. Receivers can report back to the domain owner, but no action is taken to block spoofed emails.|
|No Policy|27|No DMARC record is published, so DMARC is not being used.*|
|Error*|1|One contractor appeared to have DMARC misconfigured.|
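The five categories in the table map directly onto what a receiving mail server finds when it looks up the TXT record at _dmarc.<domain>. The Python below, an added example that is not GCA’s DMARC tooling and not code from the original page, classifies a domain’s TXT records into those categories, then computes the disposition a receiver would apply to a message that fails authentication, including the sp= subdomain policy and pct= sampling defined in RFC 7489. All domain names and records are constructed samples; the table’s real contractor domains are not reproduced here.

```python
"""DMARC record classifier and disposition calculator.

Added example, not GCA's tooling; every domain and record below is constructed.
Tag semantics (v, p, sp, pct) follow RFC 7489.
"""
import re
from collections import Counter

VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 s6.6.4: a message excluded by pct sampling gets the next less
# severe policy instead of the one requested.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}
_VERSION_FIRST = re.compile(r"\s*v\s*=\s*DMARC1\s*(;|$)", re.I)


def parse_dmarc(txt):
    """Return the validated tag dict of one DMARC TXT record, or raise ValueError."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not _VERSION_FIRST.match(parts[0] + ";"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    tags["p"] = policy
    if "sp" in tags:
        tags["sp"] = tags["sp"].lower()
        if tags["sp"] not in VALID_POLICIES:
            raise ValueError(f"unknown sp= value: {tags['sp']!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct must be an integer 0-100, got {pct!r}")
    tags["pct"] = int(pct)
    return tags


def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to the table's categories."""
    # Receivers ignore TXT records that do not begin with v=DMARC1 (s6.6.3).
    dmarc = [r for r in txt_records if _VERSION_FIRST.match(r)]
    if not dmarc:
        return "no policy"
    if len(dmarc) > 1:
        return "error"  # several DMARC records: processing is discontinued
    try:
        return parse_dmarc(dmarc[0])["p"]
    except ValueError:
        return "error"


def disposition(tags, dkim_aligned, spf_aligned, is_subdomain=False, sample_roll=None):
    """Disposition for one message: 'pass' if an aligned DKIM or SPF check passed,
    otherwise the requested policy, downgraded when sample_roll (0-99) falls
    outside the pct= sampled percentage."""
    if dkim_aligned or spf_aligned:
        return "pass"
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample_roll is not None and sample_roll >= tags["pct"]:
        policy = DOWNGRADE[policy]
    return policy


def summarize(domains):
    """Count categories across {domain: [txt records]}, like the table above."""
    return Counter(classify(records) for records in domains.values())


# Constructed sample: five fictional domains, one per table category.
SAMPLE = {
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "quarantine.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "absent.example": [],
    "broken.example": ["v=DMARC1; p=rejct"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:22} {classify(records)}")
    print(dict(summarize(SAMPLE)))
```

A practitioner checking the contractors in the table would feed classify() the results of real TXT lookups instead of SAMPLE. Two points the table only hints at are visible in the code: p=none still delivers every spoofed message (the owner merely receives reports), and a published p=quarantine with a low pct= or an sp=none leaves most or all of the traffic unprotected even though the record looks stricter than p=none.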
The list of contractors identifies the largest government contractors in the IT and systems integration space according to their prime contracting dollars for fiscal year 2016.
“Threat actors are using email to go after organizations of all kinds and sizes,” Reitinger said. “Leaders in the U.S. and U.K. are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency. The leading U.S. IT contractors should take similar steps to secure the government and citizens.”
GCA has published four reviews of DMARC implementation – two looking at organizations in cybersecurity, one looking at banks, and another examining public and private hospitals. The contractors’ results were the worst in any sector examined thus far. When Agari looked at Fortune 500 companies last August, they found 8 percent protected their companies’ domains with DMARC.
For more details about DMARC or to check if an organization is using DMARC, visit: dmarcguide.globalcyberalliance.org.
About the Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect. GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.
By Phil Reitinger
Thursday last week I was somewhere over Utah, headed back to the East Coast after three-and-a-half days in California at the RSA Conference. I was thinking about last year, when I wrote a blog called RSA: It’s the People about why I come to RSA every year.
The sessions can be very interesting, the keynotes provocative, and the exhibit floor educational. But that isn’t why I come every year. I come because it is the best chance and place to connect with the infosec and privacy community. I’ve by far lost count of the number of people I’ve talked to this trip, and I bet the same is true for you. And while the planned meetings can be great, or not, often the chance encounters offer the greatest ROI.
All that is still true.
Last Monday I wrote that every year I’ve been able to make one cybersecurity prediction: next year, things will be worse. It occurs to me that there is another prediction I could make almost every year: next year, I will come to RSA.
Not so long ago I walked into a restaurant and saw a couple of old friends having lunch, right beside my table. I very much enjoy those encounters. RSA is like that, but instead of every month or so, they happen multiple times in an hour. The conference is a wonderful stew of planned and unplanned events.
I am also heartened by something else. Every year there are new RSA buzzwords, like “Blockchain” and “AI.” One of the buzzwords this year was “Community.” From functional organizations like GCA and CTA, to new collaborative efforts like the Tech Accord, communities are working to solve real problems.
See you next year.
Bob Gourley writes from RSA:
“Every year the RSA conference brings together members of the cybersecurity community for a week of presentations, discussions, tech demos and socials. Concurrent with the event there is always a flurry of press releases. Many are designed to highlight a company’s product or service. Many, like the announcement of the new Microsoft led coalition of tech firms, might be well intentioned but highlight something that will have zero impact. But there are always a few releases that are worth focusing on.
Which leads us to the Global Cyber Alliance. The Global Cyber Alliance is an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity. It is led by an icon of the cybersecurity community, Phil Reitinger, and Phil is a guy known for focusing on action that can be measured (the motto of the alliance is “Do something. Measure it.”).” (Read the full article here.)
Click here for more information about the two new open-source tools released at RSA Conference in San Francisco.
By Phil Reitinger
In August 1969, somewhere near 500,000 people gathered on a farm in New York for a music festival – an event that became “the definitive nexus for the larger counterculture generation.” On Tuesday, April 17, 2018, about 50,000 RSA Conference attendees gathered to hear Microsoft’s Brad Smith present a new “Tech Accord” – a pact signed by 34 companies to oppose the militarization of the Internet. Tired of seeing their products, and the vulnerabilities in them, drafted into the service of larger political goals, the companies promised to work together to protect all their customers against cyber attacks, regardless of source or motivation for the attacks. Make business, not war.
While it would be an exaggeration to say that this accord is an attack on the core of sovereignty – there is nothing in the Tech Accord’s commitments that suggests the signatories would not comply with a legal demand – the companies are asserting that their highest duty is to their customers and not to the companies’ countries of origin. The signatories are asserting, in my view, that they are Internet companies, and not, for example, U.S. or Finnish companies.
This approach strikes me as inevitable. The Internet is global and the companies’ customers are global, and any attempt to draw distinctions among “innocent” customers puts the companies in an untenable position of saying some customers are more important than others. Just as interesting is the promise of signatories to work together on cybersecurity efforts – that the need for collective self-defense outweighs the individual economic interests of the companies involved. To me, this sounds like an initial movement toward non-violent resistance to militant action in cyberspace.
The text of the Tech Accord commitments raises several points and questions.
- The first “Stronger defense” commitment is explicit that the companies will protect government customers from attacks by other governments. The signatories cannot stand aside when faced with geopolitical conflicts.
- The second “No offense” commitment says that “WE WILL OPPOSE CYBERATTACKS ON INNOCENT CITIZENS AND ENTERPRISES FROM ANYWHERE.” Where will the line be drawn on “innocent”? Are suspected terrorists innocent, and are criminal suspects innocent until proven guilty?
- That same commitment also says that the companies “…will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.” Is this a positive commitment that every signatory will have a Secure Development Lifecycle program? Must the risk of malicious developers be addressed?
- The “Capacity building” commitment says the companies “WILL HELP EMPOWER USERS, CUSTOMERS AND DEVELOPERS TO STRENGTHEN CYBERSECURITY PROTECTION.” Because the commitment is to empower, are the companies committing to making security products and functions interoperable? That would be a quite significant promise, called for by the U.S. Department of Homeland Security in 2011.
- The last commitment promises “Collective action.” “WE WILL PARTNER WITH EACH OTHER AND WITH LIKEMINDED GROUPS TO ENHANCE CYBERSECURITY.” This is motherhood and apple pie, and you’d be hard pressed to find someone who would argue against companies working jointly to fight cybercrime and cyber attacks. But what “partner” means in this context will be demonstrated by action.
I support this effort. While there remain ambiguities, the direction is right. I look forward to seeing how this develops and if it drives action.