4-25-14 Podcast Resources

A free new Heartbleed vulnerability scanner tool

http://www.csoonline.com/article/2146986/network-security/crowdstrike-offers-new-free-heartbleed-scanner-tool.html

C-IT Recommendation

  1. Consult with your Vulnerability and Threat Management Team/Individual (VTM).
  2. Ensure the VTM Team/Individual has discovered all devices vulnerable to Heartbleed.
  3. Verify that the keys and certificates have been replaced on your vulnerable SSL servers.
  4. Request that the team validate the vulnerability has been cleaned up by running the CrowdStrike scanner, or a similar scanner, to obtain the results of your remediation efforts. A rescan also reveals servers that were missed in the initial scan or scans, whether because of downtime or because they were no longer on the network when discovery ran.
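As an added example (not from the article or the CrowdStrike tool), the Python below reconciles an initial scan, a rescan and the certificate each host now serves, which is the verification steps 3 and 4 ask for: hosts the rescan could not reach, hosts still vulnerable, hosts patched but still serving a pre-fix certificate, and hosts that only the rescan discovered. Host names, scan results and certificate dates are constructed; the fix date assumed is 2014-04-07, when OpenSSL 1.0.1g was released.

```python
import ssl
from datetime import datetime, timezone

# OpenSSL 1.0.1g, the Heartbleed fix, was released 2014-04-07. A key pair
# still in use but issued before then may have been exposed and should
# have been replaced, not just left in place after patching.
FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def cert_reissued(cert, fix_date=FIX_DATE):
    """True if the certificate's notBefore is after the fix date.
    `cert` has the shape returned by ssl.SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(not_before, tz=timezone.utc) > fix_date

def remediation_status(initial_scan, rescan, certs):
    """Reconcile the two scans and the served certificates per host.
    initial_scan / rescan map host -> True if Heartbleed was detected;
    a host absent from a scan was not reached (down, moved, missed)."""
    status = {}
    for host in sorted(set(initial_scan) | set(rescan)):
        if host not in rescan:
            status[host] = "not reached in rescan"
        elif rescan[host]:
            status[host] = "still vulnerable"
        elif not initial_scan.get(host, True):
            status[host] = "not affected"  # clean in both scans
        elif host not in certs or not cert_reissued(certs[host]):
            # Patched, but the potentially leaked key is still in service
            status[host] = "patched but key/certificate not reissued"
        elif host not in initial_scan:
            status[host] = "remediated (missed by initial scan)"
        else:
            status[host] = "remediated"
    return status

# Constructed sample data: hypothetical hosts, results and cert dates.
INITIAL = {"web1": True, "web2": True, "vpn1": True, "mail1": False}
RESCAN = {"web1": False, "web2": False, "mail1": False, "legacy9": False}
CERTS = {
    "web1": {"notBefore": "Apr 10 09:00:00 2014 GMT"},    # reissued
    "web2": {"notBefore": "Jan 15 00:00:00 2014 GMT"},    # pre-fix cert
    "mail1": {"notBefore": "Mar 11 00:00:00 2014 GMT"},
    "legacy9": {"notBefore": "Apr 12 00:00:00 2014 GMT"},
}

if __name__ == "__main__":
    for host, state in remediation_status(INITIAL, RESCAN, CERTS).items():
        print(f"{host:8} {state}")
```

In a real run the certificate dicts come from `getpeercert()` on a connection to each host in the VTM inventory, and the two scan dicts from the scanner's exported results.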

Article Resources

CrowdStrike blog post detailing the tool

http://www.crowdstrike.com/blog/new-community-tool-crowdstrike-heartbleed-scanner/index.html

Download the free CrowdStrike scanner

http://www.crowdstrike.com/community-tools/index.html


AIG’s new addition to Cyber Security Coverage

http://www.securityweek.com/aig-expands-coverage-include-physical-damage-caused-cyber-attacks

http://www.csoonline.com/article/2146983/media-and-entertainment-industry-targeted-in-cyberattacks.html

C-IT Recommendation

  1. Consult your Risk Management team to see if your company has any cybersecurity insurance.
  2. If you have coverage, ensure the organization has performed an information security risk assessment to confirm the current coverage is adequate for your company’s risk appetite. If you do not have coverage, consider performing an information security risk assessment and using it to decide whether to transfer potential financial loss to an insurer; in the case of a data breach, such losses can include forensic investigations, credit monitoring, reputation management, business interruption, and compliance with state breach notification laws.
  3. Evaluate whether a failure of any of your information systems has the potential to cause bodily injury to customers or employees.
  4. Bring in an insurance company that is able to provide physical damage coverage to perform a coverage feasibility assessment, which will tell you whether your company is eligible, as well as the terms and costs of your coverage.

Article Resources

AIG Cyber Edge PC Insurance

http://www.aig.com/cyberedge-pc_3171_595334.html


Apple’s series of security updates

http://www.securityweek.com/apple-issues-slew-security-updates-os-x-ios

http://www.infosecurity-magazine.com/view/38098/apple-fixes-critical-triplehandshake-flaw/

C-IT Recommendation

  1. Perform an asset inventory of all company-owned Apple assets running iOS and OS X, including desktops, laptops, iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. Your company should have a configuration management database showing which devices run which operating system versions. For non-company-owned assets in a bring-your-own-device (BYOD) model, notify employees who access company data from personal Apple devices to apply security update 2014-002 to their devices. Back up a set of test devices for each of the iOS and OS X systems, then apply security update 2014-002 to the test devices.
  2. Test the business functionality of each type of device and record any issues impacting business functions on the devices.
  3. If the testing produces no issues, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage Apple support and/or vendor support if specific applications are negatively impacted.
  4. Finally, as always, it is good practice to run a vulnerability scan against the devices.
  5. If you have a mobile device management solution for BYOD employees, enforce policies that deny network access to devices without the update, where possible.

**If you do not have a mobile device management solution in a BYOD model, strongly recommend that users install the security updates. Failure to do so may result in your employees’ devices compromising your company’s information and/or costing the employees or your organization a ton of money.**

Article Resources

Apple support knowledge base

http://support.apple.com/kb/HT6207

CIO Magazine on BYOD

http://www.cioupdate.com/technology-trends/byod-byoc-may-change-everything-about-security.html

Inc Magazine on BYOD

http://www.inc.com/bzur-haun/legal-backlash-of-bring-your-own-device-policies.html