Data Breaches Archives - Corsec Security, Inc.®

Just When You Thought It Was Safe To Shut Down Your Computer

Jake Nelson — Tue, 25 Sep 2018 17:27:58 +0000

Although Cold Boot Attacks are considered to be somewhat of an antiquated method, largely due to the need for an attacker to have physical access to the machine, they still represent a threat to unprotected systems.

By definition, a Cold Boot Attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. Known since 2008, these attacks target data memory remanences, sometimes containing sensitive and personal information, on a CPU’s RAM which can linger anywhere from a few seconds to a few minutes after power has been removed. By utilizing a removable disk, attackers are able to upload sensitive data and viola, you have a security breach.

Many modern systems have security countermeasures to prevent these types of attacks; by memory scrambling or encrypting RAM the ability to steal encryption keys is essentially eliminated, but a new threat could threaten most modern computers according to experts.

Researchers from F-Secure, a Finnish company, have found new methods to disable current cold boot attack firmware security measures. This attack still requires the physical access that previous cold boot attacks utilized, but the threat is still present. The company is positioned to release additional information on their findings at upcoming events and conferences.

In the meantime, companies looking to protect their data can look to modernize security functionality of their systems by following guidelines and requirements laid out within FIPS 140-2. The FIPS requirements for level 3 require, in addition to all security measures from level 1 and 2, identity-based authentication, physical security mechanisms for tamper detection and tamper response, and zeroization of keys to destroy this type of data. Implementing these changes helps to prevent cold boot attacks from ever occurring.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

IoT Expansion Opens The Door to Vulnerabilities

Jake Nelson — Wed, 11 Apr 2018 20:30:25 +0000

The IoT expansion has been innovative, immersive, and impressive; revolutionizing modern day interactions and connectivity.

To meet this demand, companies are deploying products at rapid speed, while lowering prices to promote user adoption; leaving many in the security sector concerned about user data protection and proper product security hardening.

To address these concerns, The UK is taking a proactive approach, outlining a 13-point Code of Practice for manufactures, service providers, mobile application developers, and retailers to follow related to the IoT space – “Secure by Design: Improving the Cyber Security of Consumer Internet of Things Report”.

This concept may be new to the growing IoT space, but it is already the status quo for many products in Regulated Industries, as well as heavily mandated by Federal Governments around the globe. Their requirements for certifications like FIPS 140-2, Common Criteria, and the DoD’s APL address these concerns; ensuring products protect sensitive data and implement proper security architecture frameworks prior to deployment and network integration.

For companies looking to analyze their current security strategy and implement sound product security certification practices, there is help. Corsec Security is the global leader in providing assistance in security certifications and product security hardening. With the largest staff of experts in the industry and a comprehensive end-to-end solution that includes assessment audits, documentation, testing, enterprise lab services, and strategic product roadmap planning, Corsec has helped secure more than 400 unique products for hundreds of organizations on five continents over the last 20 years.

This guidance helps companies address security requirements for healthcare, financial services, critical infrastructure, national and international markets, and now IoT. Not only do they secure products, but also foster public trust and reap rewards for security investments, enabling you to overcome competitors in a market valued at over $3.5 trillion.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Federal Modernization Efforts Continue

Jake Nelson — Wed, 06 Sep 2017 16:23:13 +0000

As part of the May 11th Executive Order on strengthening the U.S. Federal cybersecurity framework and technology infrastructure; the Director of the American Technology Council (ATC) has submitted its draft report to the President on the current and future state of Federal IT, with specific recommendations to “jumpstart a new wave of modernization efforts.”

This report is a coordinated effort by the Secretary of the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB), and the Administrator of the General Services Administration (GSA), in consultation with the Secretary of Commerce (Commerce) to outline a “modern Federal IT architecture where agencies are able to maximize secure use of cloud computing, modernize Government-hosted applications, and securely maintain legacy systems.” To accomplish this goal, the report addresses two distinct categories; 1.) Network Modernization and Consolidation, and 2.) Shared Services to Enable Future Network Architectures, both with specific actions to be implemented in the next 12 months. Each category and its required actions are as follows:

Network Modernization and Consolidation

Prioritize the Modernization of High-Risk High Value Assets (HVAs). Prioritize modernization of legacy IT by focusing on enhancement of security and privacy controls for those assets that are essential for Federal agencies to serve the American people and whose security posture is most vulnerable.
Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) Program to Enable Cloud Migration. Use real world implementation test cases to identify solutions to current barriers regarding agency cloud adoption. Update relevant network security policies and architectures to enable agencies to focus on both network and data-level security and privacy, while ensuring incident detection and prevention capabilities are modernized to address the latest threats.
Consolidate Network Acquisitions and Management.

Shared Services to Enable Future Network Architectures

Enable use of Commercial Cloud. Improve contract vehicles to enable agencies to acquire commercial cloud products that meet Government standards.
Accelerate Adoption of Cloud Email and Collaboration Tools. Provide support for migration to cloud email and collaboration suites that leverage the Government’s buying power. Define the next set of agencies to migrate to commercial email and collaboration suites.
Improve Existing and Provide Additional Security Shared Services. Provide centralized capabilities that replace or augment existing agency-specific technology to improve both visibility and security.

Each section outlines a timeline for action, including, 30, 60, 75, 80, 100, 365 day plans. ‘Taken together, these recommendations will modernize the security and functionality of Federal IT, allow the Federal Government to improve service delivery, and focus effort and resources on what is most important to customers of Government services.”

Driving this level of change will require participation and commitment at every level of government, including agency leadership, mission owners, IT practitioners, and oversight bodies. The reports states that in order to achieve this modernized IT architecture, the Federal Government will need to maximize use of shared services and commercial capabilities while accelerating the adoption of cloud email and collaboration tools, improve the existing shared services, and provide additional support to security shared services for agencies. “The future of Federal IT is one in which agencies move further toward a risk-based approach to securing their systems that places appropriate emphasis on data-level protections and that fully leverages modern virtualized technologies.”

Requests for comment are now open. For more details, view the entire report.

Subscribe to Corsec emails!

IoT Device Security – What You Need To Know

Jake Nelson — Thu, 20 Apr 2017 21:40:17 +0000

The expanding market for connected devices and the Internet of Things (IoT) has propelled demand for products that alleviate the stress of managing daily interactions; from buying groceries to protecting our homes, there is an app or device for that. To meet this demand, manufacturers are developing products at rapid speed, while trying to keep prices low to promote user adoption. This has left many in the security sector asking the question, have we taken the necessary steps to ensure these products are properly securing user data?

Internet of “Bad” Things?

The IoT industry expansion has been innovative, immersive, and impressive. The direct-to-consumer IoT device market has also faced incredible growth, however with increased access and cheaper solutions, device security is not always prioritized.

IoT products aren’t limited to just one consumer audience- in fact, you can find products directed towards any demographic. Not only are the devices sold as a singular solution, but they can also be incorporated into existing technology. Often, they are fairly inexpensive and this is what makes unsecured IoT devices a goldmine to hackers; as they are now able to infiltrate and disrupt any consumer industry. From children’s toys, home assistants, connected cars, etc; IoT devices have begun to incorporate themselves within our everyday lives.

Protecting consumer data isn’t difficult, but it is a step that many overlook in a quest for convenience or excitement in adopting the new technology.

IoT specific security standards haven’t been ratified, which means that it is up to the consumer in most cases to ensure that they are taking every precaution in securing their devices.

Here is your basic IoT Device Securing Checklist:

Identify which of your devices have communication abilities, and ensure that the hardware/software/firmware is up to date on both the IoT device and whatever device you are establishing a connection with.
Upon your first use of the IoT device, update your user credentials. Do not just keep the credentials on the factory/default setting.
Disable any Universal Plug and Play (UPnP) option, and disable any automatic connections to the device.
Check to see if there is a competing product that has gone through the security certification process. A FIPS 140-2 certification shows that the product has undergone extensive testing and that the crypto functionality of the solution is up to NIST/government standard.

If you are unsure of whether or not your IoT solution could benefit from obtaining a security certification like: FIPS 140-2, Common Criteria, or DoDIN APL; contact Corsec to discuss your options.

Subscribe to Corsec emails!

Your Security Strategy – Are You At Risk?

Jake Nelson — Tue, 06 Dec 2016 17:09:04 +0000

$7 Million Dollars – According to a recent study by IBM, that’s the average cost of a security breach. The overall brand damage can be catastrophic, huge financial losses and customer abandonment. Companies like Target and JPMorgan are still dealing with the aftermath from breaches. The ramifications can last years, or even worse, put you under.

Avoiding these scenarios with proper product certifications is fundamental. For software, hardware, and firmware solutions, a FIPS 140-2 validation, Common Criteria evaluation, or listing on the DoDIN APL helps harden product security, BUT cutting corners on your certifications could still cost you.

When you work with a partner or lab, you’re extending your workforce, augmenting your engineering, and entrusting your development to others during each phase of your certification effort. This partner will play a large role in the security of your brand – asking the right questions upfront ensures protection of your product and your company:

Are you in a secured facility and how do you enforce controlled access?
Is your staff properly trained, including cleared background checks?
What is your supply chain policy for IP protection and qualify assurance?

These are just three of the larger issues that could put your brand at risk. Remember, you get what you pay for.

Corsec offers all of our partners the highest level of IP protection. Our Turnkey Solution to certifications and state of the art Infrastructure Support ensures your certification is done once, and done right.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe