Principal Security Engineer, Patrick Kelley, was given the opportunity to Guest Lecture for the Master of Science in Information Systems - Cybersecurity Concentration, last evening. The discussion was centered around implementation of security controls in cloud environments and the anatomy of a Penetration Test.
NIST 800-171 – 12/31/2017 – Less than 90 days until the deadline!
Contracted information systems not part of an IT service or system operated on behalf of the Government must adhere to the following requirements:
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
. . . the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. . .
In order to protect valuable corporate assets and prove due diligence, security assessments and validation of controls are required on a regular basis. To adhere to regulatory compliance, these tasks are generally scheduled in advance and involve the repeated use of a single person or group of professional penetration testers. In this established routine lies a potential problem.
Penetration Testing is an art based on well-trained and highly creative individuals. Their most important task is to replicate attack strategies that many adversarial groups would launch against the corporate assets, defined as Physical Infrastructure or Intellectual Property. Threat Actors use widely different methods of attack plans, with an even more diverse range of tools, making it impossible to develop a “one size fits all” defense plan.
The growth of social media, coupled with the increasing adoption of BYOD (Bring Your Own Device) present new challenges for network security. This paper provides proof of concept on how a carefully crafted Reverse Social Engineering (RSE) attack, using social media platforms such as Facebook or LinkedIn, can compromise mobile devices used by professionals. As a result of BYOD, these compromised devices are readily given network access. Access is likely just as high as the user’s normal access using a company provided workstation that stays in the environment at all times. This allows an attacker to establish a foothold within the network to launch further attacks. We will also examine the best practices to defend against this growing threat. Read More
