Shoaib Yousuf

Ongoing Investments Have To Be Made To Protect Corporate And Online Perimeters

2012-06-02T20:00:00.000+10:00

Why Hacktivists Attack?

Hacktivists usually attack because they want to embarrass their targets.

This week, Anonymous took credit for hacking a server at the United States Bureau of Justice Statistics, copying 1.76 GB of data and posting it online.

Why? "... to spread information, to allow the people to be heard and to know the corruption in their government. We are releasing it to end the corruption that exists, and truly make those who are being oppressed free," hackers claiming to be part of Anonymous posted on AnonNews.org.

Another example: this week's takedown of WHMCS, a UK-based online billing platform used by Web hosting providers throughout the world. The hacktivist group known as UGNazi took credit for a breach of WHMCS's database - a breach that likely exposed details on 500,000 payment cards.

The group also launched a denial of service attack on one of WHMCS's servers, which ultimately took the platform's site down for 24 hours and disrupted service to its global client base. Why? UGNazi says it targeted WHMCS because the company refused to address security vulnerabilities.

In a May 23 post on Pastebin, UGNazi hacker Cosmo says WHMCS's database was leaked because the company ignored UGNazi's warnings about security concerns linked to its Web hosting provider, HostGator.

Cosmo writes: "It is now 2 days after the attack from us and the site is back up and it still remains on HostGator after Matt knows it is insecure. ... We laugh at your security."

UGNazi hackers reportedly socially engineered customer service reps at HostGator into coughing up admin credentials to WHMCS's servers.

How could WHMCS have avoided this attack? Perhaps by publicly responding to the threats and admitting it needed to enhance security.

Official Australian e-health info page defaced

2012-05-31T19:54:00.000+10:00

Australian website hacked!

An apparent trio of ‘hackers’ operating under the LatinHackTeam banner has claimed the Australian Government’s Department of Health and Ageing eHealth education site as its 13,789th ‘defacement‘ victim.

The group’s latest record on Zone-H, a site that archives website vandalisations, is the department’s eHealth education site, publicleanring.ehealth.gov.au.

The site is a learning portal aimed at preparing consumers and healthcare professionals for the July 2012 launch of eHealth records in Australia. “infEkt”, “Adminp4nic” and “eCore” apparently do their homework, claiming to have targeted the site because they were “Against government corruption !!” “We are LatinHackTeam. We are three. We dont (sic) make DDOS. We do research. Respect us! Land of liberty, home of the brave..”

Most of the trio’s recent targets appear to be the websites of government organisations, but they occasionally stray to target organisations like the Spanish Red Cross in Granada, regional websites of Amnesty International, and the Creative Commons (Peru). The most recent Australian target before the eHealth site was the Australian website of global automotive stereo company, Alpine. In that defacement, which occurred on May 6, the group said it was “Against Monopoly Companies”.

The snapshot of the Department of Health and Ageing’s eHealth education site defacement appears to have been taken on May 17.

Source CSO Australia

Video: How Viruses Attack a PLC/HMI without Deep Packet Inspection via an USB memory stick?

2012-05-30T17:25:00.000+10:00

Virus Attack & Prevention With/Without Deep Packet Inspection

In the first video, Eric Byres, cto and vp Engineering of Tofino Security, a Belden Co., shows how a worm can attack a PLC/HMI in a simulated Oil and Gas environment. This video sees Deep Packet Inspection in action to prevent a USB thumb drive attack.

The second video sees Deep Packet Inspection in action to prevent a USB thumb drive attack

Checklist security of ICS/SCADA systems

2012-05-28T17:09:00.000+10:00

Brief Good Practice Guidelines for ICS/SCADA Systems Security

ICS/SCADA is used in many different areas, varying from very critical systems and processes to simple applications. It is up to their owners to decide which level of security and depth of measures are necessary. This checklist makes a distinction between organisational and technical/operational measures.

A brief explanation is provided for each measure, including references to additional background information and/or tips for implementation. The checklist focuses on measures against the most frequent vulnerabilities and security problems. It is important to note that complying with all items on this checklist does not mean that your organisation is fully protected and 100% safe.

Background

Hackers and security researchers are increasingly and visibly turning their attention to the security of process control systems (ICS/SCADA). Systems that can be accessed directly from the Internet are especially at risk, although this Internet connection is not the only potential security problem for process control environments.

The National Cyber Security Centre (NCSC) has therefore developed this ICS/SCADA system security checklist. This checklist may help your organisation to determine whether the ICS/SCADA environment is sufficiently protected based on measures considered ‘good practice’.

Another publication is the NCSC Fact sheet 2012-01 entitled ‘Security risks of online SCADA systems’, including a checklist focused on reducing the risk of (undesirable) Internet connections of SCADA systems.

Context of this checklist

ICS/SCADA is used in many different areas, varying from very critical systems and processes to simple applications. It is up to their owners to decide which level of security and depth of measures are necessary.

Download

Checklist security of ICS-SCADA systems

Utilities Sector Have The Poorest Governance Practices

2012-05-26T20:32:00.000+10:00

Corporate Boards Still In the Dark About Cybersecurity

As the U.S. natural gas pipeline sector and the Department of Homeland Security square off against malicious cyber intrusions aimed at companies, along comes yet another study that highlights serious governance shortcomings of critical infrastructure companies when it comes to cybersecurity.

“The Governance of Enterprise Security: CyLab 2012 Report” [PDF], released last week by Carnegie Mellon University, offers the first side-by-side comparison of industries on governance practices and cybersecurity oversight.

Compared against the financial, IT/telecom, and industrials sectors, energy/utilities companies fared the worst. “Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices,” writes study author Jody Westby in Forbes (a co-sponsor of the survey, along with RSA).

“When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two.” The energy/utilities sector responses, as reported by Forbes, broke down as follows:

71 percent of their boards rarely or never review privacy and security budgets.
79 percent of their boards rarely or never review roles and responsibilities.
64 percent of their boards rarely or never review top-level policies.
57 percent of their boards rarely or never review security program assessments.

The energy/utilities respondents also “placed the least value on IT experience when recruiting board members,” writes Westby, the CEO of the consultancy Global Cyber Risk. Westby finds the energy/utilities results particularly troubling: “What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity,” she says.

The sector is also heavily dependent on industrial control systems (known by the acronym SCADA), “most of which were not designed for security and have no logging functions to enable forensic investigations of attacks,” she adds. The survey noted that overall, “the financial sector has better privacy and security practices than other industry sectors.”

The financial sector got the highest marks on undertaking best practices, and respondents from those companies also indicated “they are much farther ahead in establishing risk committees” on the board:

78 percent said they had a risk committee separate from the audit committee, compared to 44 percent among industrials, 35 percent among energy/utilities, and 31 percent among IT/telecom. The energy/utilities and the IT/telecom sectors were the least likely to review cyber insurance coverage—79 percent and 77 percent, respectively, said they did not do so. Meanwhile, 52 percent of financial sector boards and 44 percent of industrial sector boards said they didn’t perform a review.

But as the first round of CyLab survey findings published earlier this year revealed, governance around cyber risk is generally lacking. Despite holding extensive troves of digital assets—and bearing an explicit fiduciary duty to protect those assets—boards and senior management “are not exercising appropriate governance over the privacy and security of their digital assets,” according to the results.

These findings on board oversight dovetail with those of a 2011 study by the Center for Strategic and International Studies and McAfee, focused on power, oil, gas, and water companies around the world. That report, too, uncovered a similar dearth of preparedness.

“What we found is that they are not ready,” wrote the authors of last year’s “In the Dark: Crucial Industries Confront Cyberattacks” [PDF]. “The professionals charged with protecting these systems report that the threat has accelerated—but the response has not.”

Those threats, as reported by company executives, increased substantially from the previous year. In the 2010 survey, “nearly half of the respondents said that they had never faced large-scale denial of service attacks or network infiltrations,” according to the authors.

By 2011:

80 percent of respondents said they had faced a large-scale denial of service attack.
80 percent of respondents said they had faced a large-scale denial of service attack.
85 percent said they had experienced network infiltrations.
A quarter of respondents reported daily or weekly denial-of-service attacks on a large scale.
Nearly two-thirds said that, on at least a monthly basis, they found malware designed for sabotage on their system.

Yet the bottom line for corporate cybersecurity was still disappointing: “Most companies failed to adopt many of the available security measures. This means that, for many, security remained rudimentary.”

Refer here to read more details.

Beware fake Chrome installers for Windows.

2012-05-24T18:32:00.000+10:00

Fake Google Chrome Installer Steals Banking Details

A file named "ChromeSetup.exe" is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won't install Google's Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.

Once the malware--which appears to be targeting Latin American users, especially in Brazil and Peru--is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed uninstall GbPlugin, which is "software that protects Brazilian bank customers when performing online banking transactions," said Trend Micro security researcher Brian Cayanan in a blog post. "It does this through the aid of gb_catchme.exe--a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas."

Refer here to read further details.

How to protect your Facebook account from hackers?

2012-05-21T20:12:00.001+10:00

Nine Major Ways Criminals Use Facebook

Hacking Accounts

When criminals hack a Facebook account, they typically use one of several available “brute force” tools, Grayson Milbourne, Webroot’s Manager of Threat Research for North America, told 24/7 Wall St. in an interview. These tools cycle through a common password dictionary, and try commonly used names and dates, opposite hundreds of thousands of different email IDs.

Once hacked, an account can be commandeered and used as a platform to deliver spam, or — more commonly — sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.
Commandeering Accounts
A more direct form of identity theft, commandeering occurs when the criminal logs on to an existing user account using an illegally obtained ID and password. Once they are online, they have the victim’s entire friend list at their disposal and a trusted cyber-identity.

The impostor can use this identity for a variety of confidence schemes, including the popular, London scam in which the fraudster claims to be stranded overseas and in need of money to make it home. The London scam has a far-higher success rate on Facebook — and specifically on commandeered accounts — because there is a baseline of trust between the users and those on their friends list.
Profile Cloning
Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner will then send friend requests to all of the victim’s contacts. These contacts will likely accept the cloner as a friend since the request appears to be from someone they’re familiar with. Once accepted, the crook has access to the target’s personal information, which they can use to clone other profiles or to commit fraud.

As Grayson Milbourne puts it, “Exploiting a person’s account and posturing as that person is just another clever mechanism to use to extract information.” Perhaps what’s scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a registered account.
Cross-Platform Profile Cloning

Cross-platform profile cloning is when the cyber criminal obtains information and images from Facebook and uses them to create false profiles on another social-networking site, or vice versa. The principle is similar to profile cloning, but this kind of fraud can give Facebook users a false sense of security because their profile is often cloned to a social platform that they might not use. The result is that this kind of fraud may also take longer to notice and remedy.
Phishing
Phishing on Facebook involves a hacker posing as a respected individual or organization and asking for personal data, usually via a wall post or direct message. Once clicked, the link infects the users’ computers with malware or directs them to a website that offers a compelling reason to divulge sensitive information. A classic example would be a site that congratulates the victims for having won $1,000 and prompts them to fill out a form that asks for a credit card and Social Security number.

Such information can be used to perpetrate monetary and identity fraud. Grayson Milbourne of Webroot, also explained that spearphishing is becoming increasingly common, a practice that uses the same basic idea but targets users through their individual interests.
Fake Facebook
A common form of phishing is the fake Facebook scam. The scammers direct users via some sort of clickable enticement, to a spurious Facebook log-in page designed to look like the real thing. When the victims enter their usernames and passwords, they are collected in a database, which the scammer often will sell.

Once scammers have purchased a user’s information, they can take advantage of their assumed identity through apps like Facebook Marketplace and buy and sell a laundry list of goods and services. Posing as a reputable user lets the scammer capitalize on the trust that person has earned by selling fake goods and services or promoting brands they have been paid to advertise.
Affinity Fraud
In cases of affinity fraud, con artists assume the identity of individuals in order to earn the trust of those close to them. The criminal then exploits this trust by stealing money or information. Facebook facilitates this type of fraud because people on the site often end up having a number of “friends” they actually do not know personally and yet implicitly trust by dint of their Facebook connection.

Criminals can infiltrate a person’s group of friends and then offer someone deals or investments that are part of a scheme. People can also assume an identity by infiltrating a person’s account and asking friends for money or sensitive information like a Social Security or credit card number.
Mining Unprotected Info
Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their emails, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information is often used as passwords or as answers to secret security questions.

While the majority of unprotected information is mined for targeted advertising, it can be a means to more pernicious ends such as profile cloning and, ultimately, identity theft.
Spam
Not all spam — the mass sending of advertisements to users’ personal accounts — is against the law. However, the existence of Facebook and other social sites has allowed for a new kind of spam called clickjacking. The process of clickjacking, which is illegal, involves the hacking of a personal account using an advertisement for a viral video or article.

Once the user clicks on this, the program sends an advertisement to the person’s friends through their account without their knowledge. This has become such an issue for the social media giant that earlier this year that the company has teamed up with the U.S. Attorney General to try to combat the issue.

The evolving role of the CISO

2012-05-19T19:24:00.000+10:00

New study by IBM

A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.

Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising, concludes Finding a strategic voice, a new study from IBM.

The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. “In today’s hyper-connected world,” states the report, “information security is expanding beyond its technical silo into a strategic, enterprise-wide priority,” driven by the increasing number of high profile attacks.

The result is that while “many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk.” Key to this is that business is beginning to understand what security experts have been saying for years: security is not a thing or a product that can be bought and installed – it is a continuous process at the heart of the business itself.

“The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness.” Influencers have a strategic role on business security. “Responders,” says the report, “are more tactically oriented.

They are concentrating on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff. While technology and business processes are still important to Influencers, they are in the mode of continuously innovating and improving rather than establishing basic capabilities.”

In reality, the clear implication here is that business either needs both an influencer and a responder, or that the influencer needs also to be a responder: strategy needs implementation tactics. But what of the protectors? This is the traditional view of security. Almost half of the report’s respondents take this role, a role that is likely to be the most prevalent in smaller companies.

“These security leaders,” says IBM, “recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.” “This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, IBM’s author of the report.

“We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”

In short, this IBM study demonstrates that security and the role of the CISO is evolving from a reactive stance to a proactive stance, both within security itself and the wider business – but there is still a long way to go from protector to influencer.

To read further please refer here.

NIST Drafting New Guidance to Mitigate Supply Chain Risk

2012-05-17T19:20:00.000+10:00

10 Practices to Secure the Supply Chain

Guidance that identifies 10 overarching practices to mitigate supply chain risks is being developed by the National Institute of Standards and Technology. Supply chain risks can occur when organizations purchase and implement information and communications technology products and services.

"Supply chain risk is significant and growing," says Jon Boyens, a NIST senior advisor for information security who's co-authoring the new guidance, NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems.

This is the second draft of IR 7622. In the latest version, NIST computer scientists pared to 10 from the 21 prescriptive practices to blunt supply chain risks described in the initial draft. They are:

Uniquely identify supply chain elements, processes and actors;
Limit access and exposure within the supply chain;
Create and maintain the provenance of elements, processes, tools and data;
Share information within strict limits;
Perform supply chain risk management awareness and training;
Use defensive design for systems, elements and processes;
Perform continuous integrator review;
Strengthen delivery mechanisms;
Assure sustainment activities and processes; and
Manage disposal and final disposition activities throughout the system or element life cycle.

Supply chain risk management, as described in the guidance, is a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using information and communication technology products and services.

The publication calls for procurement organizations to establish a coordinated team approach to assess the supply chain risk and to manage this risk by using technical and programmatic mitigation techniques. Improving the supply chain is part of the federal government's Comprehensive National Cybersecurity Initiative, which states that managing risk requires a greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions.

"The growing sophistication of technology and increasing speed and scale of a complex, distributed global supply chain leave government agencies without a comprehensive way of managing or understanding the processes from design to disposal, and that increases the risk of exploitation through a variety of means including counterfeit materials, malicious software or untrustworthy products," according to a NIST statement that accompanied the latest draft.

NIST is basing IR 7622 on security practices and procedures it published along with those from the National Defense University and the National Defense Industrial Association. NIST is expanding the guidance to meet specific demands of the supply chain. Before issuing the final guidance later this year, the authors of IR 7622 seek comments on the document, including prioritizing the supply chain risk management components.

To help understand how the proposed process works, the authors want reviewers to consider how the practices could be applied to recent and upcoming procurement activities and provide comments on the practicality, feasibility, cost, challenges and successes. Comments should be sent to scrm-nist@nist.gov by May 25.

Top 15 Paying IT Certifications According to Global Knowledge Training

2012-05-15T20:12:00.000+10:00

Certifications are good for marketing and a necessary evil, but certainly not the be all/end all!

Global Knowledge Training LLC published a white paper outlining the top 15 paying IT certifications for 2012 based upon a survey they conduct annually. In the white paper, they don’t specify how they selected their sample for the survey; however they do maintain that the certifications and associated salaries were included only if there were at least 200 responses for that particular certification in the survey.

As such (and as the author points out), some certifications that do not have a large population in the work force (or that are more exclusive) may be inadvertently – and obviously – missing from this list (e.g., CCIE, VCDX, or OCSP).

Here are the results from the survey:

PMP - Project Management Professional $111,209
CISSP – Certified Information System Security Professional $110,342
CCDA – Cisco Certified Design Associate $101,915
ITIL v3 Foundation $97,691
MCSE – Microsoft Certified Systems Engineer $91,650
VCP – Vmware Certified Professional $91,648
CCNP – Cisco Certified Network Professional $90,457
CompTIA Server+ $84,997
MCITP – Microsoft Certified IT Professional $84,330
CCNA – Cisco Certified Network Associate $82,923
MCSA – Microsoft Certified Systems Administrator $82,923
CompTIA Security+ $80,066
MCP – Microsoft Certified Professional $79,363
CCENT – Cisco Certified Entry Network Technician $74,764
CompTIA Network+ $71,207

These results are based on US job market but you can use these figures as a benchmark or if you already have above certification, you can campre your salary with the US market.

MyCPEs.com is a free online tool built to help certified professionals manage and track their continuing education. Sign up for a free account now.

Basic checklist for Remove Access Security

2012-05-13T20:41:00.000+10:00

The Remote Access Security Checklist

The checklist of must-haves for any remote access policy.

Remote Access Policy Security Checklist

Antivirus software with real-time protection enabled - Make sure company-approved antivirus software is included on all remote access devices and set to update regularly.

Required personal firewall - In addition to antivirus software, a personal firewall should be configured and enabled on all remote devices. If a threat is detected all communications should be blocked.

Defined operating systems - Only allowed operating systems should be able to connect to the corporate network. If your company only uses and supports Windows computers, you should disallow *nix, Macs, etc.

Time out periods – Should be defined and set to when there is no activity on the computer. If there is no activity for 30 minutes for example, enforce a policy so the connection terminates. Be careful to test and make sure a download or upload triggers activity.

Targeted access to systems while on VPN - Only allow access to necessary internal resources. If a department only accesses one application on your internal network only provide them with access to that application.

Non-Disclosure Agreement - Vendors, third party companies, and even employees should sign an NDA in order to gain remote access. This will help protect any confidential information.

Whitepaper: HMI/SCADA System Security Gaps

2012-05-11T20:37:00.000+10:00

Understanding and Minimizing Your HMI/SCADA System Security Gaps

Being at the heart of an operation’s data visualization, control and reporting for operational improvements, HMI/SCADA systems have received a great deal of attention, especially due to various cyber threats and other media-fueled vulnerabilities.

The focus on HMI/SCADA security has grown exponentially in the last decade, and as a result, users of HMI/SCADA systems across the globe are increasingly taking steps to protect this key element of their operations. The HMI/SCADA market has been evolving over the last 20 years with functionality, scalability and interoperability at the forefront.

For example, HMI/SCADA software has evolved from being a programming package that enables quick development of an application to visualize data within a programmable logic controller (PLC) to being a development suite of products that delivers powerful 3-D visualizations, intelligent control capabilities, data recording functions, and networkability. With HMI/SCADA systems advancing technologically and implementations becoming increasingly complex, some industry standards have emerged with the goal of improving security. However, part of the challenge is knowing where to start in securing the entire system.

The purpose of this paper is to explain where vulnerabilities within a HMI/SCADA system may lie, describe how the inherent security of system designs minimize some risks, outline some proactive steps businesses can take, and highlight several software capabilities that companies can leverage to further enhance their security.

Refer here to download this website. (Registration Required)

Top 20 Critical Security Controls

2012-05-09T18:29:00.000+10:00

Twenty Critical Security Controls for Effective Cyber Defense

The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through.

With the change in FISMA reporting implemented on June 1, the 20 Critical Controls become the centerpiece of effective security programs across government These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far reaching impact.

These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.

20 Critical Security Controls – Version 3.1Critical Control

by http://www.sans.org

New Study Shows Internet Vulnerabilities Drop, Yet Risks Rise

2012-05-07T19:48:00.000+10:00

Symantec 2011 Security Trends: Beware Insider Threats

There's some good news on the cybersecurity front, for a change: The number of Internet vulnerabilities identified by Symantec dropped 20 percent last year, according to the security technology company's just-released annual Internet Security Threat Report.

The tone of the rest of the report, however, isn't so optimistic. In fact, it's downright gloomy, as the company cautioned the IT security community about an 81 percent uptick in malicious attacks and the expectation of more to come in 2012.

IT managers jittery about defending their organizations' information systems should look over their shoulders from time to time. The insider, as we've been told time and time again, remains - and is likely to continue to be - one of the biggest threats.

"While external threats will continue to multiply, the insider threat will also create headlines, as employees act intentionally - and unintentionally - to leak or steal valuable data," Symantec notes.

Why? Because we're not doing enough to educate employees and customers about security and risk. Symantec's Global Intelligence Network monitors hacking and Internet attacks in more than 200 countries and territories. It also maintains a database that holds almost 48,000 recorded vulnerabilities from nearly 16,000 global vendors.

So, Symantec's analysis is one of the best available, at least where Internet security threats and trends are concerned. The actual number of Internet vulnerabilities identified by Symantec dropped 20 percent from 2010, and Symantec, for its part, blocked more than 5.5 billion malicious attacks in 2011 -- 81 percent more than it blocked the previous year.

Hacking exposed more than 187.2 million identities last year, Symantec found. But the root of most data breaches is not linked to hacks; it's linked to old-fashioned theft and/or sloppy security, such as through the loss of a laptop.

Symantec does offer advice, such as keeping antivirus software up-to-date and enforcing effective password policies. All important, but without the education piece, we won't have a fighting chance.

Refer here to download the report.

VIDEO: 36 websites selling credit card details shut down

2012-05-05T19:03:00.000+10:00

Cybercrime is big business these days, in fact it's an industry

Authorities are taking action against those who are turning cybercrime into such a significant underground industry.

So it's not a surprise to find that criminals are embracing ecommerce. Sophos advised that users will be surprised to discover just how professional and legitimate criminal websites can appear.

The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.

For instance, watch the following video to see footage of a website that was selling stolen credit card details.

FBI Advises Internet Users To Test For DNSChanger

2012-05-03T18:57:00.000+10:00

Remember to Check for Malware

The FBI is providing greater urgency for computer users to monitor their systems for malware. By July 9, victims of the malware DNSChanger may lose access to the Internet.

Is yours one of the estimated half a million computers infected? Be sure to check by July 9, the date the FBI says victims may lose Internet access. Here are tips from the FBI on how to test your system for the malware.

Russian Hackers Made $4.5 Billion in Cyber Crime

2012-04-30T18:54:00.000+10:00

Russians are hacking into computers and cell phones to make millions!

Few nationalities are as good at making money from hacking than the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud.

Earlier this year, Facebook blew the cover off the malware gang Koobface. All five of their members were Russians from St. Petersburg. Eugene Kapersky, the CEO of software security firm Kaspersky Lab, also based in Moscow, said that the Koobface gang had become millionaires thanks to their hacking skills. “The cybercrime market originating from Russia costs the global economy billions of dollars every year,” said Ilya Sachkov, Group-IB’s CEO.

“Although the Russian government has taken some very positive steps, we think it needs to go further by changing existing law enforcement practices, establishing proper international cooperation and ultimately improving the number of solved computer crimes.”

The word “hacking” can cause tempers to flare up to 120 degrees or more among hard core computer geeks. Not all hacking is intolerable, or illegal. But a lot of it is, and the Russian computer geniuses walk the red carpet within the international hacker community.

Refer here to read the full news.

The Risk of Social Engineering on Control Systems

2012-04-29T19:44:00.000+10:00

Social engineering provides an effective means for attackers to gain access to systems

While many social engineering attempts, such as those that we receive in our inbox every day in the form of spam and phishing emails, are easy for most to recognize, these attempts can also be highly targeted and conducted in a way that is much more difficult to detect.

Phone-based social engineering attempts were recently experienced at two or more power distribution companies. The utilities received a call from a representative of large software company – yes, that one that sold them the operating system on their computers – warning them that their PCs had viruses and to “Please take the following steps so I can help you correct the problem.”

The calls purported to be from the “Microsoft Server Department” informing the utilities that they had a virus. Of course, it wasn’t really Microsoft calling, but rather an attacker, attempting to socially engineer the utilities to gain access to their systems. The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access).

Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempts, refused to comply, and hung up. This event points out the need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts.

If you are unsure whether the request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided in a URL or link connected to the request; instead, check previous statements or go to the website directly for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

ICS-CERT recommends that organizations remind users to review US-CERT TIP Avoiding Social Engineering and Phishing Attacks to learn more about what to look out for and what to do if you have fallen victim to this. If you have experienced something similar or think you have revealed sensitive information about your organization, ICS-CERT recommends reporting it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.

In addition, immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. ICS-CERT also encourages reporting these incidents to ICS-CERT or your local ISAC’s for tracking and correlation.

ICS-CERT issued an alert on the US-CERT Secure Portal warning asset owners and operators of this observed activity. ICS-CERT often releases information pertaining to a wide variety of threats on the US-CERT Secure Portal as well as to the ICS-CERT public web page.

Asset owners and operators can request access to this vetted access portal by e-mailing ICS-CERT@dhs.gov.

Source: http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_March_2012.pdf and infosecisland.

The Risks Of Cloud Computing in Plain English

2012-04-26T18:48:00.000+10:00

Know the Risks Before You Head to the Cloud

A "cloud" solution is generally typified by remote access to computing resources and software functionality and frequently involves the storage and maintenance of related data. Today, cloud computing facilitates applications, e-mail, peer-to-peer communication, content sharing, and electronic transactions or storage for nonprofits.

In many respects, the “cloud” has become a synonym for the “Internet” as cloud computing now encompasses nearly all available computing services and resources. Cloud offerings utlilized by nonprofits tend to come in three flavors. Infrastructure as a Service (IaaS) offerings deliver information technology infrastructure assets, such as additional computing power or storage.

Platform as a Service (PaaS) offerings provide a computing platform with capabilities, such as database management, security, and workflow management, to enable end users to develop and execute their own applications. And, Software as a Service (SaaS) offerings provide software applications on a remotely accessible basis. SaaS offerings are probably the most commonly understood type of "cloud" solution.

These benefits create flexibility and potentially lower costs for the cloud customer. It is therefore not surprising that this type of computing solution has rapidly become a key component to the operation of many nonprofit organizations. Despite these potential benefits, cloud computing doesn't come without risk.

Below is a list of legal risks and issues for a nonprofit to consider when procuring or using a cloud solution. These risks and issues can appear as either a contractual or an implementation issue.

Take It or Leave It: Many cloud solution agreements are non-negotiable or more favorable to the provider than the end user, which places a greater emphasis on pre-negotiation analysis in order to work around inflexible contracts.

All Services, All the Time: All computing and software providers are morphing into service providers, and this change may impact the fee structure, term length, and available warranties.

Law Is Behind the Times; Contracts Even More Important: Existing laws and governance models have not kept pace with technological development, and this may leave the contract as the only means for dispute resolution.

It's All Online: Privacy and information security concerns will only increase with cloud usage.

Less Control of Subcontractors: Cloud providers tend to use subcontractors for hosting, storage, and other related services, and these subcontractors may not be readily known or otherwise liable or responsible for performance under the agreement.

Some Things May Not Be Worth the Risk: The inherent risks associated with cloud computing may make its utilization inappropriate for mission-critical I.T. services or resources.

Not Everybody is on the Same Page: Different cloud solutions on different hardware may increase the possibility of incompatibility with outside software or network systems, i.e., compatibility will be dictated by the provider and not by the customer.

Know Your SLAs: Service level agreements (SLAs) vary and may be inadequate and unchangeable.

General Outages May Be Likelier: Shared resources may increase susceptibility to a single-point of failure.

Only What You Need: The terms of a license agreement may not fit the service being offered, e.g., cloud providers may grant themselves a greater right to use a customer’s data or materials than necessary to provide the cloud solution.

Own Your Data: It will be more imperative than ever to hold on to the ownership and secrecy of data and materials used with the cloud solution in order to retain rights and ensure confidential treatment.

Don't Allow a Vendor to Have Zero Responsibility: Be wary of excessive disclaimers and limits and seek the implementation of a credit or refund structure to address outages and downtime.

Am I Covered? Check available insurance policies and consider the insurance policy of the cloud provider to determine if it covers business interruption caused by vendor failure. Know the Exits. Know how to terminate a relationship with a cloud provider and plan for how such termination will unfold in order to minimize disruption caused by transitioning to a new service provider.

Where's Your Data? Understand where a copy of all stored data is physically located.

Seek Jurisdictional Clarity: Data transfer is easy and can create jurisdictional issues because the sites where data is located or transferred and where the related services are performed or received can and will typically be different.

You Need Access to Your Data: Know how to access, audit, hold, and retrieve all data or understand the limits on such data access because regulations and e-discovery rules may mandate particular data storage, protection, and transfer protocols.

Don't Forget Compliance with Law: Regulatory compliance may extend to the cloud provider, particularly, for health, financial, educational, or children’s data, and laws and regulations governing privacy and information security.

Rules Are Different Overseas: The United States has more permissive data and database rules than many other countries, particularly by comparison to Europe, where greater restrictions and rights exist.

Will It Still Be There When Disaster Strikes? Understand the cloud providers' business continuity and disaster recovery practices.

Incorporate Overall Risk Management Strategies: Cloud computing risks may expand the notion of risk from I.T. management to operational management or regulatory compliance.

Everybody Is a Renter: Limited-term software licenses will become the norm with customers not having any ownership rights in the software copy being licensed.

Summary

Courts, governmental authorities, and industry standard-setting bodies may address some of the foregoing concerns. But, until then, organisations considering cloud computing solutions will need to look to their written contracts as the primary vehicle to protect their rights and ensure performance.

Moreover, careful due diligence of cloud providers becomes key. Organisations therefore should consider multiple providers and should not make decisions based purely on cost. Instead, organisations should seek references and involve their key decision-makers and outside advisors to assist with the procurement process in order to ensure a thorough evaluation of the potential risks and issues with cloud computing.

Managing The Threat Landscape for SAP Systems

2012-04-24T18:09:00.000+10:00

A Ten Step Guide to Implementing SAP’s New Security Recommendations

SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de-facto standard for securing the technical components of SAP.

According to SAP, the guidance provided in the whitepaper is intended to help customers protect “ABAP systems against unauthorized access within the corporate network”. In fact, many of the recommendations can also be used to protect SAP systems against remote attacks originating outside such a network. These attacks are targeted at the technical components of SAP Netweaver that are responsible for managing user authentication, authorization, encryption, passwords and system interfaces, as well as underlying databases and operating systems.

Breaches in these components can enable attackers to take complete control of an SAP environment. The following is a quick guide to help you comply with SAP’s recommendations.

1. Disable unnecessary network ports and services. In most cases, this means blocking all connections between end user networks and ABAP systems other than those required by the Dispatcher (port 32NN), Gateway (33NN), Message Server (36NN) and HTTPS (443NN). NN is a placeholder for your SAP instance number. Administrative access should only be allowed through secure protocols such as SSH and restricted to dedicated subnets or workstations through properly configured firewall rules.

2. Install the latest version of SAP GUI. This should be 7.10 or 7.20 with activated security rules configured with the ‘Customized’ setting and the ‘Ask’ default action.

3. Implement strong password policies, restrict access to password hashes in tables and activate the latest hashing algorithms. SAP does not specify the exact settings for password policy parameters but you should use frameworks such as the PCI DSS as a proxy. Refer to section 8.5 of the standard. Default passwords should be changed for standard users and the password hashing mechanism should be upgraded to the latest version available for your system. Wherever possible, downward-compatible hashes should be removed from the database.

4. Enable SNC and SSL. SAP client and server communication traffic is not cryptographically authenticated or encrypted. Therefore, data transmitted within SAP networks can be intercepted and modified through Man-In-The-Middle attacks. Secure Network Communication (SNC) should be used for mutual authentication and strong encryption. This can be performed natively if both servers and clients run on Windows. You will need to use a third party product to secure connections between heterogeneous environments such as AIX to Windows. SNC will secure network communication using the SAP DIAG and RFC protocols. For Web-based communication, you should switch to HTTPS/ SSL and restrict access to the relevant cryptographic keys.

5. Restrict ICF services. Many of the services enabled by default in the Internet Communication Framework (ICF) are open to abuse and could enable unauthorized and malicious access to SAP systems and resources. At a very minimum, you should deactivate the dozen or so services mentioned by SAP in the white paper. This can be performed through transaction SICF.

6. Secure Remote Function Calls (RFC). Wherever possible, remove trust relationships between systems with differing security classifications and hardcoded user credentials in RFC destinations. The belief that RFC connections using SAP_ALL privileges is fine as long as the user type is set to dialog is a myth. This represents a serious risk to the integrity of information in SAP systems.

7. Secure the SAP Gateway. The Gateway is used to manage RFC communications which support SAP interfaces such as BAPI, ALE and IDoc. Access Control Lists (ACL) should be created to prevent the registration of rogue or malicious RFC servers which can lead to the interruption of SAP services and compromise data during transit. You should also enable Gateway logging and disable remote access.

8. Secure the SAP Message Server. The Message Server is primarily a load balancer for SAP network communications. Similar to the Gateway, it has no default ACL which means it is open to the same type of attacks. You should filter access to the Message Server port using a firewall and create an ACL for all required interfaces.

9. Regularly patch SAP systems. Implement missing SAP Security Notes and patch systems at least once a month. Security Notes can be downloaded from the SAP Service Market Place.

10. Regularly monitor the SAP security configuration. Standard SAP services such as EarlyWatch (EWA) and the Computing Center Management System (CCMS) can be used to monitor some security-relevant configurations. However, they do provide the same coverage as professional-grade security tools such as those used to perform SAPSCAN, a vulnerability assessment specifically engineered for SAP systems. SAPSCAN automatically reviews the configuration of your SAP environment against SAP security recommendations and hundreds of other vulnerabilities not included in the SAP white paper.

Reference: Layer Seven Security

5 Common Types of Security Professionals

2012-04-22T20:42:00.000+10:00

Information Security is all about managing risk not scaring people!

Information Security Profession is a fascinating and an interesting field but we do have some interesting characters!

Today, I'll be presenting 5 most common types of security professional you will see/meet in your career.

5 – The NO-MASTER

Have you ever been to a meeting that goes where security professional instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, he/she cans the idea straight off the bat.

What happens next is simple: business escalating to the Executives who basically mandate/bypass all the policies(because they can). The NO-master just missed a great opportunity to make a difference, and position himself/ herself as a contributor, rather than a roadblock!

Example:

So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter.

so… - No way! - Sorry Jimmy, did you say something? - Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it. But all the other companies out there are already.

What do you prefer? Being on Facebook or being hacked?

Ok, Security didn’t approve it, we are not going to use Facebook then.

4 – The By-The-Book Preacher

Here is another truth, if it’s written, it’s right! A typical scenario:

This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy says that critical patches must be installed X hours after being released!

You will find hundreds of Information Security Professionals like this. There is no context applied, there is no risk profiling, it needs to be done because the book/policy say so.

As a security professional, you are not paid to stick to a manual. You are paid to help the business to understand what the risks are, and the consequences of their (lack of) actions.

Information Security is all about managing risk. In the real world, some rules need to be bent occasionally provided that you know what the risk is to satisfy an SLA or to meet a business requirement.

Asking your support team to bring down the whole payroll system on the 30th of the month because a critical Microsoft patch was released is not the way to manage risk in efficient manner.

This type of security professional goes hand in hand with the NO-Master. All those security professionals who fit in this type should apply your knowledge and use the policies and books and procedures as a reference.

They should understand business comes first and if a decision has to be made between security and being available, you going to lose credibility.

3 – The Dinosaur

There is nothing he/she hasn’t seen before, there will always be a real life FUD story to back up their claims.

The dinosaurs are one of the hardest to fight against because they know it all.

Their philosophy is simple:

Everything boils down to access control. If people are not allowed to do something, you have nothing to worry about. I have to say I agree with this person to an extent, but to dismiss the fact that there are exploits out there that could give unauthorized user super privileges goes beyond access control.

2 – The Technology-Solves-It-All

Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download uTorrent takes years. And sometimes not even years will do.

But it doesn’t necessarily mean that technology will substitute the need to have well trained human beings with well-defined processes in place. The tool should exist to make the process viable, and not vice-versa.

Example:

Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?

You will notice, conversations like this happens every day

1 – The paranoid

These ones are the most dangerous and insecure professionals.

The paranoid sends you SMS at 3 in the morning about an article they read about a just-disclosed compromise in company X. They also call you to make sure you got the SMS. The paranoid asks you to send emails from your work e-mail, they don’t trust Hotmail accounts.

You could have met someone who is a little bit of all of the above, "NO COMMENT"!

Why Cyber Security is Critical for Smart Grid?

2012-04-19T20:29:00.000+10:00

Critical Issues for the security requirements of Smart Grid!

Power system operations pose many security challenges that are different from most other industries. For instance, most security measures were developed to counter hackers on the Internet.

The Internet environment is vastly different from the power system operations environment. Therefore, in the security industry there is typically a lack of understanding of the security requirements and the potential impact of security measures on the communication requirements of power system operations.

In particular, the security services and technologies have been developed primarily for industries that do not have many of the strict performance and reliability requirements that are needed by power system operations.

Security services for instance:

Operation of the power system must continue 24×7 with high availability (e.g. 99.99% for SCADA and higher for protective relaying) regardless of any compromise in security or the implementation of security measures which hinder normal or emergency power system operations
Power system operations must be able to continue during any security attack or compromise (as much as possible). Power system operations must recover quickly after a security attack or compromised information system
The complex and many-fold interfaces and interactions across this largest machine of the world – the power system – makes security particularly difficult since it is not easy to separate the automation and control systems into distinct “security domains”. And yet end-to-end security is critical
There is not a one-size-fits-all set of security practices for any particular system or for any particular power system environment
Testing of security measures cannot be allowed to impact power system operations
Balance is needed between security measures and power system operational requirements. Absolute security may be achievable, but is undesirable because of the loss of functionality that would be necessary to achieve this near perfect state
Balance is also needed between risk and the cost of implementing the security measures.

In the Smart Grid, there are two key purposes for cyber security:

Power system reliability

Keep electricity flowing to customers, businesses, and industry. For decades, the power system industry has been developing extensive and sophisticated systems and equipment to avoid or shorten power system outages. In fact, power system operations have been termed the largest and most complex machine in the world.

Although there are definitely new areas of cyber security concerns for power system reliability as technology opens new opportunities and challenges, nonetheless, the existing energy management systems and equipment, possibly enhanced and expanded, should remain as key cyber security solutions.

Confidentiality and privacy of customers

As the Smart Grid reaches into homes and businesses, and as customers increasingly participate in managing their energy, confidentiality and privacy of their information has increasingly become a concern.

How can security requirements for smart grid interfaces be determined?

There is no single set of cyber security requirements and solutions that fits each of the Smart Grid interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the configurations, the actual applications, and th e varying requirements for security of all of the functions in the system.

That said, “typical” security requirements can be developed for different types of interfaces which can then be used as checklists or guidelines for actual implementations. Typically, security requirements address the integrity, confidentiality, and availability of data.

However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and environments precludes simple or one-size-fits-all security solutions. Therefore, additional criteria must be used in determining the cyber security requirements before selecting the cyber security measures.

These additional criteria must take into account the characteristics of the interface, including the constraints and issu es posed by device and network technologies, the existence of legacy systems, varying organizational structures, regulatory and legal policies, and cost criteria.

Once these interface characteristics are applied, then cyber security requirements can be applied that are both specific enough to be applicable to the interfaces, while general enough to permit the implementation of different cyber security solutions that meet the cyber security requirements or embrace new security technologies as they are developed.

This cyber security information can then be used in subsequent steps to select cyber security controls for the Smart Grid.

Ernst & Young: Attacking the smart grid

2012-04-17T19:25:00.000+10:00

Penetration testing techniques for industrial control systems and advanced metering infrastructure

The industrial control systems that provide automation for critical infrastructure have recently come under increased scrutiny, and the need to protect current infrastructure as well as integrate security into new system design is now a top priority. Penetration testing has become the latest trend in the ICS space; however, the cultural and technological differences between control systems and traditional IT systems have caused confusion around how to perform a penetration test safely and effectively.

In this briefing, we will discuss the changing landscape in control system architecture, with special attention paid to smart grid infrastructure, and highlight the implications for security. A description of the lifecycle of a penetration test is followed by a breakdown of a typical ICS infrastructure. Specific penetration testing activities are explained for each component to provide insight for control system engineers and management into how penetration testing can benefit their organization.

Refer here to download the whitepaper.

Insufficient security controls for smart meters

2012-04-15T19:14:00.000+10:00

Smart meters are not secure enough against false data injection attacks

False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection; experts say current generation of smart meters are not secure enough against false data injection attacks nCircle the other day announced the results of a survey of 104 energy security professionals.

The survey was sponsored by nCircle and EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure. The online survey was conducted between 12 March and 31 March 2012.

When asked, “Do smart meter installations have sufficient security controls to protect against false data injection?” 61 percent said “no.” Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation.

The analysis of smart meter measurements and power system models that estimate the state of the power grid are a routine part of system monitoring. An nCircle release notes that false data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection. Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection. It doesn’t help that some communication protocols used by the smart meter infrastructure don’t offer much protection against false data injection either.

Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.

Elizabeth Ireland, vice president of marketing for nCircle, noted, “A false data injection attack is an example of technology advancing faster than security controls."

This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user.

Satellite Communications for SCADA equipment monitoring

2012-04-13T20:06:00.000+10:00

Benefits of satellite communications

Benefits of introducing a satellite communication link into SCADA systems include:

Ubiquitous service territory closes gaps in terrestrial coverage
Fast cost-effective deployment with low hardware and installation costs
More reliable than congested cellular data networks
Benefits of remote monitoring

Benefits of monitoring and controlling oil & gas and utilities equipment remotely include:

Higher operational efficiencies
Reduced site visits Improved safety
Increased scalability

About this white paper:

"Satellite Communications for SCADA Equipment" outlines the benefits of remote monitoring and shows how satellite communications equipment fits into the SCADA monitoring system. It also discusses how to connect to an RTU using satellite messaging terminals and explores cost structure for mass deployment.

Timely information about asset health and behavior, along with software applications that organize data and implement work flows, allows oil and gas companies to save time and streamline processes that previously required arduous paperwork and manually tracked decision-making.

Refer here to download the whitepaper.