Important Cybersecurity News (January 12th, 2018)
What is going on with Meltdown and Spectre?
By now you’ve seen news about two security issues that affect nearly all computers, named Meltdown and Spectre. A group of computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is important to all of us because it affects almost every computer on our member networks, including your workstation and practically all our servers.
This hardware bug allows malicious programs to steal data that is being processed in your computer’s memory. Normally, applications are not able to do that because they are isolated in memory from each other and from the operating system. This hardware bug breaks that isolation. If you’d like to see more information, please see this link.
So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or a browser, your emails, instant messages and even mission-critical documents. Obviously, this is concerning and it means that we have an exposure. There has not yet been an attack or exploit used in relation to this flaw at any member and we are monitoring member networks from the Security Operations Center (SOC) at the System to help ensure that if we see any behavior that is out of the ordinary we can help members take action. The SOC has seen some beginning preparations for exploiting these flaws out on the Internet.
What Are We as A&M Doing About This?
Recently, I asked all member Chief Information Officers and Information Security Officers to meet on the phone to discuss a strategy to address these flaws. Even though there has been a lot of confusing rhetoric surrounding these vulnerabilities, it is clear that we need to update and patch all machines on all of our networks. This is going to take some time, and I note that some of the patches are not available yet, but are being delivered by the various vendors including Intel, Microsoft, Apple and others. Already, many of your IT staff have begun to update machines with available patches and updates.
In the meantime, we need you to be extra vigilant, keeping cybersecurity top of mind, and to be patient as your IT personnel apply patches and updates. Even though this is considered a high-impact, low-probability flaw in the CPUs of the machines we all use, hackers are still out there attempting to get you to fall for whatever scheme they have going on. Think carefully before you click on links and respond to e-mails. Please report any suspicious activity to your local Information Security Officer. You should also update your home devices anytime there’s an update available. This will ensure you have the latest protections against exploits. We see a lot of malware entering the A&M environments from personal devices.
Danny Miller, C|CISO, CISA, ITIL, CRISC, CGEIT, QSA, QAR | System Chief Information Security Officer
Office of the Chief Information Officer
Tel: 979-458-6433 | Mobile: 409-600-1614
National Privacy Day
January 28th is National Data Privacy Day, an educational initiative focused on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.
To understand the importance of National Data Privacy Day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.
Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.
Foundational steps to provide protection to systems:
- Patching: make sure computers, mobile devices, apps and anything else connected to the Internet are up-to-date.
- Backups: even some ransomware may be able to infect up-to-date systems, which means the second best way to combat this is to back up your data very regularly. When you lose data, you can recover that information from a backup.
- Be aware of phishing attacks: Don’t fall for that e-mail that looks somewhat official. Question the validity of every e-mail. If it is suspicious, it’s likely a phishing e-mail with an infected file attached or a bogus link in the e-mail.
SANS has an excellent program called Securing the Human which seeks to educate all of us regarding security awareness in these uncertain times. Follow this link to go to their short but really excellent video vignettes in security awareness.
The cybersecurity function here at The Texas A&M University System is focused on the following areas of cybersecurity:
- State & Federal Requirements (security + breach) – Texas Bus. & Comm. Code § 521.053, TAC 202, TAC 206, FERPA, FISMA, etc.
- Security through a shared-service model or Security Operations Center (SOC)
- Monitoring our networks and the state of our network
- International Requirements (TAMUS overseas)
- Legal matters when there is an investigation or forensic review
- Privacy issues
- Business issues (PCI, research granting, private donations, etc.)
- Intellectual Property (identification, valuation, security)
- Key personnel security (fraud, blackmail, extortion)
- Student information security
- Third Parties
- Physical Security
In many ways though, even as we find ourselves improving and hardening our infrastructure to withstand the attacks of known and unknown entities, the common thread which consistently exposes important information is our own people. We must continue to build our monitoring and defensive capabilities at the members and at the newly-formed Security Operations Center (SOC) to provide good and complete security over our information assets while also providing an environment that fosters collaboration and collegial relationships between genuine research and learning partners.