Cloud Hosting

MERRILLVILLE, Ind. and EAST GREENBUSH, N.Y., June 8, 2021 /PRNewswire-PRWeb/ -- Cimcor is pleased to announce that it is the recipient of the first-ever Center for Internet Security (CIS) Benchmarks Configuration Certification. The Center for Internet Security has provided this certification for the CimTrak Integrity Suite running on CIS CenOS Linux 7 Benchmark Level 1 and Level 2.

Providing a comprehensive set of security, auditing, and compliance tools to ensure the integrity of an IT infrastructure, the CimTrak Integrity Suite provides a streamlined way to bring Benchmark security to customers without impacting product, service, or system performance. The CIS Configuration Certified program certifies a product or service's configuration is in conformance with or can run in an environment configured to the CIS Benchmarks, which are consensus-based, vendor-agnostic, secure configuration guidelines for the most commonly used systems and technologies.

"We believe that systems that have been hardened in accordance to CIS Benchmarks, are the foundation of a secure infrastructure. We are proud to be the first security company to receive CIS Benchmarks Configuration Certification," said Robert E. Johnson, III, President and CEO of Cimcor, Inc. "This certification validates our commitment to CIS best practices and our commitment to creating world-class security software to deliver integrity, security, and compliance throughout the enterprise."

The new CIS Benchmarks Configuration Certification enables vendors to develop new products with the CIS Benchmarks built-in, tested, and certified at outset. Building this confidence into the products takes the guesswork out of knowing whether or not a CIS Benchmarks-hardened environment will work without impact.

"Cimcor has demonstrated a strong commitment in providing customers with the ability to ensure their assets are secured according to consensus-based best practice standards," said Curtis Dukes, CIS Executive Vice President and General Manager, Security Best Practices. "Their customers won't have to reconfigure anything because the certification has demonstrated it will work straight out of the box."

The new Configuration Certification pilot is open to a number of environments and use cases, including:

Cimcor develops innovative, next-generation, compliance, and system integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. CimTrak helps reduce configuration drift and ensure that systems are in a secure and hardened state. Securing your infrastructure with CimTrak helps you get compliant and stay that way. For more information, visit http://www.cimcor.com/cimtrak.

The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.

Read the original:
CIS Awards Cimcor With First-Ever Benchmarks Configuration Certification - pdclarion.com

Following the IEC 62443 standard for security software development ensures quality, safety and security

The importance of industrial automation and control systems (IACS) to the critical operations we rely on cannot be overstated. From manufacturing of consumer and commercial products to power generation and water supply to HVAC for the offices where we once worked in before COVID-19 (well be back) to smart utility metering for our homes and so much more, these systems are essential to our lives and our economy. It goes without question that keeping these systems secure is a must.

A cybersecurity event targeting ICAS has the potential to have a devastating impact. And, as these devices and systems become smarter, more interconnected and exposed to the Internet, security challenges continue to rise and risk becomes exponentially greater. In fact as highlighted by its Year in Review 2020 report, industrial cybersecurity company, Dragos, saw a threefold increase of cyber threats to ICAS last year.

As stated earlier, these ICAS devices are becoming smarter. This is a result of more complex embedded software enabling remote functionality, automation and analytics. With more complex software, there are now more lines of code which can introduce N-day and 0-day vulnerabilities if not diligently tested throughout the software development life cycle (SDLC).

Thankfully, there are standards for developing secure software, such as IEC 62443, designed to help ensure software code embedded in ICAS devices is free of vulnerabilities. The IEC 62443-4-1 standard (Security for industrial automation and control systemsPart 4-1: Secure product development lifecycle requirements) defines specific requirements for using a secure development lifecycle in the design, implementation, maintenance and testing of products used in industrial automation and control systems.

GrammaTech together with Exida, a leading certification company specializing in ICAS functional safety and cybersecurity, recently issued a joint whitepaper, Using GrammaTech CodeSentry and CodeSonar to Improve Software Security and Comply with IEC 62443.

In this whitepaper, Exida details how GrammaTechs CodeSentry (Binary Software Composition Analysis SCA) and CodeSonar (Static Application Security Testing SAST) tools can be integrated into an ICAS suppliers SDLC and DevSecOps processes to help comply with the IEC 62443 standard.

Exida describes two major contributors to security vulnerabilities found in products today, which are implementation weaknesses in programs created in languages such as C and C++ and the use of Third-Party Software (TPS). The CodeSentry and CodeSonar tools can address both of these issues.

CodeSonar can be seamlessly integrated into the SDLC to continually find and remediate errors and vulnerabilities in code. With CodeSentry, you can perform a binary analysis to identify the open-source and third-party software components of the software to generate a software bill of materials (SBOM) and vulnerability report.

This whitepaper introduces common causes of security vulnerabilities including implementation programming weaknesses in programing languages and TPS. In addition, it describes TPS types, specific TPS security challenges and provides guidance on how to use the GrammaTech CodeSentry and CodeSonar tools in a workflow to select and manage TPS and overall product security.

If developing secure and vulnerability free code is your priority, we encourage you to the download and read our whitepaper.

To see CodeSentry and CodeSonar in action and how our solutions can solve your specific requirements, book an evaluation today.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Christian Simko. Read the original post at: https://blogs.grammatech.com/iec-62443-securing-industrial-automation-and-control-systems-starts-in-software-development

Link:
Securing Industrial Automation and Control Systems Starts in Software Development - Security Boulevard

This 95-page report is the first comprehensive offering from the long list of Senate and House committees that are investigating various matters related to the Capitol insurrection. It's by far one of the most thorough fact-finding efforts and was released Tuesday in a bipartisan fashion.

Two Senate committees on Tuesday released the most comprehensive government report on the security failures leading up to the US Capitol insurrection on January 6, revealing new details about unheeded warnings, critical miscommunications and intelligence shortcomings.

Congressional investigators pored through thousands of documents, received written statements from 50 police officers who defended the Capitol and received testimony from a wide array of current and former officials who played a role in the security preparations and response.

READ: Bipartisan Senate report investigating January 6 Capitol attack

Here are six takeaways from the report and its recommendations, which were released on a bipartisan basis by the Senate Rules Committee and the Senate Homeland Security Committee.

The report concluded that the US Capitol Polices main intelligence unit was aware of the potential for violence in the days and weeks ahead of January 6. Period. Full stop. They were warned.

But not everyone was aware. The inquiry determined that USCPs decentralized intelligence operation meant some people saw these warnings while other officials were left in the dark.

RELATED: Injured Capitol Police officer in emotional statement to court: You have stolen moments away from me that I cant get back

The Metropolitan Police Department in Washington, DC, told Capitol Police that hotel bookings roughly doubled in comparison to pro-Trump rallies in November and December, the Senate report said.

It was becoming clear to security officials and ordinary citizens alike that January 6 would be different. A private citizen emailed USCPs general mailbox on December 28 saying there were tweets from people organizing to storm the Capitol on January 6th, according to the report.

Still, USCP maintained its assessment that January 6 would likely resemble the minor pro-Trump rallies in November and December.

The report said, The USCP Chief has no unilateral authority to request assistance from the National Guard. This is a simple statement, but it explains a lot about the failures that day.

Then-Capitol Police Chief Steven Sund wanted to call in the troops for backup but needed to coordinate with other Hill security officials. When the officials tried to deal with the request, they were unfamiliar with the laws and regulations that needed to be followed, the inquiry found.

The red tape hindered the much-needed National Guard response, according to the report. And thats why one of the first recommendations from the Senate report is to empower the Capitol Police chief to have unilateral authority to request military support in emergency situations.

It seems like a no-brainer, but for this to happen, Congress will need to pass a new law.

The Senate inquiry uncovered some embarrassing failures within the civil disturbance unit of the Capitol Police, which is essentially the forces riot police or emergency response squad.

The Capitol Police activated seven of these special units in advance of January 6, but only four of those platoons were outfitted special protective equipment like helmets and shields, the report said. And when one of the platoons tried to get its equipment, it was on a locked bus.

The senators recommended that the special unit receive better training and more funding.

Plenty of Trump supporters posted plenty of violent threats and dangerous assertions on the internet in the run-up to January 6. The report said these were found on message boards, social media, memes, or hashtags. But intelligence officials struggled with how aggressively to police political speech, and how to differentiate the real threats from typical internet nonsense.

FBI and (Department of Homeland Security) officials stressed the difficulty in discerning constitutionally protected free speech versus actionable, credible threats of violence, the report said, noting that officials have said they need to make improvements and do better in the future.

Weve already heard from many of the brave police officers who risked their lives defending the Capitol, including some who were injured and others who engaged in hand-to-hand combat.

But the report fleshed this out, providing new accounts from the frontlines of the battle.

We did what we could against impossible odds and a volatile crowd which many times threatened us with phrases like Were gonna kill you!' one officer told the committees. I felt at this time a tangible fear that maybe I or some of my colleagues might not make it home alive.

Another officer described how they were called a Nazi. Black officers have spoken out about the racial abuse at the hands of the mob, including being called the N-word. In a previously unreported incident, one officer said they saw someone give a Nazi salute to the Capitol.

This 95-page report is the first comprehensive offering from the long list of Senate and House committees that are investigating various matters related to the Capitol insurrection. Its by far one of the most thorough fact-finding efforts and was released Tuesday in a bipartisan fashion.

But as comprehensive as it is, it only examined one piece of the bigger puzzle. It looked at the security, planning and response failures by law enforcement. But what about efforts by extremist groups to plan for violence in DC? What about former President Donald Trump and the Republican officials who fanned the flames? Congress isnt equipped to probe these issues.

Senate aides said investigators intentionally avoided the most politicized topics like Trumps culpability because they wanted to keep the probe bipartisan. Sources told CNN that to keep Republicans in the fold, the report avoided using the word insurrection to describe the attack.

Apparently, the Senate investigation was significantly watered down before it even started.

This is one the many reasons why so many Democrats, Republicans, former US officials, national security experts, and US Capitol Police officers agree that there should be an independent commission to investigate January 6. Not just to look at narrow questions but to examine the big picture extremism, disinformation, radicalization, incitement, and much more.

Senate Republicans blocked a bill to establish a commission, which now appears to be dead.

Read the original here:
Takeaways from the Senate report on January 6 security failures - WTOP

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSBs website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The reason I contacted the FSB one of the successor agencies to the Russian KGB ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSBs own preferred method of being contacted.

KrebsOnSecurity was seeking comment from the FSB about a blog post published by Vladislav BadB Horohorin, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the theft of $9 million from RBS WorldPay in 2009. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.

Horohorins BadB carding store, badb[.]biz, circa 2007. Image: Archive.org.

Visit the FSBs website and you might notice its web address starts with http:// instead of https://, meaning the site is not using an encryption certificate. In practical terms, any information shared between the visitor and the website is sent in plain text and will be visible to anyone who has access to that traffic.

This appears to be the case regardless of which Russian government site you visit. According to Russian search giant Yandex, the laws of the Russian Federation demand that encrypted connections be installed according to the Russian GOST cryptographic algorithm.

That means those who have a reason to send encrypted communications to a Russian government organization including ordinary things like making a payment for a government license or fine, or filing legal documents need to first install CryptoPro, a Windows-only application that loads the GOST encryption libraries on a users computer.

But if you want to talk directly to the FSB over an encrypted connection, you can just install their own client, which bundles the CryptoPro code. Visit the FSBs site and select the option to transfer meaningful information to operational units, and youll see a prompt to install a random number generation application that is needed before a specific contact form on the FSBs website will load properly.

Mind you, Im not suggesting anyone go do that: Horohorin pointed out that this random number generator was flagged by 20 different antivirus and security products as malicious.

Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine, Horohorin wrote. And a spacesuit. And, preferably, while in another country.

Antivirus product detections on the FSBs VPN software. Image: VirusTotal.

Its probably worth mentioning that the FSB is the same agency thats been sanctioned for malicious cyber activity by the U.S. government on multiple occasions over the past five years. According to the most recent sanctions by the U.S. Treasury Department, the FSB is known for recruiting criminal hackers from underground forums and offering them legal cover for their actions.

To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp., enabling them to engage in disruptive ransomware attacks and phishing campaigns, reads a Treasury assessment from April 2021.

While Horohorin seems convinced the FSB is disseminating malware, it is not unusual for a large number of security tools used by VirusTotal or other similar malware sandbox services to incorrectly flag safe files as bad or suspicious an all-too-common condition known as a false positive.

Late last year I warned my followers on Twitter to put off installing updates for their Dell products until the company could explain why a bunch of its software drivers were being detected as malware by two dozen antivirus tools. Those all turned out to be false positives.

To really figure out what this FSB software was doing, I turned to Lance James, the founder of Unit221B, a New York City based cybersecurity firm. James said each download request generates a new executable program. That is because the uniqueness of the file itself is part of what makes the one-to-one encrypted connection possible.

Essentially it is like a temporary, one-time-use VPN, using a separate key for each download James said. The executable is the handshake with you to exchange keys, as it stores the key for that session in the exe. Its a terrible approach. But its what it is.

James said the FSBs program does not appear to be malware, at least in terms of the actions it takes on a users computer.

Theres no sign of actual trojan activity here except the fact it self deletes, James said. It uses GOST encryption, and [the antivirus products] may be thinking that those properties look like ransomware.

James says he suspects the antivirus false-positives were triggered by certain behaviors which could be construed as malware-like. The screenshot below from VirusTotal says some of the files contents align with detection rules made to find instances of ransomware.

Some of the malware detection rules triggered by the FSBs software. Source: VirusTotal.

Other detection rules tripped by this file include program routines that erase event logs from the users system a behavior often seen in malware that is trying to hide its tracks.

On a hunch that just including the GOST encryption routine in a test program might be enough to trigger false positives in VirusTotal, James wrote and compiled a short program in C++ that invoked the GOST cipher but otherwise had no networking components. He then uploaded the file for scanning at VirusTotal.

Even though James test program did nothing untoward or malicious, it was flagged by six antivirus engines as potentially hostile. Symantecs machine learning engine seemed particularly certain that James file might be bad, awarding it the threat name ML.Attribute.HighConfidence the same designation it assigned to the FSBs program.

KrebsOnSecurity installed the FSBs software on a test computer using a separate VPN, and straight away it connected to an Internet address currently assigned to the FSB (213.24.76.xxx).

The program prompted me to click on various parts of the screen to generate randomness for an encryption key, and when that was done it left a small window which explained in Russian that the connection was established and that I should visit a specific link on the FSBs site.

The FSBs random number generator in action.

Doing so opened up a page where I could leave a message for the FSB. I asked them if they had any response to their program being broadly flagged as malware.

The contact form that ultimately appeared after installing the FSBs software and clicking a specific link at fsb[.]ru.

After all the effort, Im disappointed to report that I have not yet received a reply. Nor did I hear back from S-Terra CSP, the company that makes the VPN software offered by the FSB.

James said that given their position, he could see why many antivirus products might think its malware.

Since they wont use our crypto and we wont use theirs, James said. Its a great explanation on political weirdness with crypto.

Still, James said, a number of things just dont make sense about the way the FSB has chosen to deploy its one-time VPN software.

The way they have set this up to suddenly trust a dynamically changing exe is still very concerning. Also, why would you send me a 256 random number generator seed in an exe when the computer has a perfectly valid and tested random number generator built in? Youre sending an exe to me with a key you decide over a non-secure environment. Why the fuck if youre a top intelligence agency would you do that?

Why indeed. I wonder how many people would share information about federal crimes with the FBI if the agency required everyone to install an executable file first to say nothing of one that looks a lot like ransomware to antivirus firms?

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSBs clear web site, the agencys Tor site does not ask visitors to download some dodgy software before contacting them.

The application is running for a limited time to ensure your safety, the instructions for the FSBs random number generator assure, with just a gentle nudge of urgency. Do not forget to close the application when finished.

Yes, dont forget that. Also, do not forget to incinerate your computer when finished.

Excerpt from:
Adventures in Contacting the Russian FSB Krebs on Security - Krebs on Security