DoD

The DoD Cybersecurity Policy Chart

November 11, 2018 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
November 11, 2018
Updated November 13, 2018

The goal of the DoD Cybersecurity Policy Chart, developed by the Cyber Security and Information Systems Information Analysis Center (CSIAC) is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme. The use of color, fonts, and hyperlinks are all designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.

At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side of the Cybersecurity Policy Chart, there are boxes, which identify key legal authorities, federal/national level Cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can be found in the Chart.

Click on the image above to download an interactive copy of .pdf of the DoD Cybersecurity Policy Chart, The chart was last updated on September 25, 2018.

Malware Scam Uses NSA/CSS Seal

July 26, 2018 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
September 29, 2014

For an agency that for the longest time used to be known as No Such Agency, now thanks to Edward Snowden it’s on center stage for everyone including malware writers.

The NSA Public Affairs Office is alerting the public of a scam that uses the NSA/CSS seals and banner. Victims of this malware scam report that a pop-up or a locked Internet browser alerts them that they have violated the law and/or are being monitored. Depending on where they are in the world, the latter part is likely true.

The malware scammer may also request that victims pay a fine. This activity and the associated alerts have no affiliation to the federal government, NSA included, and no money should be paid to the scammers.

Victims should consult a computer professional on how to address the computer infection. Victims may also contact the Internet Crime and Complaint Center, a partnership between the FBI and the National White Collar Crime Center that accepts Internet-related criminal complaints.

The NSA recommends users looking for more information on malware to review the NIST Guide to Malware Incident Prevention and Handling.

DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS

July 26, 2018 By William Knowles

CVC8

By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014

XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to a bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013.

According to XSSposed, the InfoSec Institute has not one, two, three, four, five, six, but SEVEN XSS vulnerabilities discovered this week.

This most recent XSS vulnerability to the EC-Council is to their portal page where their customers sign in. This is not the only XSS vulnerability to their site, The Hacker News reported one back in 2011 and Rafay Baloch and Deepanker Arora discovered another in 2013.

In a previous Web defacement statement, the “EC-Council takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers. licenses, government, and military Common Access Cards (CAC).

It seems neither organization is practicing what they preach for thousands of taxpayer’s dollars training the next generation of cyber warriors.

A (supposedly) expert team of information security instructors founded the InfoSec Institute in 1998. Their goal was to build a business by offering the best possible training experience for students.’ ‘InfoSec Institute deeply understands the needs of today’s IT professionals and is best positioned to offer world-class training.

The EC-Council is an Albuquerque New Mexico based organization that offers security professionals a reasonably inexpensive certificate among other security certificates to be compliant with Department of Defense standard 8570.

Photo by Richard Termine Photography

For EC-Council, Mum’s the word

July 25, 2018 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
March 12, 2013

We have been following the compromise, Web defacement, and subsequent silence of EC-Council for a couple of weeks now. On February 22nd the Albuquerque, NM-based EC-Council Web site was broken into and defaced three separate times. If you hold a certification from EC-Council your confidential information is rumored to have been stolen during this period.

After the EC-Council administrators wrested back control of their site the first time, a known password was used to deface the Web site again. The second defacement showed the mail from Edward Snowden’s Yokota Air Base email address requesting an exam code, along with a copy of his U.S. Passport and a letter signed by John A. Niescier, an Information Security Officer with the Department of Defense Special Representative, Japan.

All told, the website was compromised three times in a single week.

Conspiracy rumors abound about who attacked the EC-Council Web site. Foreign training companies, Secret Squirrels, The Chinese, The Russians, Non-state actors were all considered possible suspects. However, the folks at r000t’s blag did some digging and their conclusions provide pretty damning evidence identifying the likely culprit.

Since the attack, EC-Council has kept a very low profile, InfoSec News has reached out several times to Founder Jay Bavisi for a comment, but the attempts have fallen on deaf ears. Now nearly three weeks later, the EC-Council finally commented on the attack.

InfoSec News asked Mark Bernheimer, Former CNN correspondent and founder of MediaWorks Resource Group, a media training and consulting firm, for his insight into what the EC-Council should be doing.

“If there’s even an appearance that a Web site has been hacked, particularly a security company’s site, the only way to manage the crisis is to address the issue candidly and immediately.”

“Once a website has been hacked, and user data potentially compromised, it is too late to change that reality. The company can only manage the crisis through a careful, responsive public relations strategy. Ignoring inquiries isn’t the ideal approach.”

“A data breach –or even the perception of a data breach– demands an immediate, proactive PR strategy on the part of the victimized company. Get all the bad news out immediately, rather than encouraging rumor and speculation. This is the approach Target undertook after it suffered its own breach late last year.”

Brian Klug via Compfight