This quarter’s Shield newsletter focuses on one of the foundations of good cyber safety—keeping systems current and patched.

How Can I Tell That My System Is Patched?
By Sam Adams - Cyber Security Administrator

One of the easiest ways to protect your computer from malware is by simply having your computer patched and up-to-date. Most operating systems have processes in place to make sure this is done automatically and even tools that can identify any vulnerabilities in your system that may need to be patched.

Why should you care?

The “bad guys” have come up with increasingly creative ways to attack and exploit the vulnerabilities of your system. Couple that with an always-on Internet connection, and your computer has a greater chance of being infected. With new security flaws in common applications being discovered every day, it is important to stay current with security updates designed to patch those security holes.

If you are unsure of where to start, it is always a safe bet to have Automatic Updates enabled. Automatic Updates will automatically download and/or install critical updates to your computer. In the Windows Update site, you can also install less critical patches that the Automatic Updates do not cover. You can find these options by accessing the Control Panel (Windows) or System Preferences (Mac) and clicking Security Center (Windows) or Software Update (Mac).

Microsoft offers a free tool called Microsoft Baseline Security Analyzer (MBSA) that scans your Windows operating system, identifies any vulnerabilities the system may have, and provides solutions to correct them.

(Continued below.)

Keeping Systems Current

In the James Bond movie, Tomorrow Never Dies, one of the villain’s henchmen reports that as planned, their software will be sold to the public full of bugs so the users will have to pay to upgrade in two years. In the real world, software bugs aren’t added to increase revenue; they’re present because little human mistakes in logic can accumulate into big programming glitches that allow a skilled attacker unintended access to data or programs.

Software companies have moved from denying problems exist with their applications to refining their products before they reach the market. They now react quickly to programming errors by releasing revised versions of the errant code in their programs so end users can patch them.

Bad Guys and Bugs

Since the beginning of computer programming, some users, for fun or malice, have tried to find ways to exploit buggy code to bend a program to their will. Today’s hackers exploit computer bugs to make millions using data stolen from users’ bank accounts and credit cards. They can carry out nationally-sponsored cyber-attacks against critical infrastructure targets like power generating plants or power transmission and distribution control systems. Cyber criminals even sell each other ways to exploit program flaws on illicit web sites.

Cyber criminals command top dollar for flaws unknown to the software developers. Malicious programming that takes advantage of these obscure flaws is called a zero-day attack, named because software companies have zero days to prepare software patches to combat them. Zero-day attacks allow cyber criminals to install their software for weeks or months before their attacks are detected and patched. In response, some software companies now offer bounties for turning in zero-day bugs, hoping to entice the software bug hunters away from the dark side of coding these attacks.

Rather than rely on employees to install their own patches, businesses have automated ways of receiving and installing patches to operating systems like Microsoft Windows, Apple OS X, and Linux, and major programs like Microsoft Office.
These patches are delivered at least once a month and distributed via the corporate network. That way, any computers connected to a business network will keep their software up-to-date with the latest patches. Consequently, users should turn on seldom-used computers to ensure that these patches are installed. The challenge for mobile computer users is to ensure that their laptops are back in the office often enough to be patched so they aren’t attacked when outside the company network.

Home users should also be aware of the general monthly schedule followed by software vendors. Microsoft releases patches on the second Tuesday of every month, via a service called Windows Update. Apple OS X Macintoshes use a service called Software Update that can check weekly for patches. Linux distributions all have the same kind of updating service. Other software vendors may announce their patches via email, but no one ever distributes software bug fixes via email, since it is so easy for cyber crooks to disguise malicious software as a bug fix.

MSRT is your friend

The Microsoft MSRT (Malicious Software Removal Tool) is a monthly patch for Windows that removes malicious software (malware). Introduced in 2005, the MSRT has been highly successful in combating computer viruses and Trojan horses. It is available for all currently supported versions of Windows. While not intended to replace anti-virus products that keep malware from infecting a PC, it does fill a gap in detecting and removing some types of malicious software that Microsoft believes are widespread.

If MSRT detects malicious software, it quietly removes it. The next time someone logs into the computer as the computer administrator, a balloon notification will appear to tell the computer administrator that malicious software has been removed.

Third Party Patches

Software manufactured by someone other than the operating system vendor is called “third party” software.
Examples of third party software include Adobe Reader, Adobe Flash, and various distributors of Java. Third party products usually depend on voluntary patching, where an update program tells a user a patch is available. Users frequently ignore these updates.

A list of frequently exploited third-party programs as compiled by the computer security company Secunia is shown below. According to Secunia, the average PC user in the USA has 73 programs installed, with 28 from Microsoft and the remaining 45 from third party vendors. Secunia has a list of the top ten vulnerable programs, of which only one is part of Microsoft Windows.

Microsoft XML Core Services
Sun Java JRE 1.6.x/6.x
Adobe AIR 2.x
Apple QuickTime 7.x
Adobe AIR 3.x
Adobe Flash Player 11.x
Oracle Java JRE SE 1.7.x/7.x
Adobe Reader X 10.x
Adobe Shockwave Player 11.x
VLC Media Player 2.x

Check your PC to see if any of these are installed and then patch them.

Keeping Windows security software current

In addition to checking a variety of security software settings, the Windows Security Center application and the Windows Action Center can help home users see if Windows Update is properly working and that your computer’s antivirus software is installed and updated. This includes the Microsoft Windows Defender, available with Windows 7 and Windows 8 default installations.

The Windows Security Center is present in Windows XP SP2 and Windows Vista. Beginning with Windows 7, the Windows Security Center functions were rolled into the Windows Action Center. By default, these applications will present alerts on the task bar when a problem is encountered.

How Can I Tell That My System Is Patched? (continued)

The tools described above will check for patches associated with the operating system or programs closely associated to the operating system.
There are other commonly used applications, such as your Internet browser (Google Chrome, Mozilla Firefox, etc.), Java and Flash, that could need patches and that these tools would not cover. Typically, these applications will notify you of any updates, but there are tools out there that can manage all your applications in a single pane.

Patching and updating your computer should not take the place of an anti-virus program. They should be used in tandem to increase the security of your system. Get reputable malware protection from a vendor you trust. If your PC came with an anti-virus product, consider renewing the subscription when it comes due. Or choose from a list of Microsoft partners who provide anti-malware software, often for Windows, Macs, and Linux PCs, at microsoft.com/windows/antivirus-partners. Otherwise there are free alternatives for Windows, Mac OS, and Linux. For example, Microsoft Security Essentials offers free real-time protection against malware. Sophos provides a free Mac OS AV product called Sophos for the Mac, and the open source ClamAV can be used for Linux PCs.

The most important rule to remember when keeping your system up-to-date is to not ignore any notifications to patch your system. Patches typically deal with vulnerabilities that are widely known and it is best to take care of them as soon as possible. If you want to learn about how to best secure your computer, there are numerous articles on the Internet about this subject.

Sources: Bradley, Tony. "How Can I Keep My Computer Patched and Up To Date?" About.com Internet / Network Security. N.p., n.d. Web. 16 Sept. 2013.

[Figures: Windows Security Center; Windows Action Center]

Cyber Security—Our Shared Responsibility

Cyber Mobility—Online Safety and Security Training

We all enjoy the benefits and convenience that cyberspace provides us as we shop online from home, bank online using our smart phones, or interact with friends through social networks. However, we need to remember that mobile devices have unique security challenges. For one thing, they are easy to misplace, potentially compromising any unencrypted sensitive data or applications stored on the device.

How can you protect your mobile device? Use the same tactics you employ on your laptop, plus “wireless protection.” Restrict access to your home wireless network by only allowing authorized users access to your network. When accessing the Internet from a Wi-Fi hotspot, assume there is no security at all, meaning avoid unfamiliar websites and sites requiring you to log in.

Keep your security applications up-to-date.
Change any and all preconfigured passwords.
Keep the anti-virus software on your mobile device updated.
Always use caution when downloading or clicking on unknown links.
Download only trusted applications from reputable sources or marketplaces.
Make sure when you log in to any financial sites, the URL reads "https://", which means the site takes extra measures to help secure your information. Remember, "http://" is not secure.

Cyber Workforce—Next Generation Leaders

In 2013, you’d be hard pressed to find many people who are truly computer illiterate. Perhaps they can’t program in special languages, but they interact with computers on their cable boxes, gaming systems, phones, in cars, and even on many appliances in our homes. In fact, teenagers starting college in 2013 have always known flat screen televisions and have always been able to read books on electronic screens.

That’s encouraging for the future of cyber security. Kids are growing up with computers and understand security issues as one aspect in their overall technology education. If you feel like you need help in knowing the basics or explaining the concepts to your children, visit the StaySafeOnline web site. It contains age-appropriate resources for understanding cyber security.
For the post-secondary learners, the Omaha area has three institutions designated by the National Centers of Academic Excellence in the study of Information Assurance. In Nebraska, the University of Nebraska at Omaha and Bellevue University earned that designation. In Iowa, Iowa State University owns that designation. Finally, if you need help determining what kind of training is available or needed for a cyber security position, the National Institute for Cybersecurity Careers and Studies offers many resources designed for professional cyber security administrators.

Everyone has to play a role in cyber security. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, from the public.

Cyber Crime: New Faces on an Old Problem

According to the Federal Communications Commission, theft of digital information has become the most commonly reported fraud, surpassing physical theft. Mobile technology accounts for some of the increase seen in reported fraud. As of 2011, global smartphone shipments exceeded personal computer shipments for the first time in history. Along with more wireless access, more wireless transactions are taking place. Their growing numbers make users targets for traditional security risks (e.g. viruses, spam, Trojans and worms) as well as sophisticated new forms of attacks.

As with any kind of mobile device, the use of third-party and wireless networks and short-range networks like Bluetooth introduces additional vulnerabilities that must be mitigated to access the web safely. Wireless connectivity (sometimes advertised as a Wi-Fi hotspot) allows users to bypass the secure Trusted Internet Connection (TIC) and connect directly to the Internet and other untrusted sources.

Only connect to the Internet over secure, password-protected networks.
Do not click on links or pop-ups, open attachments, or respond to emails from strangers.
Do not respond to online requests for Personally Identifiable Information (PII); most organizations – banks, universities, companies, etc. – do not ask for your personal information over the Internet.
Password protect all devices that connect to the Internet and user accounts.
Limit the amount of personal information you post. Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your friend posts information about you, make sure the information is something that you are comfortable sharing with strangers.
Take advantage of privacy and security settings. Use site settings to limit the information you share with the general public online.
Be wary of strangers and cautious of potentially misleading or false information.

Critical Infrastructure: Cyber Protection

At OPPD, we take our responsibility to provide electricity to our customers seriously, very seriously. We know how expensive an outage can be for those without power. As recently as 2013, OPPD’s Energy Plaza experienced a blackout along with many downtown Omaha businesses. Energy Plaza employees and downtown workers were unable to work. We understand the cost to business.

At most OPPD locations, employees are seeing more and more regulations, requirements and training involving cyber security. It’s not the latest management fad if that’s what you’re thinking. It’s the result of previous security analyses of our nation’s entire infrastructure.

The 2013 outage resulted from an equipment failure, not a security problem. It was accidental. It is those outages caused by premeditated actions and intentional damage we need to improve our protection against. As recently as March of this year the U.S. Director of National Intelligence called cyber security attacks tops on the list of threats facing the country.
According to a classified US Department of Homeland Security (DHS) report, Chinese-linked cyber espionage campaigns targeted 23 US natural gas pipeline operators between December 2011 and June 2012. The companies were targeted through spear phishing attacks.

OPPD employees play an instrumental role in the cyber defense for our utility. It’s only a matter of time before some campaign is mounted against the national, regional or local electric grid. Following the prescribed security standards helps us keep our defense solid.

North American Electric Reliability Corporation (NERC) Quarterly Update

OPPD’s NERC CIP Cyber Security Policy
CIP-003-3 R1

OPPD’s NERC CIP Cyber Security Policy represents OPPD’s commitment and ability to secure NERC CIP related assets and cyber assets. As required by NERC, OPPD’s NERC CIP Cyber Security Policy identifies OPPD’s responsibilities pertaining to security and compliance actions in relation to the following NERC CIP Requirements:

Cyber Security – Critical Cyber Asset Identification, CIP-002
Cyber Security – Security Management Controls, CIP-003
Cyber Security – Personnel and Training, CIP-004
Cyber Security – Electronic Security Perimeter(s), CIP-005
Cyber Security – Physical Security of Critical Cyber Assets, CIP-006
Cyber Security – Systems Security Management, CIP-007
Cyber Security – Incident Reporting and Response Planning, CIP-008
Cyber Security – Recovery Plans for Critical Cyber Assets, CIP-009

OPPD employees and contractors with authorized NERC CIP Access can locate a hard copy of the OPPD NERC CIP Cyber Security Policy in or around NERC CIP Physical Security Perimeters. For OPPD employees, the OPPD NERC CIP Cyber Security Policy is located on the Cyber Infrastructure webpage of the OPPD intranet. Finally, all OPPD authorized personnel who have completed the required annual NERC CIP Security Training are required to view and adhere to all requirements identified within the OPPD NERC CIP Cyber Security Policy.
OPPD’s NERC CIP Cyber Security Policy is annually reviewed and approved by OPPD’s Vice President of Energy Delivery and Chief Compliance Officer, Mr. Mohamad I. Doghman. OPPD’s Reliability Compliance Department recommends that all OPPD employees and OPPD contractors with authorized NERC CIP Access be familiar with this policy and reference the policy for any questions or concerns there may be in relation to OPPD NERC CIP assets and cyber assets.

References:
North American Electric Reliability Corporation (NERC) – Cyber Infrastructure Protection (CIP) Standards: http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Midwest Reliability Organization: http://www.midwestreliability.org/

If you have any questions or require any additional information regarding this subject, please contact Michael Nickels – OPPD Reliability Compliance Specialist, manickels@oppd.com.