UpGuard Blog

Almost Compliant With NERC CIPv5? CIPv6 is On Its Way

The NERC CIP v5 standards will be enforced beginning in July of this year, but version 6 is already on the horizon. Previously, we examined the differences between v3 and v5, and we saw how the CIPs related to cybersecurity were evolving. This pattern continues in v6, with changes coming to some of the cyber CIPs and the addition of standards regarding “transient cyber assets and removable media,” but the major changes in v6 have to do with scope: which facilities are required to comply, and at what level they must comply (low, medium or high impact). We’ll examine some of the differences coming up in CIPv6 and what they will mean for the industry.

Topics: security, compliance, cybersecurity, NERC

Important Changes in NERC CIP Compliance Between v3 and v5

While it’s not certain that society would become a zombie apocalypse overnight if the power grids failed, it is hard to imagine how any aspect of everyday life would continue in the event of a vast, extended electrical outage. Part of what makes electrical infrastructure resilient against these types of events is the North American Electric Reliability Corporation (NERC) regulatory standards, especially the Critical Infrastructure Protection (CIP) standards, which provide detailed guidelines for both physical and cyber security. The CIP standards evolve along with the available technology and known threats, so they are versioned to provide structured documentation and protocols for companies to move from one iteration of the standards to the next. But the jump from version 3 to version 5 involves many new requirements, so we'll look at some of the differences between the two and what they mean for businesses in the industry.

Topics: security, configuration management, compliance, cybersecurity, NERC

Inside Salesforce.com's $20 Million Dollar Firmware Bug

Salesforce.com's recent day-long outage—what many tech journalists have been referring to as "Outage #NA14"—may actually end up costing the firm $20 million, according to estimates from financial services firm D.A. Davidson. The untimely incident occurred just as the company was gearing up to report its Q1 earnings; luckily, $20 million is a drop in the bucket compared to $1.92 billion, Salesforce.com's best first quarter yet. This may be enough to pacify Wall Street analysts, but can the world's largest business SaaS provider sustain another outage of similar proportions or greater?

Topics: downtime, salesforce.com

11 Steps to Secure SQL

Whether you’re running Microsoft’s SQL Server (soon to run on Linux) or the open source MySQL, you need to lock down your databases to keep your data private and secure. These 11 steps will guide you through some of the basic principles of database security and how to implement them. Combined with a hardened web server configuration, a secure database server will keep an application from becoming an entry point into your network and keep your data from ending up dumped on the internet. When provisioning a new SQL server, remember to factor security in from the get-go; it should be a part of your regular process, not something applied retroactively, as some key security measures require fundamental configuration changes for insecurely installed database servers and applications.

Topics: SQL, security, mysql, database

Microsoft May Have Just Stolen the Future from Apple

The Mac is undeniably the platform of choice for designers and artists, and for good reason. Apple's designers—and Steve Jobs in particular, according to legend—took special care to make even the first Macs superior to PCs in ways that would matter to those in visual fields. Font selections and type rendering on computers, as one example, were decidedly crude prior to the Macintosh. It's a minor detail for the number cruncher or spreadsheet user, but can mean everything to those in the arts. For that reason and others like it, Apple has enjoyed the unflinching endearment of a certain subset of users.

Topics: developer, unix, Windows, apple

ServiceNow Enhanced by UpGuard

Service Management systems like ServiceNow provide structure, process, and auditability for the work done by IT teams. The downside for any such system is that managing changes, incidents and problems adds overhead. Creating records and describing issues takes time, and the more you can automate these processes, the more valuable ServiceNow and your team become. That's exactly what UpGuard does for ServiceNow through its change validation and unauthorized change detection integrations.

Topics: ServiceNow, Integrations, ITSM

How to Build a Tough NGINX Server in 15 Steps

Arguably, in that people literally argue about it, there are two types of web servers: traditional servers like Apache and IIS, often backhandedly described as “full-featured,” and “lightweight” servers like Lighttpd and nginx, stripped down for optimum memory footprint and performance. Lightweight web servers also tend to integrate better into the modern, containerized environments designed for scale and automation. Of these, nginx is a frontrunner, serving major websites like Netflix, Hulu and Pinterest. But just because nginx slams Apache in performance doesn’t mean it’s immune from the same security problems the old heavyweight endures. By following our 15-step checklist, you can take advantage of nginx’s speed and extensibility while still serving websites secured against the most common attacks.

Topics: nginx, cybersecurity

It's Like Updating OpenSSL All Over Again

A new high severity vulnerability in the OpenSSL library was announced today that could allow an attacker to cause memory corruption in devices handling SSL certificates. The vulnerability was caused by a combination of bugs: one a mishandling of negative zero integers, the other a mishandling of large universal tags. When both bugs are present, an attacker can trigger corruption by causing an out-of-bounds memory write.

Topics: configuration testing, security, vulnerabilities, openSSL

Cybersecurity and the State

Last week the Australian government announced a new cybersecurity initiative that will cost upwards of AU$240 million and create 100 “highly specialized” jobs. This comes on the heels of Obama’s February announcement of the Cybersecurity National Action Plan, which hopes to establish a cybersecurity committee and create a 3.1 billion dollar “modernization fund.” With business and communications now done almost entirely online, it makes sense that governments are taking cybersecurity seriously, but what does it mean for the state to establish a cybersecurity presence, and how will these initiatives ultimately play out? We’ll look at the details of both plans and how they align with their governments’ cybersecurity actions, as well as their potential impact on citizens.

Topics: government, cybersecurity

The Email Security Checklist

You’ve hardened your servers, locked down your website and are ready to take on the internet. But all your hard work was in vain, because someone fell for a phishing email and wired money to a scammer, while another user inadvertently downloaded and installed malware from an email link that opened a backdoor into the network. Email is as important as the website when it comes to security. Because email is a channel for social engineering, malware delivery and resource exploitation, a combination of best practices and user education is needed to reduce the risk of an email-related compromise. By following this 13-step checklist, you can make your email configuration resilient to the most common attacks and make sure it stays that way.

Topics: configuration testing, security, cyber risk
