Welcome to ISSA KC

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. Through its membership, ISSA-Kansas City helps security professionals in the Kansas City area stay informed about information security issues and trends, promotes education, collaboration, and leadership, and furthers the information security profession.

The Government Wants You—To Hack U.S. Election Systems

Posted by VP ISSA Wednesday, November 15, 2017



Two U.S. senators have introduced bipartisan legislation aimed at protecting American election systems from foreign interference.

The Securing America’s Voting Equipment (SAVE) Act would help shield voting systems, registration data, and ballots from theft, manipulation, and malicious computer hackers.

And it asks for your help to “hack the election.”

Among various authorizations and mandates, the proposed bill includes the creation of a “Cooperative Hack the Election” contest: participants work with vendors to uncover (and ultimately defend against) threats to electronic voting systems.

The goal of the annual bug bounty program is to “strengthen electoral systems from outside interference”; whoever discovers the most significant vulnerabilities earns an as-yet-unspecified award.

Hackers, however, may not “exploit” uncovered vulnerabilities or “publicly expose” them, according to the legislation.

“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders,” Sen. Martin Heinrich (D-N.M.), who co-wrote the bill with Sen. Susan Collins (R-Maine), said in a statement. “We must do everything we can to protect the security and integrity of our elections.” The move comes after reports that election-related networks, including websites, in 21 states were targeted by the Russian government during the 2016 campaign.

If enacted, the SAVE Act would invite developers, network specialists, security experts, cyber criminals, and anyone with average computer skills who lives in their parents’ basement to infiltrate nationwide systems.

It also facilitates information sharing, provides guidelines for best practices, and entitles states to additional funding to develop their own solutions to election threats.

The Department of Homeland Security in June confirmed that “a small number” of voting networks—including those in Arizona and Illinois—were successfully compromised last year. Reports also suggested that voter registration databases in 39 states were penetrated.

Collins called this a “truly disturbing” reality that should “serve as a call to action to assist states in hardening their defenses against foreign adversaries that seek to compromise the integrity of our election process.” “Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich added.
(Fortunately, this bill (S.2035) is being given only a 4% chance of actually becoming law.)
Title I calls for the Director of National Intelligence to sponsor a security clearance up to Top Secret for each eligible chief State election official and one designee of such official. In general, the chief State election official is the state’s Secretary of State. There is no mention of what happens if the designated officials either are not eligible for a security clearance or fail a required background check. Title II directs the Secretary of Homeland Security to designate voting systems used in the United States as “critical infrastructure”. The definition of “critical infrastructure” as used in this bill is:
42 U.S.C. §5195c(e)
(e) Critical infrastructure defined
In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
While the protection of voting systems is certainly important, I am not sure the designation as critical infrastructure is appropriate. Also, the designation of voting systems as critical infrastructure extends federal government control into an area traditionally left in State control. Title II also makes funds available in the form of grants for States to upgrade their voting systems, but those grants would be made available only to States that implement the best practices dictated by DHS. I don’t really have an issue with making funds available, but I think the States should be the ones to determine the best security practices for their own systems. Otherwise, there is too much potential for federal government overreach and mischief. (Just my opinion.)
Title III is the one that establishes the “Cooperative Hack the Election Program” and directs the DHS Secretary to develop the program which would include the creation of “an annual competition for hacking into State voting and voter registration systems during periods when such systems are not in use for elections”.
While I understand and accept the desire and need to discover vulnerabilities in computing systems, this is the type of activity that should never be done on live, production systems. It should only take place in controlled, test and development environments, designed to duplicate live environments.
Title III provides a safe harbor from prosecution under 18 U.S.C. §1030, Fraud and related activity in connection with computers, for activities conducted that are associated with the program.
My feeling is that this is ill advised. Offering rewards to people for attempting to break into computer systems, especially live, production systems, even within certain constraints, is not a good idea. Nor is it a prudent use of taxpayer funds. My personal opinion is that, if the States want to standardize security requirements and procedures for voting systems, it should be left to the National Association of Secretaries of State and the National Association of State Election Directors. They are responsible for the conduct of elections and can establish the standards, including the certification of vendors and equipment. If they want to consult with NIST, fine. Authorize block grants to those associations for that purpose if necessary and keep the federal government out of it (Joe Butin, CISSP, CIPP, e-mail message, November 9, 2017).


Experts Weigh Pros, Cons of FaceID Authentication in iPhone X


Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and the dimensions of their features. The data is stored locally in the iPhone's Secure Enclave and never leaves the device.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Apple puts the chance that a random person's face is similar enough to a user's to unlock FaceID at one in 1,000,000, the same odds as guessing a random six-digit passcode on a single try. For TouchID, the chance that a random person's fingerprint unlocks the iPhone is one in 50,000.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is that, in its current implementation, only one face can be enrolled per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains and reproduces a user's fingerprint, and the user becomes aware of it, the user can simply enroll a different finger.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. A passcode cannot be lifted from a user's body the way a fingerprint or face can, but it can be shoulder-surfed, or coerced out of the user. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."

HH Nov 9th 2017

Posted by NB Friday, October 27, 2017


Time for Happy Hour/Networking!

Please join ISSA chapter members and other security professionals for Networking Affair!
This networking affair/happy hour is held at La Bodega, Leawood, KS from 5:00 PM to 7:00 PM. This event is a great opportunity to become acquainted and interact with ISSA chapter members and other professionals. Come along and join ISSA chapter members and other security professionals for a lively happy hour!
Date: Thursday, Nov 9th
Time: 5:00 PM to 7:00 PM
Location: La Bodega, 4311 W 119th St, Leawood, KS

October 2017 Chapter Newsletter

Posted by Administrator Monday, October 16, 2017

The October edition of the ISSA newsletter is now available.

October 2017 Chapter Meeting

Posted by Administrator

On October 26, 2017, ISSA-KC Chapter members and other security professionals will gather at Brio on the Country Club Plaza in Kansas City, MO, to network and attend the monthly chapter meeting and presentation.

Speaker:  Kelly Lipprand, Zerto

Kelly Lipprand is a Systems Engineer for Zerto supporting Kansas, Missouri and Nebraska. He has worked in high-tech and IT for over 15 years. He has extensive experience in designing and deploying converged infrastructure for public, private and hybrid cloud as well as VMware and Microsoft operating systems and software. He holds current Cisco and VMware certifications. Kelly has also directed deployment of data center infrastructure and circuits for multiple regional locations. He has spoken publicly, nationally and internationally, at large trade shows and film festivals on many different subjects. Kelly is a foodie and loves to travel. He currently resides in Kansas City with his wife. He can be reached at kelly.lipprand@zerto.com.

Topic:  Evolve Beyond Disaster Recovery to IT Resilience

IT resilience is achieved when a company is capable of responding to a disruption so quickly that end users and customers are not aware that a disruption occurred. Organizations that embrace this concept, which is essentially a more proactive approach to BC/DR, focus on continuous availability rather than recovery after the fact. Automation and simplification of replication and recovery are part of resilience, and ensure that companies can prove the availability of their applications and data at any time. In this presentation, learn how Zerto works toward a complete solution with no dependencies on hypervisors, hardware, or clouds in order to achieve IT resilience.

Location:

BRIO Tuscan Grille, Country Club Plaza, 502 Nichols Rd, Kansas City, MO 64112

Agenda:
11:30 AM - 12:00 PM Greeting and registration
12:00 PM - 1:00 PM - Meeting & Presentation
1:00 PM - 1:30 PM - Questions, Answers & Networking

Menu:

Salad; choice of Chicken, Salmon or Pasta; Soft drinks, Iced Tea, Coffee
*Vegetarian option available, please note at registration at Brio
*Menu subject to change.

Price:
$20.00 for ISSA Members,
$30.00 for Guests/Non-Members
Maximum Reservation: 35
Credit(s): 1 CPE credit

We look forward to seeing you at the event. If you have any questions about the event or how to register, please write to the chapter RSVP email address, or contact the venue for directions.


September 2017 Chapter Newsletter

Posted by Administrator Monday, September 11, 2017

The September edition of the ISSA newsletter is now available.

September 2017 Chapter Meeting

Posted by Administrator Thursday, September 7, 2017

On September 28, 2017, ISSA-KC Chapter members and other security professionals will gather at Lidia’s Italy Restaurant in Kansas City, MO, to network and attend the monthly chapter meeting and presentation.

Speaker:  Rich Perkins

Bio Highlights:

  • Executive Level IT Security Professional with 25+ years of experience in Information Technology, 12+ years focused on Information Security and Risk Management.
  • Co-Creator of the Wireless Aerial Surveillance Platform, an autonomous aircraft with onboard Wi-Fi, Bluetooth and Global System for Mobile Communications (GSM) penetration testing capabilities as featured on CNN’s “The Situation Room” and the November 2011 issue of Popular Science. Currently on exhibit at the International Spy Museum in Washington DC.
  • Served as the Data Loss Prevention subject matter expert, setting governance and policy as well providing technical expertise allowing full integration between Express Scripts and Medco networks.
  • Served as the Air Force voting member and subject matter expert on the Cross Domain Technical Advisory Board assessing risk of cross domain solutions for the entire Department of Defense (DoD).
  • Served as the Air Force voting member on the Technical Risk Rating panel certifying the technical risk of mission-critical cross-domain technologies.
  • Served as instructor and mentor leading the EADS NA DS3 companywide CISSP mentoring program from 2006-2010.
  • Created the patented Advanced Risk Management of Enterprise Security (ARMOES®) to enable automatic tracking/reporting of vulnerabilities within DODI 8500.2 compliant systems.
  • Served as the lead technical security engineer performing Certification and Accreditation Security Tests and Evaluations, ensuring secure systems were created and deployed on the Air Force and DoD Global Information Grid (GIG).

Topic: New Era in Endpoint Security

A look at the current state of endpoint security, and how we need to change our way of thinking in order to get ahead of the attackers.

Location: Lidia’s Italy Restaurant, 101 W. 22nd street, Kansas City, MO. 64108

Agenda:
11:30 AM - 12:00 PM Greeting and registration
12:00 PM - 1:00 PM - Meeting & Presentation
1:00 PM - 1:30 PM - Questions, Answers & Networking

Menu:
Pasta Tasting Trio - A sampling of three daily-made fresh and filled pastas.
Biscotti Platters - An assortment of house-made cookies & sweets to pass and share family style.
Soft drinks, Iced Tea, Coffee
*Vegetarian option available, please note at registration
*Menu subject to change.

Price:
$20.00 for ISSA Members,
$30.00 for Guests/Non-Members
Maximum Reservation: 35
Credit(s): 1 CPE credit

We look forward to seeing you at the event. If you have any questions about the event or how to register, please write to the chapter RSVP email address, or contact the venue for directions.

Upcoming Events


Feb 22nd, 2018 - Chapter Meeting

Past events:
Jan 25th 2018 - Chapter Meeting
Dec 15th - FBI Briefing
Nov 9th Happy Hour
Oct 2017 Chapter Meeting

ISSA’s Special Interest Groups (SIG) and Webinars:

SIG groups are: Security Awareness, Women in Security, Healthcare, Financial

ISSA KC Mentorship Program (mentor and mentee applications available)

Social Media

Chapter meetings are a great way to get to know your peers here in KC. And, if you're currently looking to make a career change, it's an invaluable way to build relationships that can provide you with the "inside information" on open security positions. Check out our LinkedIn© group, "ISSA Kansas City Chapter", where you can discuss topics, ask questions, or just meet other members.


Join our Facebook page: https://www.facebook.com/kcissa/