News from around the Internet
Cyber Security in a World with Professional Attackers
Oct 11, 2012
I'll be giving a talk at the Sacramento chapter of the Information Systems Security Association (ISSA) meeting Friday, October 19. Here is the abstract:
The cyber security market is a $70 billion market that is expected to grow to $120 billion in the next five years. Yet despite the size and maturity of this industry the cyber security market is in chaos today with attackers seemingly penetrating any organization they set their sights on. The reason for this chaos is the rise of professional attackers over the last several years. Simply put, they know how to bypass the most common security mechanisms and then operate in the shadows of an organization, sometimes for years. This talk will look at how easy it is for an attacker to penetrate an organization, operate undetected, and even cross your air gap to reach your most sensitive systems and data.
WHY IT MATTERS: Cybersecurity
Oct 11, 2012
The ideological divisions between Republicans and Democrats have grown so wide that the parties can't agree on how to confront a risk that they all acknowledge is real. At its core, the stalemate is a microcosm of the larger argument underpinning the presidential campaign: How involved should the federal government be in the economy and people's lives?
The fundamental issue is that critical elements of our national and economic security are owned and controlled by private companies. These private companies are not accountable to the voters and citizens of this country, and they may (and often do) put near-term profits ahead of long-term safety and security of their company, the services they offer, and the people of this country.
However, right now I agree with the Republicans on this debate.
Ten years ago (10!) the Federal government passed into law the Federal Information Security Management Act (FISMA) that requires government agencies and contractors that process Federal information to protect their computer systems and data. 10 years later it would be difficult to find any organization that truly complies with FISMA. Details of implementing it are still being hammered out.
Critically, the security landscape 10 years ago was very different than it is today. Highly mobile, always connected iPhones, iPads, and Android devices didn't exist. Cyber attacks were still largely the purview of individual, young, generally poorly trained hackers doing it for the thrill. Today's attackers are professionals, or more precisely, they are professional organizations. An entire economy now exists to support the professional attackers. Advanced Persistent Threats (APTs) and large-scale cyber espionage hadn't really emerged.
Given the track record of government mandated computer security – e.g., Computer Security Act of 1987 (anyone remember "C2 by '92"?) and FISMA 2002 – any government mandated computer security requirements passed into law today would probably not be implemented until 2022 at the earliest. Does anyone know what the computer security landscape will be in 2022?
My recommendation regarding any mandate is to let FISMA run its course. Let the government finish hammering out the details, roll out implementations throughout the government, and evaluate how effective the implementations are against modern, professional attackers. If they prove effective, FISMA compliant implementations can serve as shining exemplars for private industry to follow.
Cybercriminals plot massive banking Trojan attack
Oct 5, 2012
An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks, security firm RSA warned.
"This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale," Ahivia said. "We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale."
Cyber attacks are truly professional these days. The security strategies of five years ago no longer make sense.
Cyber Attacks on U.S. Banks Expose Vulnerabilities
Sep 28, 2012
The assault, which escalated this week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he's helping to trace the attacks.
"They had already declared they would hit these banks at these times, and still we are seeing that these banks are not able to handle these DDoS attacks," Mushtaq said. "It's clear that the current infrastructure under the control of these banks is not good enough."
Superficially these are just DDoS attacks. Nothing sophisticated (at least as reported). What makes these attacks interesting is their scale – 10 to 20 times more traffic than the typical DDoS attacks. Large institutions with great financial incentives to prevent DDoS attacks failed to prevent the disruption. This has gotten the attention of the White House.
It will be interesting to find out exactly what has changed to allow this increased traffic intensity. Is it that bigger computers with bigger pipes (e.g., servers instead of home PC computers) are being integrated into Botnets? There are companies that provide DDoS protection. Can they handle the new traffic levels, or will new strategies need to be developed? Will this mark a new chapter in cyber attacks?
Honeynet Global Visualization
Sep 2012
Eye candy for cyber security!! A real-time visual update of attacks from around the world, courtesy of The Honeynet Project.
I'm not sure if there is anything practical here for the security experts, but it is something you can put on your computer displays when you have visitors. For pedestrians, dynamic, visual information such as this can be far more effective than statistics ever can be.
White House Wants Better Cybersecurity Tools, Cooperation And Education
Sep 26, 2012
Daniel also said the government has made progress in securing its networks. To help improve security at the agency level, the administration is launching the Einstein 3 Accelerated (E3A) program for civilian government organizations through the Department of Homeland Security. It is a detection system designed to sniff out more sophisticated network intrusions, allow real time or near-real time analysis by the U.S. Computer Emergency Readiness Team and inform administrators who and what is on the network, Daniel said.
Einstein 3 Accelerated (E3A)?? I wonder what makes it "Accelerated"? And there are a lot of commercial IDS products available. Does E3A compete with them? If so, perhaps a better way to promote cyber security innovation is to buy products from commercial vendors so they have the funds to invest in new technologies.
I wonder if Einstein has improved since Richard Stiennon said "Einstein is a waste of money and a distraction"?
Cyber attacks grow increasingly reckless, official says
Sep 8, 2012
Plunkett, head of the NSA's Information Assurance Directorate, the agency's cyber-defense arm, told a university audience that "we're starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors."
I wish Deborah Plunkett would give some explicit examples. The problem is that the most sophisticated attacks and one of the few that have proven destructive in real-space were purportedly by the US. This makes the accusation that others are being "reckless" seem a little hollow, especially to those outside the US.
In July, General Keith Alexander, head of the NSA, said during an interview at the Aspen Security Forum in Colorado, that the number of computer attacks from hackers, criminal gangs and foreign nations on American infrastructure had increased 17-fold from 2009 to 2011.
I wonder if that 17-fold increase reflects the number of people increasing or the existing attackers becoming much more productive?
Will U.S. Businesses Finally Get Some Cybersecurity?
Dec 16, 2011
"It's very targeted on solving one particular problem," says Chris Padilla, vice president of government programs at IBM, which has endorsed the bill. "How do you facilitate the sharing of information between business and government when there's an attack, and how do you shut the attack down?" Liability protection against errant lawsuits, he says, is a key part of that picture.
Then there are the cases we don't know about. An indication: Symantec sells network-security software to companies and updates that software to address new attacks it wants to protect customers against. Symantec sent out 20,254 updates in 2002. That rocketed to 113,081 in 2005. Last year—reflecting the escalating assault on U.S. companies—Symantec issued 10 million updates.
"If you think of the cyberdomain as these individual companies defending their companies, theirs is a perimeter defense," says Michael Hayden, former head of the CIA and the National Security Agency. "The NSA is way beyond the perimeter fence. We have a lot of talented players on the sidelines. This is our chance to get more of them in the game."
This article is basically a summary of the White House's recent strategic plan for federal cybersecurity, but what caught my eye were the statistics from Symantec and the quote from Michael Hayden. With the number of malware increasing so fast (Symantec is averaging 19 updates per second!) a more tractable approach may be to profile the attackers and look for attackers' profiles in meta-patterns in your network.
Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program
Dec 2011
A primary objective of the Federal cybersecurity R&D strategic plan is to express a vision for the research necessary to develop game-changing technologies that can neutralize the attacks on the cyber systems of today and lay the foundation for a scientific approach that better prepares the field to meet the challenges of securing the cyber systems of tomorrow. As a strategic plan, this document provides guidance for Federal agencies, policymakers, researchers, budget analysts, and the public in determining how to direct limited resources into activities that have the greatest potential to generate the greatest impact.
Currently, a chasm exists between the research community, which focuses on exercising research components in demonstration environments, and the operations community, which acquires system prototypes containing research components and implements them in operational environments. Bridging that chasm, commonly referred to as the "valley of death," requires cooperative efforts and investments by both the R&D and operations communities, and may involve significant risk-taking on the part of the private sector as it shepherds research results through the commercialization process.
This is a typical government document which focuses on broad, non-controversial themes. For example, what organization wouldn't want to (1) induce change, (2) base their work on sound scientific principles, (3) maximize the impact of research, and (4) transition research results into practice as soon as possible? Perhaps, by explicitly pointing these out, however, the White House is implicitly stating to the community, "You suck at these things. Get your act together."
Still, the document is relatively short and to the point. Where things will get interesting is when dollars start flowing. The goals are great. The document used the phrase "game-changing" or "change the game" 13 times. It is the flow of money (funding of research, allocations for operations, and buying of products) that will actually effect change. Time will tell.
China-Based Hacking of 760 Companies Reflects an Undeclared Cyber Cold War
Dec 14, 2011
"They are stealing everything that isn't bolted down, and it's getting exponentially worse," said Representative Mike Rogers, a Michigan Republican who is chairman of the Permanent Select Committee on Intelligence.
An informal working group of private-sector cybersecurity experts and government investigators identified the victims by tracing information sent from hacked company networks to spy group-operated command-and-control servers, according to a person familiar with the process. In some cases, the targets aren't aware they were hacked.
John Alexandersen, a spokesman for the Lundtofte, Denmark-based Thrane & Thrane, said although he couldn't "rule out" that hackers breached their networks, no confidential data was taken.
Erik Fallis, a spokesman for the California State University Network, said that following an investigation, "no evidence was found to suggest that this event compromised CSU assets."
This is the pattern you see over and over. At some point someone detects a breach. Investigators follow the data to a remote server somewhere. Upon investigation of that server they find lots of evidence of other sites being penetrated. When investigators contact those sites, they claim they have no evidence of anything being taken.
Of course they don't have evidence because they don't have the ability to even know when their stuff is stolen. They need to turn on their audit trails in order to have some chance of having some visibility into what is actually happening on their computers.
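As an added illustration of what "turning on the audit trails" buys you (this is example code written for this post, not anything from the article or the companies named in it), the script below takes outbound-connection records and the address of a server that investigators have already identified as attacker-controlled, and answers the question the quoted spokesmen could not: which internal hosts talked to that server, when, and how many bytes left. The log format, host names and IP addresses are all constructed for the example (the addresses come from the reserved documentation ranges); a real deployment would feed it proxy, firewall or netflow records instead.

```python
"""
Constructed example: correlate an outbound-connection audit trail with one
known attacker-controlled address. Without such a trail, the answer to
"was anything taken?" is "we have no evidence", which is not the same as "no".
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed audit records: timestamp, source host, destination IP, port, bytes sent.
# The destination 203.0.113.45 plays the role of the server investigators traced
# stolen data to (placeholder from the TEST-NET-3 documentation range).
SAMPLE_AUDIT_LOG = """\
2011-11-02T03:14:07Z ws-finance-12 198.51.100.7 443 18432
2011-11-02T03:14:09Z ws-finance-12 203.0.113.45 443 5120
2011-11-02T03:15:01Z srv-fileshare 203.0.113.45 443 734003200
2011-11-02T09:02:44Z ws-hr-03 192.0.2.10 80 2048
2011-11-03T02:58:13Z srv-fileshare 203.0.113.45 443 512000000
malformed line that should be skipped
"""

C2_SERVER = "203.0.113.45"  # constructed placeholder, not a real indicator


@dataclass
class Record:
    ts: datetime
    host: str
    dst: str
    port: int
    bytes_out: int


def parse_audit_log(text):
    """Parse whitespace-separated records; lines that don't fit the format are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            records.append(Record(
                ts=datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                host=parts[1],
                dst=parts[2],
                port=int(parts[3]),
                bytes_out=int(parts[4]),
            ))
        except ValueError:
            continue  # bad timestamp or non-numeric field
    return records


def trace_exfiltration(records, c2):
    """Per-host summary of traffic to the C2 address: first/last seen, connections, bytes out."""
    summary = {}
    for r in records:
        if r.dst != c2:
            continue
        s = summary.setdefault(
            r.host, {"first": r.ts, "last": r.ts, "connections": 0, "bytes_out": 0})
        s["first"] = min(s["first"], r.ts)
        s["last"] = max(s["last"], r.ts)
        s["connections"] += 1
        s["bytes_out"] += r.bytes_out
    return summary


def report(summary):
    """Render the summary as one line per host, largest volume first."""
    lines = []
    for host, s in sorted(summary.items(), key=lambda kv: -kv[1]["bytes_out"]):
        lines.append(f"{host}: {s['connections']} connection(s), "
                     f"{s['bytes_out']} bytes out, "
                     f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
    return lines


if __name__ == "__main__":
    for line in report(trace_exfiltration(parse_audit_log(SAMPLE_AUDIT_LOG), C2_SERVER)):
        print(line)
```

The point of the example is the asymmetry: the same six-line trail turns "no evidence" into a dated, per-host byte count for the file server, while a site that never recorded outbound connections has nothing to correlate against when the investigators call.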