Category Archives: cybersecurity

Zero Day Exploits – time to pause internal development projects?

From the WP series on Zero Day:

In recent years, there has been one stunning revelation after the next about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.

One came in 2009, targeting Google, Northrop Grumman, Dow Chemical and hundreds of other firms. Hackers from China took advantage of a flaw in Microsoft’s Internet Explorer browser and used it to penetrate the targeted computer systems. Over several months, the hackers siphoned off oceans of data, including the source code that runs Google’s systems.

Another attack last year took aim at cybersecurity giant RSA, which protects most of the Fortune 500 companies. That vulnerability involved Microsoft Excel, a spreadsheet program. The outcome was the same: A zero-day exploit enabled hackers to secretly infiltrate RSA’s computers and crack the security it sold. The firm had to pay $66 million in the following months to remediate client problems.

Makes one wonder how organizations are to develop their websites and applications and keep them secure.

Filed under cybersecurity, Uncategorized

Unintentional Risk

Yep — the leading cause of cyber security breaches — per RSA study (tip to BBC):

The security vendor RSA revealed that the majority of breaches are actually caused unintentionally by employees.

Its survey showed that firms believed 52% of incidents were accidental and 19% were deliberate.

“Unintentional risk gets overlooked, yet it’s the most serious threat to business,” said the RSA’s Chris Young.

Filed under cybersecurity

What did we learn in security school today? Sharing!

Imagine, sharing information to overcome a threat. Post story notes increased cooperation between military, private sectors.

“We shared with them the fact that we’ve got a very, very aggressive cyber threat,” said Robert Lentz, a Pentagon official who heads the partnership. The Pentagon soon will seek to amend defense acquisition rules to require cybersecurity standards for firms seeking contracts. “The sooner we all understand what’s required to protect the information in our networks, and we teach this in universities and in businesses, the better off we all will be, down to the Internet user at home,” Robert Lentz said.

Filed under cybersecurity

Cyber Sec – Collaborative approach with some tough love

At least, that is the summary of this article from the BBC:

  • “We have seen some good initiatives from industry on improving the trustworthiness of software. What I am hoping to see from government with this new post is more involvement in standards and education efforts in security.” Benjamin Jun, Cryptology Research
  • “We need to have a new security paradigm in the future. We need to have a clear idea of what our society should be at the end of the decade so this problem is addressed adequately. We must use this crisis to make the right changes.” Mark Cohn, VP Enterprise Security, Unisys
  • “The first order of business has to be to draw attention to the subject and then start working with all the agencies and organisations throughout industry and government. You have to be able to kick all these different groups in the seat of the pants to get them moving in the same direction.” Ken Silva, CTO – Verisign
  • “A key component will be co-operation and collaboration. There has been an ad hoc approach to this in law enforcement with perpetrators of a digital breach in one country while the act has happened in another.” Liesyl Franz, Tech America

Filed under cybersec organizations, cybersecurity

Weaponization of the Internet

Guess when this was written?

We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable—to the effects of poor design and insufficient quality control, to accident, and perhaps more alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.

Answer

Filed under cybersecurity

Using Education to expand broadband

Seems Internet2, EduCause, and a bunch of other folks want to be the driver (as this whitepaper says) for the ARRA Broadband initiative:

The potential for America’s future is limitless if we support the unique innovative strengths of our colleges and universities, working with other public and private sector partners to expand access to and breadth of broadband services for all of America. The robust advanced network infrastructure put into place by the research and education community and its partners is ready to serve as the foundation and springboard for the nation’s broadband strategy under the ARRA. We have a cohesive and comprehensive plan and the engine is ready. All that is needed is the fuel to drive it. Our institutions of higher education are the right core engine to launch the ARRA broadband strategy.

Check out this paper on Cybersecurity

Filed under cybersec organizations, cybersecurity

Hathaway gives away little in remarks to RSA

In her remarks, she made lots of references to Mission Impossible (e.g. this message will self destruct). But the only real substance is contained here:

  • It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.
  • no single agency has a broad enough perspective to match the sweep of the challenges
  • requires leading from the top — from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library
  • We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action
  • There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations
  • Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions
  • Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure.

and here:

  • Can we call for changes in widely shared norms?
  • Are we ready to talk openly about the challenges we face and how we share the responsibility for reversing the trend?
  • Can we create the conditions where innovation and security are mutually reinforcing and treat them as an integrated and synergistic whole?
  • Can government and the private sector, national and international parties, accelerate the changes we need?
  • And, if not us, then who?
  • If not now, then when?

Filed under cybersec organizations, cybersecurity

Cybersec – paying attention

From CNET (Stephanie Condon). Sen. Jay Rockefeller says:

“I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said at a hearing this week, referring to cybersecurity.

So, according to Ms. Condon’s report, Sens. Rockefeller and Snowe are drafting legislation to create the Office of the National Cybersecurity Advisor with omnipotent powers to disconnect any piece of critical networks which threaten US security.

Filed under cybersecurity, policy tools

Credit Card Vendors policing cybersec

PIC agreements as a tool to secure cyberspace… at least it’s a private sector approach to a market problem. SecurityFix notes:

According to a message posted at TrafficConverter2.biz and its sister sites, the program’s credit card payment processor pulled the plug on them shortly after our story ran.

Filed under cybersecurity, policy tools

Who can do security – A problem of collaboration?

CNET’s Declan McCullagh summarizes the discussion of who should be managing cybersecurity (a good article).

Part of official Washington’s dissatisfaction with DHS involves disagreements with not just who should handle cybersecurity topics, but what should be done. Security hawks would like the government to have the authority to order around the private sector. Defense hawks would like more focus on offensive “cyberattacks.” Privacy advocates worry about Homeland Security’s expansive mission, and remember how the NSA and FBI fought for many years to restrict domestic use of encryption.

James Lewis of the Center for Strategic and International Studies said:

Our report concluded that the market would never deliver adequate security and the government must establish regulatory thresholds for critical infrastructure. We proposed a new, more flexible approach to developing regulation that was based on close cooperation with industry in developing standards and an avoidance of prescriptive regulations that spell out in precise detail what companies must do.

Amit Yoran of Netwitness Corporation testified:

In Rod Beckstrom’s resignation letter last week, he states, “NSA effectively controls DHS cyber efforts thru detailees, technology insertion and the proposed move of NPPD and the NCSC to a Ft Meade NSA facility. NSA currently dominates most national cyber efforts…The intelligence culture is very different than a network operations or security culture. In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.” This could not have been more accurately stated. We must enable civil government to succeed at this mission.

In reference to tools required to better work with private sector partners, he notes:

A deeper understanding of cyber defense and security operations in the private sector is required by those crafting the evolution of these programs or future programs so that adequate incentives can be appropriately incorporated into these programs. Such incentives might include tax consequences, fines, liability levers, public recognition, or even at an operational level, such as the sharing of threat intelligence, technical knowledge or incident response support to name just a few.

Mary Ann Davidson, CSO of Oracle, summed up:

In the same way our nation’s electrical grid, pipelines, roads and railways support our military but are not run by our military, our critical cyber infrastructures and the companies who create them cannot simply fall under military control. Of course our government should defend our cyber interests, but in the same way we would abhor a military presence at every intersection, we must also ensure civilian control over the normal operation of our digital highways.

David Powner of the Government Accountability Office offered the following recommendations:

Key Strategy Improvements Identified by Cybersecurity Experts
1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
7. Bolster public/private partnerships through an improved value proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

Scott Charney, VP of Microsoft’s Trustworthy Computing, spoke of the “imperative to radically evolve and elevate the public private partnership model; the need for an identity metasystem that makes the Internet dramatically more secure while protecting important social values such as privacy and free speech; and the necessity for a new regulatory model that protects innovation while providing appropriate government oversight.” He summarizes a history of public-private partnerships constructed to manage cybersecurity problems:

Since the 1990s, well-intended public private partnerships have been created to address this need, yielding a perplexing array of advisory groups with overlapping missions, different stakeholders with varying capabilities, insufficiently articulated roles and responsibilities, and plans with literally hundreds upon hundreds of recommendations. In the few instances where groups overcame institutional adversities and developed meaningful recommendations, the repeated unwillingness or inability to implement those recommendations at the Federal level has damaged the partnership significantly. Absent a comprehensive national strategy and clear purpose, both government and private sector stakeholders will continue to struggle to be effective.

Filed under cybersecurity