Cyberwar, Forensics, Security Management

Cyberthreats – Are You Ready?

Within the last week, there have been two articles on major news sources regarding the importance of Cybersecurity in the Information Age.   I’ll summarize them below. These articles demonstrate how everyone needs to have an awareness of cyber threats and the ways to handle them.  We’ve seen a good trend in that Cybersecurity is now (finally!) taking a priority for organizations. Whether it’s protecting from Cyberthreats or responding to Cyber incidents, Companies need a security plan of action. They can no longer hide from Cyber risks, but proactively address them.

ABC News – FBI Director Says Cyberthreat Will Surpass Threat From Terrorists (http://abcnews.go.com/blogs/politics/2012/01/fbi-director-says-cyberthreat-will-surpass-threat-from-terrorists/)

FBI Director Robert Mueller and National Intelligence Director James Clapper testified this week before the Senate Select Committee on Intelligence on Cyberthreats. The threat of economic fraud and espionage from state actors such as Russia and China is a real and growing concern. “We foresee a cyber-environment in which emerging technologies are developed and implemented before security responses can be put in place,” Clapper said. The article lists many of the complex computer breaches that highlight the wide array of threats the officials were testifying about.

 

 USA Today – Want CSI without the blood? Investigate computer forensics                                                                                    

The Television show CSI and its spin-offs has greatly enhanced the profile of forensics practices. Of course, it’s not as easy as it looks on TV. Computer forensics is a skilled discipline that takes years of practice to perfect to ensure all evidence is properly obtained and secured. Today, there’s a huge need as most investigations involve some aspect of information technology. 

This article in USA Today discusses the increasing prevalence of computer forensics in law enforcement and investigations. It quotes that “Bureau of Labor Statistics estimates computer forensics jobs are expected to grow more than 13 percent in the next several years.”  The growth isn’t limited to only computer forensics, but all aspects of Cybersecurity.  The National Security Agency has plans to hire 3,000 specialists to combat the thousands of cyberattacks every day in the United States, while the Department of Homeland Security is hiring about 1,000 more Cybersecurity specialists

These articles show that a new warfront is cyberspace. As a nation, individuals and organizations need to step up their cyber protections and be ready when cyber attacks occur.

We will discuss this and many other aspects of Cyberwar in our webinar / live debate on Wednesday, February 22nd.  See http://www.bellevue.edu/cyberwar/ for details and to register.

Online Safety Tips, Security Education

Staying off of the suspect list

Often, we’re our own worst enemy.  We do things that make us a likely target for blame.  In other words, we’re on the suspect list.  We receive the blame when something goes wrong because of our actions or the access we maintain.

The idea is to keep yourself and other off of that list.  First of all, it disrupts the investigation in finding the true source of the problem.  Second, it causes others to distrust those on the suspect list, even if their innocent.  The best way to prove innocence is to have a clear name from the onset.

Often security professionals and IT managers have access to many systems, applications, or facilities. They believe it’s required because of their position or responsibility.  The problem is that having access puts them on the suspect list.  Many times I’ve been accused when there were network issues.  “Were you running one of your security scans again?” was a common statement aimed at me just because I had the ability to run scans, not that I did.

Often other activities may add us to the “suspect list”, such as browsing the Internet, transferring documents from home to work and vice versa, clicking on links in email, or installing freeware or shareware applications on a work computer. While they’re not bad in and of themselves, these actions do have potentially dangerous consequences.

Here are five things you need to do to keep yourself off of the suspect list:

  • Limit your access.  This is the concept of least privilege.  If you don’t need it or don’t use it every day, disable or delete your access to it.
  • Only use administrator privileges when you administer the system.  If you’re always logged as an admin, then you’re just asking for trouble.
  • Freeware isn’t always free and shareware may mean your sharing more than the program.  Finding programs on the Internet may save money in the short run, but they occasionally contain hidden malware than can take down your system.
  • Think before you click.  Be aware of where you go on the Internet.
  • Keep your secrets secret.  If you allow others to use your login id or badge, then that person is you and you’ll be on the suspect list if something goes wrong. Badges and passwords are like gum, it’s not cool to share once used. 

Security’s objective is to keep people off of the suspect list.  We know that the great majority of our work force wants to do what’s right.  We want to help you.  Like the police, our objective isn’t to get you into trouble, but to keep you out of trouble.  Consider what you should do to keep yourself and others off the suspect list.  It will make your life much easier.

Security Management

Ten Years of Trustworthy Computing

I have to admit it, I’m proud of Microsoft.  After taking a beating for many years, Microsoft has gotten security right.  It’s embedded in their development lifecycle and their update strategy has become a de facto standard.  Many companies now provide regular patches and have made it easy for end users to ensure their applications are up-to-date.

Ten years ago on January 15, 2002, Bill Gates released a historical memo announcing the new strategy of “Trustworthy Computing.” This required security to be a priority and that secure practices be embedded throughout the development and maintenance of their products.  This started a history of openness for Microsoft on many security initiatives. You can view the history of Trustworthy Computing at http://www.microsoft.com/about/twc/en/us/history.aspx.

Even though they don’t share their source code, they do share many other things such as their Security Development Lifecycle.  This is the process for assuring that security is considered as an application is being developed.  Microsoft requires their developers follow this process and understand the concepts of developing secure products.  In my opinion, all development efforts should have this requirement, but it seems that it continues to be lacking.

Also part of the Trustworthy computing initiative started ten years ago is Microsoft’s update strategy. Initially, patches were released as they were ready. That caused problems for systems administrators, so Microsoft decided to roll out patches once a month on the second Tuesday.  That practice continues today.  To ensure there are no surprises, Microsoft even provides advanced notification a week before, which provides a high-level overview of what to expect.  The Microsoft Security Bulletins page (http://technet.microsoft.com/en-us/security/bulletin) shows current and past updates.

Microsoft, you’ve come a long way baby.  You are a leader who has taken their role seriously and provided many good products, resources, and references. You continue to live and breathe Trustworthy Computing.  I just hope you can keep it up.

References:

Online Safety Tips, Security Education, Security Management

2012 Webinar Announcement

2012 – The Year of Online Protection

2011 was the year of the breach.  2012 should be the year was get security right and start protecting ourselves, communities, organizations and families online.

To help kick-off the New Year, I’m hosting an online seminar titled, “Protecting yourself and your company from the evils of the internet in 2012.”  It is scheduled for Wednesday, January 25 1-2 p.m. CST and you can see it freely online, once you register.

From our Seminars and Outreach page:

Ron Woerner, Director of Bellevue University’s Master of Science in Cybersecurity program, will discuss the perils of the Internet, how hackers can take over your computer and how they access your private information. It’s not all doom and gloom, though. Woerner will suggest ways to protect yourself and your company in 2012. Come to this online presentation with your questions on online safety and security. You will have the opportunity to participate in a live question and answer session with Woerner following the presentation.

It’s going to be more than just your typical & basic keep yourself safe online talk.  I will be providing detailed tips, tricks, and techniques to keep 2012 from being another Year of The Breach. It will end with a chance for you to ask your questions about online protection to help you focus your security activities in 2012.

Please join in the conversation if you want to learn more about online safety, hear about our Cybersecurity programs, or are just looking for certification credits.

To learn more and register for the event, go here: http://www.bellevue.edu/cybersecurity/.

Concepts, Research

The Turning of a Year

HAPPY 2012 to All!

The end of one year and the start of another is a good time to both reflect and plan.  We should look back a little at what happened in the past year and use that to look ahead into the new one.  To paraphrase the famous quote by George Santayana, “Those who don’t learn from the past are doomed to repeat it.” 

In many ways, 2011 was a booming year for the Cybersecurity industry.  Many organizations realized the need for better security practices and tools.  Unfortunately, this was due to the multiple breaches.   According to the Privacy Rights Clearinghouse (PRC), there were 535 breaches during 2011, involving 30.4 million records containing sensitive information.   (See the full story here: https://www.privacyrights.org/top-data-breach-list-2011.)  Jim Lewis, a co-blogger on this site, posted a short list of major events from 2011 with his post Major cyber security events of 2011.  

My list is similar, but takes a different perspective:

  • Sony PlayStation Network (SPN) – Sony disclosed in April an external intrusion where the thieves stole millions of online IDs and passwords and gained access to account holders credit cards.  A concise history of the Sony hacks can be found here.
  • Epsilon, an email service provider for other companies reported the largest security breach ever with at least 60 million names and email addresses compromised.
  • The group Anonymous seemed to have their way on any system.  While they didn’t cause massive breaches, they did show how most organizations (like the BART subway system) are vulnerable to attack.  It forces the question, is anyone safe?
  • Sutter Physicians Services, HealthNet, & TriCare/SAIC.  I’ve combined these breaches of medical systems, although they each have their own story and lessons to be learned. These show how having lax policies for many years are now leading to breaches of sensitive medical information.  Despite the HIPAA security rules, our personal medical information continues to be vulnerable. For some it’s cheaper to risk paying fines than it is to secure the data.

As we move into 2012, we need to reflect on these breaches and their root causes. Here are some of my thoughts on their lessons learned:

  • Approximately 30% of users reuse passwords across Internet sites.  If a thief discovers one password (like at SPN), then it can be used at many others. We need to educate our users to have different passwords, especially for sites containing their sensitive information.  Better yet, we need to encourage the use of tokens or other forms of multi-factor authentication.
  • It may seem innocuous when our names and email addresses are disclosed, but that can open us up to spear phishing attacks. This is when a criminal directly focuses fraudulent email at us to try to deceive us into disclosing more personal information.  The end result is identity theft.  There are two things to remember: (1) protect your name and email and (2) be on the look-out for any type of phishing attack.  If you’re unsure about a text, tweet, or email, contact the sender offline (telephone if possible) to confirm the message.
  • Policies and laws are in place, but are not consistently followed.  There are often no repercussions for failure to follow the policies and procedures to protect our personal information.  Compliance and governance would solve this issue for many organizations and could help prevent future breaches.

In 2012, we’ll continue to see the move to anytime, anyplace computing as more people move to smartphones and tablets for their basic business. Data will continue to be pervasive as more people trust cloud services.  It provides great convenience, but at what cost?  Diligence will continue to be the key for both individuals and organizations. If you can develop and keep a security mindset, it may save you many headaches in both 2012 and years to come.

What do you think will happen in 2012?     

Have a happy, safe, and secure 2012.

Cyberwar, Security Assessments

Major cyber security events of 2011

I just read an article in the Financial Post (a Canadian paper) highlighting some of the major cyber security events of 2011.  Clearly these are not all the events and perhaps they are not even the most significant in some cases…but they serve to remind us of the pervasive and ubiquitous nature of the threats we face.  “Shields up, Mr. Spock.”

____________________________________________________________________________________________

http://business.financialpost.com/2011/12/28/major-cyber-security-events-of-2011/

  Dec 28, 2011 – 8:29 AM ET

Early January — Canadian Department of Finance/Treasury Board
Hackers believed to have been based in China breached the security of Canada’s two primary economic nerve centres, gaining access to classified data before they were discovered. The same hackers were also believed to be responsible for failed attempts made against the systems of several noted Bay Street law firms several months later.

Early February — Nasdaq Stock Exchange
America’s largest electronic stock exchange was revealed to have been repeatedly penetrated by computer hackers over 12 months. While the trading platform itself was never breached, subsequent investigations found relatively lax security allowed hackers to gain access to other Nasdaq systems.

February/March — Online dating and travel advice sites
Plenty of Fish and eHarmony, among the world’s two largest sources of people digitally searching for dates, had some of their user accounts exposed over a two-week period, allegedly by the same hacker. Weeks later, TripAdvisor, the world’s largest travel Website, had email addresses belonging to some of its 20 million-strong user base stolen.

April/May — Sony PlayStation Network
More than 100 million users of Sony Corp.’s online gaming platform had their accounts breached in what remains the most widespread cyber attack of the year. The potential cost to Sony has been estimated to range as high as US$24-billion.

Late May — Weapons producers
Lockheed Martin Corp., the world’s largest producer of military-grade weaponry, narrowly managed to thwart what it described as a “significant and tenacious” attack on its systems. Other major defence contractors such as General Dynamics Corp, Northrop Grumman Corp and Raytheon Co. were also targeted.

May 26 — U.S.-Stuxnet connection made
William Lynn, deputy Secretary of Defence of the United States, refused to deny U.S. involvement in the creation of the Stuxnet worm used against the Iranian nuclear program in 2010 during an interview on CNBC.

Early June — International Monetary Fund
A cyber attack described as “sophisticated” and “very major” by senior IMF officials struck the global economic stabilizer at some point over the last several months, the New York Times first reported on June 12. The Washington D.C.-based fund contains a treasure trove of highly sensitive economic data.

Early August — Operation Shady RAT exposed
McAfee Labs uncovered details of a coordinated five-year cyber warfare campaign against the networks of 72 organizations including the United Nations, governments and companies around the world. Dubbed ‘Operation Shady RAT’, the company called it the ‘biggest series of cyber attacks’ in history and many fingers pointed to China as the culprit.

Late October — “Nitro Attacks” revealed
Symantec Corp. released details on a series of attacks launched against “multiple” Fortune 100 companies involved in the industrial chemical production sector. A total of 48 companies around the world were believed to have been victimized by that single coordinated attack. The world’s largest maker of security software also revealed a survey finding controllers of critical infrastructure were growing complacent with their own security procedures.

Early November — Biggest cyber criminal takedown in history
Working with members of the Estonian police, the U.S. Federal Bureau of Investigation executed what has since become known as the rgest single takedown of a cybercrime syndicate in the history of the Internet, arresting the alleged ringleaders of a US$14-million cyber crime spree. Known as ‘Operation Ghost Click’, the victory was heralded as a sign law enforcement was finally beginning to overcome a key obstacle in digital crime investigations: Actually tracking down the perpetrators in the real world.

Mid-November — Canada commits nearly half-a-billion to cyber defence
Recognizing the growing digital threat, made clear and brought close to home by the attacks against two federal departments in early 2011, Ottawa earmarked $477-million for access to U.S. cyber defence capabilities. Known as Global Mercury, the new capabilities are expected to come into force before the start of 2012.

Security Education

Happy Holidays from the BU CCE!

Happy Holidays from the Bellevue University Center for Cybersecurity Education!

In this holiday season of giving, we are using online merchants more than ever.  They provide an easy and convenient way of finding that perfect present for your loved ones.  Of course, these merchants don’t take cash or check; you must use some type of credit.  To help protect your online financial identity, this blog post provides some simple tips to help you keep your online buying safe.

You can protect yourself online anytime of the year by doing a few very simple things:

  • The best thing you can do as a user is to stop and think about the websites you visit and the business you conduct online.   
  • Don’t click links assuming they are legitimate; always verify where they take you.  Remember, if it is too good to be true, it probably is!
  • Use unique passwords for your accounts.  Ask yourself if you could use those passwords at work.  If you can, those passwords may help provide at least some level of protection.  Change your passwords often and make them different.  These passwords are an attacker’s access to your accounts; protect the passwords as you would protect the keys and title to your car.
  • Check your credit report once a year for free at www.annualcreditreport.com.  Make sure there is nothing appearing that you don’t agree with or know about.
  • Use a credit card or payment service like Paypal.  That greatly limits your liability should your card number or payment be stolen.
  • Secure your personal data on your PC as you would your paper files.

By maintaining a little vigilance, you can save yourself many headaches.  Please help share the word about online safety.  Also, share your tips, so we can all learn.

We hope everyone has a safe and secure holiday season!

Human Aspects, Online Safety Tips, Security Education

Congratulations – You are a WINNER!

Everyone wants to be a winner. You may have seen the pop-up or big letters on a webpage announcing that you have won an iPad2, $1000, or some other grand prize.  All you need to do is “Click here to win your prize!”  It seems simple and harmless, but you should know where it is taking you, what you’re giving up, and what could be loaded on your computer. 

Users are taken to these sites when they mistype well known domain names such as wikipedia.com, amazon.com, and youtube.com.  (I’ll let you conduct your own research, but you can see a list here: http://www.bfk.de/bfk_dnslogger.html?query=69.6.27.100#result. They all resolve to the same IP address. I don’t want anyone accidently clicking on a link to a bad site.  Proceed at your own risk!)   

I’ve included a screenshot as an example:

Example of winning page

To “claim” your prize, you need to enter much of your personal information on a site whose origin is questionable.

Some of these websites even have their own form of privacy policies stating exactly what they’d do with your personal information.  Basically, once you give it to them, they can do with it as they please.

They can sell it, give it away, or use it without ever informing you or asking further permission.  They can even perform further background checks on you.  Since you agree to the policy when you click submit, there may be nothing you can do to stop them; especially if the site owners are in another country.

To avoid this type of fraud, it’s important to remember, “Stop. Think. Click.” from staysafeonline.org. The Protect Yourself website (http://www.staysafeonline.org/in-the-home/protect-yourself) contains a number of great tips to help all webizens. From that website, comes this: 

“Use your judgment about what you post about yourself on Internet sites. When any site requests information about you, ask these questions:

  • Who is asking?
  • What information are they asking for?
  • Why do they need it?

Think about the amount and detail of information being requested.”

Another good website on Identity Theft protection is from the U.S. Federal Trade Commission (FTC): http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm.  What other websites do you recommend? 

Are there other tips you recommend to keep yourself and others safe and secure online?  Feel free to leave comments below. 

Be aware when you surf and remember to “Trust, but verify.”

Security Management

2011 USSTRATCOM Cyber and Space Symposium

USSTRATCOM has just released the symposium videos from the speaker and panel presentations.  If you missed the symposium, I encourage you to view some of the videos.  Video files and presentations from the featured speakers and panel sessions are available at http://www.afcea.org/events/stratcom/11/presentations.asp.

One panel that I found to be most enlightening (maybe because I have been saying some of the same things!), was the Cyber Industry panel.  It is all very good, but if you are in a hurry, listen to Scott Montgomery speak (minutes 44 to 48) on this clip: http://www.slideshare.net/afcea/stratcom-day2-session-12

What do you think?  How do we integrate/use/capitalize on all the newest concepts and still maintain sound security practices?

Security Education, Security Management

Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise

Fresh off the press:  The Department of Homeland Security (DHS) has published and released strategy guidelines for the enforcement of cybersecurity. It provides a road map for cybersecurity efforts while observing the need to preserve civil liberties, protect privacy, bolster national security, and provide the ability for the private sector to effectively operate and innovate in cyberspace. The full text of the Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise can be found here:

Source:  http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf

I think it is a sound document that is probably worth taking the time to read, especially for cybersecurity professionals whether working in government or private sectors.   Let’s face it, we all share the same cyber “ecosystem.” 

One area in the blueprint caught my attention:

…10. Develop the Cyber Workforce in the Public and Private Sectors: Maintain a strong cadre of cybersecurity professionals to design, operate, and research cyber technologies, enabling success against current and future threats.

Core capabilities for the homeland security enterprise are:

Development of a rigorous cybersecurity and software assurance curriculum, and sustained enrollment in targeted fields of study. Relevant disciplines include science, technology, engineering, and math. The National Initiative for Cybersecurity Education (NICE) will strengthen formal cybersecurity education programs and use competitions to develop skill sets from kindergarten through 12th grade, and in higher education and vocational programs. Additionally, four-year colleges and graduate-level universities may apply to be designated as a National Center of Academic Excellence in Information Assurance Education.

There are two points I would like to highlight from this quote:

1.  The fact that you are reading this blog on the Center for Cybersecurity Education website means that you are making an effort to increase your knowledge on cybersecurity issues.  Good job!

2.  Bellevue University is very serious about developing the rigorous curriculum described above.  In fact, BU is in the process of applying to be designated as a National Center of Academic Excellence in Information Assurance Education.  We should know the results in the next few months.

 So, what are your thoughts about the blueprint? Is it relevant or useful?