Cyberwar

Cyberwar – Is it Happening Now?

I was all set to write this great piece on Cyberwar and how it’s a bunch of fear-mongering by those who don’t understand it, but Scot Terban beat me to it.  See his thought-provoking piece on InfosecIsland or his blog titled: Dr. Cyberlove… Or, how I learned to stop worrying and love CYBERWAR! (Here’s the link for those who are paranoid: http://krypt3ia.wordpress.com/2012/02/15/dr-cyberlove-or-how-i-learned-to-stop-worrying-and-love-cyberwar/).  It’s a great piece to get you thinking about Cyberwar and if we are indeed in one now. 

According to Sen Joseph Lieberman and Jay Rockefeller, we are on the brink of a cyber disaster.  They equate our cyber situation to 9/11.  Now I’m all for increasing focus on security, but not for the sake of FUD (Fear, Uncertainty, & Doubt). Selling fear never works in the long term.

Cyberwar is a sexy term that’s hotly debated.  Many take one side or the other as to whether or not we are at war over the wires (or wireless).  Can computers kill?  Are we in the land of The Terminator and Tron?  Are we on the brink of Cyber-Armageddon? Can people live without Twitter and Facebook? 

These questions and more will be addressed in the seminar / webinar / debate Dr. Matt Crosston and I are having next Wednesday starting at 1pm. If you live in the Omaha area, you can participate in the debate in person, in the Bellevue University Hitchcock Humanities Center’s Criss Auditorium. Presenters will be me, Ronald Woerner, Assistant Professor and Director of Cybersecurity Studies in the University’s College of Information Technology, and Dr. Matthew D. Crosston, Associate Professor, ISIS Program Director – International Security and Intelligence Studies Chair – Political Science.
Please visit http://www.bellevue.edu/cyberwar/ for more information and to register.

Just call me Dr. Cyberlove…

Physcial Security, Security Management

Incident Response – Know what to do when “it” hits

There are four primary responsibilities of security: Prevent, Deter, Detect, and Respond.  We often focus much of our efforts on prevention and detection and neglect deterrence and response.  In today’s post, I want to focus on the latter: how security professionals should respond to incidents and what they need to have in their “toolkit” to be ready when “it” hits the fan.

Be prepared” is the boy scout motto.  It should also be a motto for security.  We never really know when something bad will occur. It’s usually at the worst possible time (see Murphy’s Law and its corollaries). It’s crucial that security professionals are ready for it and know what to do when “it” hits.   The websites linked below provide great resources to help you be prepared for anything that comes your way.  It includes procedures, templates, and forms that you can use in your security program so you are ready.

Security should have plans and checklists ready to use when there’s an incident. This is for both physical and IT incidents. That way they don’t miss any critical element. I’ve also seen that checklists help in these situations to reduce the impact of any emotions that occur in high stress situations.

My second law of incident response is “Don’t Panic, ” which is also the first line in the Hitchhiker’s Guide to the Galaxy. It works for security as well.  It’s important to respond to problems rather than react.  Response is positive while reaction is negative and is often associated with panic.  We react without thinking leading to mistakes. If you are prepared, then your poised to respond in a positive manner.  Think even for a second before you act.  Use your resources and respond.

Albert Einstein sums it up best, ” You can never solve a problem on the level on which it was created.”

Please feel free to comment on your ideas and suggestions to improve incident response.

Human Aspects, Online Safety Tips, Security Education

Happy Safer Internet Day

Tuesday, February 7, 2012 is Safer Internet Day (SID).  It’s an international event organized to promote safer and more responsible use of online technology and mobile phones, especially amongst the younger generation. We have so many netizens who are unaware of the dangers in the new Internet age.  The only solution is constant and consistent education.

Some of the statistics provided  on the website are telling:

  • 26 per cent of children report having a public social networking profile.
  • Children of all ages are lacking digital skills –confidence is often not matched by skill!
  • 12 per cent of European 9-16 year olds say they have been bothered or upset by something on the internet…
  • …however, 56 per cent of parents whose child has received nasty or hurtful messages online are not aware of this.
  • One in eight parents don’t seem to mediate their children’s online activities…
  • …while 56 per cent of parents take positive steps such as suggesting to their children how to behave towards others online.
  • 44 per cent of children think that parental mediation limits what they do online, 11 per cent say it limits their activities a lot.

One aspect that I find fascinating is that this is a global problem.  Kids worldwide are encountering the same problems that we see here in the United States.  Wesites like SaferInternetDay.org and StaySafeOnline.org provide a large amount of useful information to help folks be secure online.  It’s all free and readily available for anyone who wants it.

It’s great to see a worldwide effort like this. I just wonder how we can better spread the word and educate not only our kids, but everyone.

Careers, Security Education

Bellevue University Cybersecurity Skill Valuation Survey

A request for your help:

I would like to ask you for your advice as we develop a new academic program in Cybersecurity.   Here at Bellevue University and the College of Information Technology, we periodically review whether our academic programs are meeting the expectations of students and employers.   As a leader in your business area, we value your views on the skills you would expect of an employee with a Bachelor of Science degree in Cybersecurity.  Conceptually, this would be an employee with a current (or future) role in your organization who would be responsible for various operational aspects of securing your information systems.  Below is a link to a short survey which will record your views about the skills you would expect of such a graduate / employee.    

http://www.surveymonkey.com/s/2SJF76Z

It will be most beneficial if you could complete the survey by Feb 14, 2012.  I sincerely appreciate you taking a few moments to complete the survey and provide us with your valuable advice on this matter as we strive to improve our programs for the benefit of both students and employers. 

We will publish a summary of the results of this survey after its completion.

Cyberwar, Forensics, Security Management

Cyberthreats – Are You Ready?

Within the last week, there have been two articles on major news sources regarding the importance of Cybersecurity in the Information Age.   I’ll summarize them below. These articles demonstrate how everyone needs to have an awareness of cyber threats and the ways to handle them.  We’ve seen a good trend in that Cybersecurity is now (finally!) taking a priority for organizations. Whether it’s protecting from Cyberthreats or responding to Cyber incidents, Companies need a security plan of action. They can no longer hide from Cyber risks, but proactively address them.

ABC News – FBI Director Says Cyberthreat Will Surpass Threat From Terrorists (http://abcnews.go.com/blogs/politics/2012/01/fbi-director-says-cyberthreat-will-surpass-threat-from-terrorists/)

FBI Director Robert Mueller and National Intelligence Director James Clapper testified this week before the Senate Select Committee on Intelligence on Cyberthreats. The threat of economic fraud and espionage from state actors such as Russia and China is a real and growing concern. “We foresee a cyber-environment in which emerging technologies are developed and implemented before security responses can be put in place,” Clapper said. The article lists many of the complex computer breaches that highlight the wide array of threats the officials were testifying about.

 

 USA Today – Want CSI without the blood? Investigate computer forensics                                                                                    

The Television show CSI and its spin-offs has greatly enhanced the profile of forensics practices. Of course, it’s not as easy as it looks on TV. Computer forensics is a skilled discipline that takes years of practice to perfect to ensure all evidence is properly obtained and secured. Today, there’s a huge need as most investigations involve some aspect of information technology. 

This article in USA Today discusses the increasing prevalence of computer forensics in law enforcement and investigations. It quotes that “Bureau of Labor Statistics estimates computer forensics jobs are expected to grow more than 13 percent in the next several years.”  The growth isn’t limited to only computer forensics, but all aspects of Cybersecurity.  The National Security Agency has plans to hire 3,000 specialists to combat the thousands of cyberattacks every day in the United States, while the Department of Homeland Security is hiring about 1,000 more Cybersecurity specialists

These articles show that a new warfront is cyberspace. As a nation, individuals and organizations need to step up their cyber protections and be ready when cyber attacks occur.

We will discuss this and many other aspects of Cyberwar in our webinar / live debate on Wednesday, February 22nd.  See http://www.bellevue.edu/cyberwar/ for details and to register.

Online Safety Tips, Security Education

Staying off of the suspect list

Often, we’re our own worst enemy.  We do things that make us a likely target for blame.  In other words, we’re on the suspect list.  We receive the blame when something goes wrong because of our actions or the access we maintain.

The idea is to keep yourself and other off of that list.  First of all, it disrupts the investigation in finding the true source of the problem.  Second, it causes others to distrust those on the suspect list, even if their innocent.  The best way to prove innocence is to have a clear name from the onset.

Often security professionals and IT managers have access to many systems, applications, or facilities. They believe it’s required because of their position or responsibility.  The problem is that having access puts them on the suspect list.  Many times I’ve been accused when there were network issues.  “Were you running one of your security scans again?” was a common statement aimed at me just because I had the ability to run scans, not that I did.

Often other activities may add us to the “suspect list”, such as browsing the Internet, transferring documents from home to work and vice versa, clicking on links in email, or installing freeware or shareware applications on a work computer. While they’re not bad in and of themselves, these actions do have potentially dangerous consequences.

Here are five things you need to do to keep yourself off of the suspect list:

  • Limit your access.  This is the concept of least privilege.  If you don’t need it or don’t use it every day, disable or delete your access to it.
  • Only use administrator privileges when you administer the system.  If you’re always logged as an admin, then you’re just asking for trouble.
  • Freeware isn’t always free and shareware may mean your sharing more than the program.  Finding programs on the Internet may save money in the short run, but they occasionally contain hidden malware than can take down your system.
  • Think before you click.  Be aware of where you go on the Internet.
  • Keep your secrets secret.  If you allow others to use your login id or badge, then that person is you and you’ll be on the suspect list if something goes wrong. Badges and passwords are like gum, it’s not cool to share once used. 

Security’s objective is to keep people off of the suspect list.  We know that the great majority of our work force wants to do what’s right.  We want to help you.  Like the police, our objective isn’t to get you into trouble, but to keep you out of trouble.  Consider what you should do to keep yourself and others off the suspect list.  It will make your life much easier.

Security Management

Ten Years of Trustworthy Computing

I have to admit it, I’m proud of Microsoft.  After taking a beating for many years, Microsoft has gotten security right.  It’s embedded in their development lifecycle and their update strategy has become a de facto standard.  Many companies now provide regular patches and have made it easy for end users to ensure their applications are up-to-date.

Ten years ago on January 15, 2002, Bill Gates released a historical memo announcing the new strategy of “Trustworthy Computing.” This required security to be a priority and that secure practices be embedded throughout the development and maintenance of their products.  This started a history of openness for Microsoft on many security initiatives. You can view the history of Trustworthy Computing at http://www.microsoft.com/about/twc/en/us/history.aspx.

Even though they don’t share their source code, they do share many other things such as their Security Development Lifecycle.  This is the process for assuring that security is considered as an application is being developed.  Microsoft requires their developers follow this process and understand the concepts of developing secure products.  In my opinion, all development efforts should have this requirement, but it seems that it continues to be lacking.

Also part of the Trustworthy computing initiative started ten years ago is Microsoft’s update strategy. Initially, patches were released as they were ready. That caused problems for systems administrators, so Microsoft decided to roll out patches once a month on the second Tuesday.  That practice continues today.  To ensure there are no surprises, Microsoft even provides advanced notification a week before, which provides a high-level overview of what to expect.  The Microsoft Security Bulletins page (http://technet.microsoft.com/en-us/security/bulletin) shows current and past updates.

Microsoft, you’ve come a long way baby.  You are a leader who has taken their role seriously and provided many good products, resources, and references. You continue to live and breathe Trustworthy Computing.  I just hope you can keep it up.

References:

Online Safety Tips, Security Education, Security Management

2012 Webinar Announcement

2012 – The Year of Online Protection

2011 was the year of the breach.  2012 should be the year was get security right and start protecting ourselves, communities, organizations and families online.

To help kick-off the New Year, I’m hosting an online seminar titled, “Protecting yourself and your company from the evils of the internet in 2012.”  It is scheduled for Wednesday, January 25 1-2 p.m. CST and you can see it freely online, once you register.

From our Seminars and Outreach page:

Ron Woerner, Director of Bellevue University’s Master of Science in Cybersecurity program, will discuss the perils of the Internet, how hackers can take over your computer and how they access your private information. It’s not all doom and gloom, though. Woerner will suggest ways to protect yourself and your company in 2012. Come to this online presentation with your questions on online safety and security. You will have the opportunity to participate in a live question and answer session with Woerner following the presentation.

It’s going to be more than just your typical & basic keep yourself safe online talk.  I will be providing detailed tips, tricks, and techniques to keep 2012 from being another Year of The Breach. It will end with a chance for you to ask your questions about online protection to help you focus your security activities in 2012.

Please join in the conversation if you want to learn more about online safety, hear about our Cybersecurity programs, or are just looking for certification credits.

To learn more and register for the event, go here: http://www.bellevue.edu/cybersecurity/.

Concepts, Research

The Turning of a Year

HAPPY 2012 to All!

The end of one year and the start of another is a good time to both reflect and plan.  We should look back a little at what happened in the past year and use that to look ahead into the new one.  To paraphrase the famous quote by George Santayana, “Those who don’t learn from the past are doomed to repeat it.” 

In many ways, 2011 was a booming year for the Cybersecurity industry.  Many organizations realized the need for better security practices and tools.  Unfortunately, this was due to the multiple breaches.   According to the Privacy Rights Clearinghouse (PRC), there were 535 breaches during 2011, involving 30.4 million records containing sensitive information.   (See the full story here: https://www.privacyrights.org/top-data-breach-list-2011.)  Jim Lewis, a co-blogger on this site, posted a short list of major events from 2011 with his post Major cyber security events of 2011.  

My list is similar, but takes a different perspective:

  • Sony PlayStation Network (SPN) – Sony disclosed in April an external intrusion where the thieves stole millions of online IDs and passwords and gained access to account holders credit cards.  A concise history of the Sony hacks can be found here.
  • Epsilon, an email service provider for other companies reported the largest security breach ever with at least 60 million names and email addresses compromised.
  • The group Anonymous seemed to have their way on any system.  While they didn’t cause massive breaches, they did show how most organizations (like the BART subway system) are vulnerable to attack.  It forces the question, is anyone safe?
  • Sutter Physicians Services, HealthNet, & TriCare/SAIC.  I’ve combined these breaches of medical systems, although they each have their own story and lessons to be learned. These show how having lax policies for many years are now leading to breaches of sensitive medical information.  Despite the HIPAA security rules, our personal medical information continues to be vulnerable. For some it’s cheaper to risk paying fines than it is to secure the data.

As we move into 2012, we need to reflect on these breaches and their root causes. Here are some of my thoughts on their lessons learned:

  • Approximately 30% of users reuse passwords across Internet sites.  If a thief discovers one password (like at SPN), then it can be used at many others. We need to educate our users to have different passwords, especially for sites containing their sensitive information.  Better yet, we need to encourage the use of tokens or other forms of multi-factor authentication.
  • It may seem innocuous when our names and email addresses are disclosed, but that can open us up to spear phishing attacks. This is when a criminal directly focuses fraudulent email at us to try to deceive us into disclosing more personal information.  The end result is identity theft.  There are two things to remember: (1) protect your name and email and (2) be on the look-out for any type of phishing attack.  If you’re unsure about a text, tweet, or email, contact the sender offline (telephone if possible) to confirm the message.
  • Policies and laws are in place, but are not consistently followed.  There are often no repercussions for failure to follow the policies and procedures to protect our personal information.  Compliance and governance would solve this issue for many organizations and could help prevent future breaches.

In 2012, we’ll continue to see the move to anytime, anyplace computing as more people move to smartphones and tablets for their basic business. Data will continue to be pervasive as more people trust cloud services.  It provides great convenience, but at what cost?  Diligence will continue to be the key for both individuals and organizations. If you can develop and keep a security mindset, it may save you many headaches in both 2012 and years to come.

What do you think will happen in 2012?     

Have a happy, safe, and secure 2012.