Nida Tahir – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

Businesses ill-prepared to combat cyber attacks
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/businesses-ill-prepared-to-combat-cyber-attacks/
Sun, 12 Jun 2011 09:37:43 +0000

Reports of data breaches at big companies such as Sony and Epsilon are regularly in the headlines these days; it makes one wonder just how safe businesses are against the threat of cyber attacks.

An alarmingly large number, about 71 percent, of security professionals think their companies are “not equipped to protect itself against cyber attacks,” according to a study by Narus Inc., a firm which provides security and traffic management software solutions.

“Decision makers or security managers don’t believe they have adequate controls,” said Mike Lee, senior product marketing manager for Websense, an Internet security firm. “It’s a pretty common theme among most of the customers that we talk to. The fundamental reason for this is that a lot of companies have invested today in very basic security controls that protect against sort of very low level, static, known threats. By and large, the landscape has changed significantly and is much more complex than the sort of very static solutions they are prepared to deal with.”

According to the Narus survey, in the past two years 96 percent of security professionals have seen a growing sophistication in cyber attacks, and “many of the newer sophisticated attacks are non signature based or of the nature of advanced persistent.”

Lee explains that advanced persistent threats are very complex threats, often used by either very well-funded criminal organizations or nation states, to go after specific organizations with custom-designed attacks.

“These threats use multiple attack vectors, that very often target zero day vulnerabilities and that take place over a long period of time,” he added.

“Zero day vulnerabilities” are by definition not covered by existing antivirus solutions. Because most companies rely only on baseline protections such as antivirus software, they fall victim to such attacks easily.

Another misplaced notion, which has hampered adoption of security controls by businesses, is the expectation that service providers should provide this protection.

Almost 74 percent of professionals feel this way due to “resource constraints” faced by their organizations and “scarcity of skill sets for security analysts,” according to the Narus survey.

However, Lee argues that a growing number of cyber threats are custom designed and there is no generic technology that a service provider can provide to protect an organization against such an attack.

“They are much better set up to provide baseline controls for mainstream threats,” he added.

The data breach at Epsilon, which exposed personal information of millions of customers, fits the description of an advanced persistent attack, according to Lee. Another example of a high profile cyber attack was the one against Sony, which compromised credit card numbers of customers and resulted in financial damages of more than $171 million.

But it’s not only big businesses that are at risk. The FCC warns that small businesses are increasingly becoming targets of cyber attacks.

“American small businesses lose billions to cyber attacks annually and 74 percent of small and medium businesses report being affected by cyber attacks in the past 12 months. The average cost of these attacks for business, per incident, was $188,242,” according to a press release by the FCC.


During a conference organized by the FCC, Maurice Jones, CEO of Parkinson construction company, said cyber criminals stole $92,000 from his company accounts.


“This is a real problem for small business owners and unfortunately, I learned the hard way,” said Jones at the conference, according to the FCC press release. “But there are relatively simple strategies and steps that small business owners can take to protect their profits – and their customers.”


The FCC released a cyber security tip sheet for small businesses that includes such basic protections as providing firewall security for your internet connection; installing, using and regularly updating antivirus and antispyware software; limiting employee access to data and information; and training employees in security principles.


However, Lee argues that businesses should also focus on more sophisticated protections.


Lee’s three-pronged solution for businesses revolves around “implementing solutions that don’t rely on known attack signatures”, “incorporating data and data protection as part of the attack prevention mix” and “getting various pieces of security infrastructure to work together.”

War on “cyber terror”: The next battlefield
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/war-on-cyber-terror-the-next-battlefield/
Sun, 12 Jun 2011 09:32:53 +0000

The Pentagon is drafting a formal strategy that will categorize certain cyber attacks as acts of war – allowing the U.S. to use military force in retaliation for such attacks, according to a Wall Street Journal article. Security experts, however, argue that clear origins of a cyber attack are next to impossible to find.

The WSJ article quoted an unnamed military official saying, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

Cyber attacks vary in nature, ranging from phishing and hacking attempts to the use of malicious software. But most of these attacks fall under the category of cyber crime or cyber espionage. So what sort of cyber attack would constitute an act of war?

“An act of cyber war could be considered one where an actor perpetrates a cyber attack against critical infrastructure systems or national assets in such a way that the effect of the attack causes physical harm, damage, or violence,” said Joseph Giordano, director of the cyber security program at Utica College, in an email. “Severe effects against the economy can also be considered an act of cyber war.”

Severe harm caused by an attack on the nation’s critical infrastructures like the electric power grid, the chemical sector, oil and gas, water supply and transportation, could trigger a military response, according to Giordano.

Under this strategy, the U.S. could use military force to retaliate against a foreign nation it believes has perpetrated a cyber war against it. This might seem like a disproportionate use of force, but Catherine Lotrionte, adjunct professor of law at the Institute of International Law and Politics, Georgetown University, says it is justified under international law.

“The right of self defense and use of force are not limited by what kind of weapon is used and it is not limited necessarily to kinetic vs. cyber,” said Lotrionte in a phone interview. “What it is often constrained by is the effects of the actual initiation of the use of force.”

This is known as equivalence in international law. If a cyber attack causes a similar amount of damage and loss of life as a physical attack would, then the right of self defense could be invoked and a military response undertaken, according to Lotrionte.

But one of the biggest challenges in justifying a military action against cyber attacks is the problem of “attribution.”

In such cases it is almost impossible to accurately determine where the attack originated from and who was behind it.

“In the realm of the Internet (cyber realm), you will fail miserably if you think that you can pinpoint an opponent via an IP address or even collection of addresses, a signature, a comment in an application and so forth,” wrote J. Oquendo, a security expert, in his blog.

Oquendo argues that an attacker can easily hide in cyber space.

“With millions of vulnerable machines worldwide, an attacker can launch an attack from anywhere with almost no attribution. This makes any analysis pretty much useless for the most part, wasted resources,” he wrote.

Giordano agrees: “smart and sophisticated hackers know how to easily obscure the origin of their attack even making it appear as if the attack is coming from a totally different point of origin.”

However, Lotrionte argues that, because of the difficulty with attribution, states should be able “to work under less than perfect certainty” on where the attack originated from and who is responsible.

“You might not know the original point, but you might know one of the intermediary points. So there is a state and you could track it back to this server which compromised our systems in a foreign nation, then you at least go to that point and hold that state responsible,” said Lotrionte.

Furthermore, she argues that even if the attacker is a non-state actor, the state is responsible for controlling its sovereign territories and could be held accountable.

“The norm of state responsibility will become very important in cyber,” she added.

But if sophisticated attackers can easily disguise traffic and make an attack look like it’s coming from multiple countries – how many unknowing countries will be held accountable for an act that could be perpetrated by non-state actors? And would this strategy lead to unjust wars and wasted resources? Possibly.

How safe are the clouds?
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/how-safe-are-the-clouds/
Sun, 12 Jun 2011 09:25:30 +0000

Cloud computing is all the rage these days. It’s being hailed as a breakthrough technology that will revolutionize the IT landscape and the way we use the Internet: we won’t be restricted to one device or machine – all our data will be in off-site data centers and we can access it from just about anywhere.

Sounds great but also risky! Concerns have been raised about data security in cloud computing. However, experts defend cloud computing, saying it is not riskier than network computing and businesses might even reduce security risks by using a cloud provider.

“I don’t think that inherently cloud computing represents any more risky application or data environment than for example on-premise applications and data,” said Mike Lee, a security analyst with Websense, an Internet security firm. “It’s a new environment that organizations need to think about a little bit differently and make sure that they are able to extend the same level of control in the cloud that they have on premise.”

So how does cloud computing work? It is a type of Internet-based computing where services are provided to Internet users on an on-demand basis. Now we don’t need to have our own computers. We just need some sort of dumb terminal, and by subscribing to a cloud-based service we can get all the computational power we need and store all our data and applications in an off-site data center, according to Bhavani Thuraisingham, director of the Cyber Security Research Center at the University of Texas, Dallas.

But with this new technology came new risks and challenges.

“There are a range of security issues associated with cloud computing,” said Thuraisingham. “Security in the physical networks just involves securing the network. But with the clouds there are more things you are doing than in a physical network. You are not only transferring data but also storing data and applications, so it requires more controls.”

According to a survey by Narus, a growing number of businesses are using cloud technology, because “it enables a more flexible approach for deploying and scaling applications, promising real cost savings and agility to customers.” However, a majority of the survey respondents, about 70 percent, were concerned about the security of the cloud.

Joel Friedman, CEO of SurveyWriter, a web-based software service provider, said cloud computing has been a central model for his business.

“This model does have some inherent security risks over offering individual shrink wrapped software. But the benefits far outweigh the risks. This type of power was not available with traditional software running on individual desktop computers,” he added.

Dennis Hurst, a member of the Cloud Security Alliance, disagrees.

“I don’t think it’s more risky; it depends on the service. There are some cloud providers that are more secure than any company I’ve ever worked with. There are other providers that are not. So it’s very specific to the provider you are using,” said Hurst.

He said the biggest mistake businesses make when signing up with a cloud provider is not assessing their security controls upfront.

“In cloud computing you are trusting an external vendor to provide a certain amount of security. And it may be that service, because of the way it was designed, can’t be secured properly to meet your governance requirements. That’s something you need to look into before you enter the relationship, not afterward,” said Hurst.

According to Hurst, some cloud providers provide better security controls than an individual business could ensure on its own. In such a situation it would be less risky for that business to branch into cloud computing.

Thuraisingham, who is working on a joint project funded by the U.S. Air Force, said the cloud computing paradigm, which came in late 2006 with Amazon opening its Elastic Compute Cloud service, has progressed tremendously.

Recently, Apple announced it will launch iCloud, a service that allows users to put all their personal data in a cloud and then synchronize it across all of their devices.

However, the outage of Amazon’s cloud-based Web services in April – which brought down web sites and services of many businesses for days – sparked debate about the riskiness of cloud computing.

Thuraisingham foresees newer and more sophisticated technologies coming into cloud computing and, with that, newer security challenges.

“I don’t think we will ever have a hundred percent secure cloud just like we will never have a hundred percent secure physical network,” she added.

However, she feels there is no going back. Cloud computing is the future and, just like any other system, it needs continuous work to ensure its security.

Data Mining and Cyber Security
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/06/12/data-mining-and-cyber-security/
Sun, 12 Jun 2011 09:20:48 +0000

Data mining can be a useful tool in tracking down cyber gangs, but its usefulness in proactively guarding against cyber threats is doubtful.

“Where there is lots and lots of data, which you have to analyze and sift through, then you can use data mining to uncover patterns,” said Bhavani Thuraisingham, director of the Cyber Security Research Center at the University of Texas, Dallas.

New research shows that data mining could be used to track down large-scale criminal activities on the web.

Researchers from Indiana University at Bloomington and the Oak Ridge National Laboratory gathered data from various places and found several network providers that had very high concentrations of malicious activity. Eastern Europe and the Middle East are a few places where this pattern was extremely pronounced.

Data mining to identify malicious activity can “unearth networks harboring cyber criminals”, and it might be an easy and efficient way to hunt down cyber crooks. However, there is a problem with data mining – it is not one hundred percent accurate.

Because data mining can give “false positives” and “false negatives”, it has to be used with caution, according to Thuraisingham.

However, Thuraisingham feels data mining can play an effective role in malware detection.

“We can apply it to lots of applications in cyber security like auditing, accountability, intrusion detection,” she added.

Mike Lee, an analyst with Websense, an Internet security firm, feels data mining is more of a “post threat tactic” than something that can prevent an attack in real time.

“So let’s say you have fallen victim to an attack and you are trying to figure out what happened. That’s where logging of everything that happens on your network and then after the fact mining that data can play a very important role to understand what was the source of the attack, what data was affected, where did the data go,” said Lee.

Another issue with data mining in cyber space is potential loss of confidentiality, akin to a loss of privacy as a result of data mining in the real world.

“For data mining we have to gather a lot of information about all the processes in a machine to determine whether they are malicious or not. By monitoring all of these processes sometimes some good benign processes that are doing some highly confidential work will also be monitored and information about it gathered, which we shouldn’t be doing,” said Thuraisingham.

However, she argues that data mining can play an increasingly important role in ensuring cyber security, as new capabilities are built into the existing data mining techniques.

Since antivirus and anti-malware tools use known patterns or signatures to identify a virus or a piece of malware as a threat, a new threat with an unknown pattern might go undetected. With newer data mining techniques the behavior of these threats could be analyzed, instead of just their patterns, in order to identify them as malicious.

The State of Cybersecurity in the U.S.
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/05/30/the-state-of-cybersecurity-in-the-u-s/
Mon, 30 May 2011 23:22:17 +0000

Joseph Giordano, director of the cybersecurity program at Utica College, discusses the state of cybersecurity in the U.S. Prior to joining the faculty, Giordano served as a program manager for the Information Directorate of the U.S. Air Force Research Laboratory. He is known nationally in the area of information and computer security.

Q- What do you see as the most pressing national security issues in the field of cybersecurity today?

Protecting the systems that are involved in our critical infrastructures is at the top of the list. Included in these systems are those that are involved in the financial sector, the power grid, and the oil and gas sector, amongst others. These systems are synonymous with our way of life and are essential to our economy and our national security posture. In addition, protecting the systems that are used in the military and in the Intelligence Community is of paramount importance.

Another area of importance for cybersecurity deals with coming up with ways to make sure that the cloud infrastructure is secure. The movement to the cloud model of computing comes with numerous cybersecurity challenges that need to be addressed. Addressing the cybersecurity issues associated with supply chains is a very important national security issue and is an enormous challenge.

Finally, we need to address the rash of data breaches that we continuously read about. Not only is valuable personal information being lost to these breaches but each data breach situation is costing millions of dollars.

Q- How vulnerable is the electric grid to cybersecurity threats?

The electric grid is one of the most critical infrastructures. Without power, the economy and the security of the nation will be adversely affected. From what one can read in the open source literature, the electric grid has been a target for some time. About two years ago there was an article in TIME magazine that reported that malware was found in the power grid. The other infrastructures have deep inter-dependencies based upon the power grid. A recent report by McAfee and the Center for Strategic and International Studies states that the power sector needs to do more in the area of cybersecurity.

Also, we need to make sure that cybersecurity is an integral part of the emerging Smart Grid. Cybersecurity for the Smart Grid (as with any system) needs to be thought about early and built into the system as early as possible. This is because it is a known fact that it is very difficult to address cybersecurity as an afterthought or to build security into a system after it has been built and fielded.

Q- How real is the threat of cyberwarfare?

There is no doubt that there is a threat out there and that the threat is very serious and very real. We face that threat every day of the week. From the standpoint of the countries that have capabilities to launch cyberattacks, they are very serious about it.

Q- Would you give an example?

Over the past few years North Korea has perpetrated cyberattacks against both South Korea and the United States. I think one of the most significant events that we have seen recently occurred during the 2008 conflict between Russia and Georgia. This conflict was an excellent worked example of what cyberwarfare techniques are capable of doing when combined with a physical attack. And most recently we have heard of Stuxnet and what it was capable of doing in the domain of industrial control systems. Stuxnet was an example of how cyber techniques can create effects in the physical world. I think that we have seen just the tip of the iceberg.

Q- What could be done to safeguard critical infrastructures against cyberattacks?

Make sure you have good security policies in place, bring in the best technology, use firewalls, and have intrusion detection and prevention systems in place. Proper use of encryption is critical. Use security technology properly and build good (assured) software that doesn’t have vulnerabilities and holes in it. And underneath all of this security education, training and awareness for users is a necessity, because a human is usually the weakest link in the chain. Finally, it goes without saying that we need more trained cybersecurity specialists.

Q- Do you think our state and local governments are prepared to combat cybersecurity threats?

I believe that all the states have some degree of preparation when it comes to defending against cyber attacks and for dealing with critical infrastructure protection and homeland security. It’s a matter of having the funds and having the expertise. As we all know, cybersecurity is a very complex problem and I think that the state governments are doing a great job getting their arms around the problem and putting together programs and initiatives to deal with the problem.

Q- Overall is there anything in the cybersecurity area that is not being looked at?

I would say more funding for research and development is needed, because R&D is where you are going to see those breakthroughs, and we need breakthroughs in the area of cybersecurity. In addition, much more needs to be done to educate users on what cybersecurity means and how to keep systems secure.

Cybercrime goes social
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/05/28/cybercrime-goes-social/
Sat, 28 May 2011 22:48:04 +0000

We upload our pictures, our videos and post intimate details about our lives here. We reach out to friends and family here. And this very place is becoming a hotbed for cybercrime.

Social networking sites will be the focus of cybercriminals in 2011, according to the annual threat predictions report by McAfee, a computer security company.

A Facebook group warns users about scams prevalent on the social networking site.


“We are seeing a pretty big increase in the number of malicious type attacks using social networking as a medium to spread,” said Patrik Runald, senior manager of security research at Websense, an Internet security research firm.

Most cyberthreats are seen on Facebook and Twitter, the two most popular social networking sites, according to Runald. Cybercriminals use social engineering on these sites to bait unsuspecting users. Facebook messages that appear to be from a friend might in fact be a cybercriminal tricking people into disclosing personal information or sending money.

Ezra Semble, a 20-year-old Northwestern University student, knows what it feels like to be duped on Facebook.

“Someone chatted with me on Facebook and said I can’t believe you have this video. I clicked on it and it was a random page, and out of nowhere everyone on my chat got a message from me for that video. Later, Facebook told me that someone had logged into my account from some weird location and reset my password,” he said.

Among the many social networking tricks and scams, “malicious links, phony friend requests and phishing attempts” have become the prevalent form of cybercrime, according to the report “A Good Decade for Cybercrime” by McAfee.

“Phishing is like a spam message. It’s some kind of an email or fake log in attempt,” explains Josiah Matlack, who works for an IT organization and studies computer science at Northwestern University.

“They will try to present a convincing log in screen, like the page on Facebook. The page isn’t owned by Facebook, it goes to some external server so when you log in they get your log in password. Since people use the same password across many different sites they can do a guess and check thing across different sites like gmail, PayPal, and eBay and get your information,” Matlack added.

Cybercriminals are becoming more adept at scamming people. In the U.S., cybercrime complaints increased more than 22 percent from 2008 to 2009 and the monetary loss due to cybercrime more than doubled from $265 million to $560 million, according to a report by the Internet Crime Complaint Center.

While advances in technology are helping these tech-savvy crooks, another reason for the rise in cybercrime is the cybercriminals’ ability to understand and manipulate users’ psychology.

“Cybercriminals are becoming more in tune with what the general public is passionate about from a technology perspective and using it to lure unsuspecting victims,” said Mike Gallagher, senior vice president and chief technology officer of Global Threat Intelligence for McAfee, in a statement.

Future attacks on social networking sites will become more and more personalized, as users continue to put a wealth of personal information online. These cyber attacks will range from large-scale financial scams and “serious real world crimes” to less severe hacking attempts, according to the McAfee report.

Cybercriminals can post tweets on hot topics that direct users to dangerous websites, which can steal the unsuspecting user’s credit card information. Foursquare and other location-based services can be tapped into by crooks to find out a user’s current location; coupled with information about the user’s physical address, this can lead to “serious real world crimes, like robbery.”

One very basic precaution users can take is to check whether the address a link points to matches the real site’s address, according to Matlack.

“If it’s Facebook it should say facebook.com. If it doesn’t then it’s a phishing attempt,” he added.

Internet Kill Switch: “A control in search of a risk”
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/05/09/internet-kill-switcha-control-in-search-of-a-risk/
Mon, 09 May 2011 14:07:20 +0000

Proposed legislation giving the President power to shut down parts of the Internet in a national emergency is often described as an Internet “Kill Switch”.

Proponents of this bill believe it would secure critical infrastructure systems against catastrophic cyber attacks, but some information security experts argue the measure is short-sighted and unlikely to work.

Senator Joseph Lieberman (left) introduced Protecting Cyberspace as a National Asset Act of 2010 in June last year. (DoD photo by Mass Communication Specialist 1st Class Chad J. McNeeley/Creative Commons)

Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.) introduced the Protecting Cyberspace as a National Asset Act of 2010 in June last year. It immediately came under fire for giving the President an overreaching power to shut down the Internet and halt all communication.

But Leslie Phillips, spokeswoman for the Senate Homeland Security committee, said in an email that it is impossible to shut down the Internet completely, and “the legislation proposed contains nothing that would allow the federal government to do so.”

The emergency measures proposed in the legislation are directed only at critical infrastructure systems – “systems which if attacked or disrupted could cause mass casualties, evacuations, and economic damage,” according to Phillips.

“We are talking about the electric grid, energy supply lines, telecommunications, financial networks, water systems, etc,” she added.

According to Paul Rohmeyer, an information security expert, proponents of a controlled or limited shut-down measure show a lack of understanding of how the Internet works and of its distributed nature.

Rohmeyer believes that the capability for “intelligent isolation”, or shutting down parts of the Internet without disrupting the whole system, might be developed in the future but does not exist today.

“If someone were today to make a proclamation to shut services to particular groups of companies, I’m not quite sure how we can actually do it simply because of the diversity in connection points and paths and the fact that these networks are largely global entities now, most organizations have multiple access points to the Internet,” Rohmeyer said.

Bruce Schneier, another information security expert, commented in an article that building a selective shutdown capability would result in a huge “security vulnerability.”

“We would make the job of any would-be terrorist intent on bringing down the Internet much easier. Any actual shutdown would be far more likely to be a result of an unfortunate error or a malicious hacker than of a presidential order,” Schneier wrote.

Even if a workable Internet “Kill Switch” were developed in the future, the risks of shutting down parts of the Internet are too great.

In this day and age, the Internet has become an important “means of production for many industries” and shutting down parts of the Internet would result in massive economic losses to businesses, according to Rohmeyer.

“We are in an era of increasing globalization, by stopping communications at any point we will disrupt the ability for U.S. companies to serve the global markets and we will similarly disrupt global organizations from serving us,” he added.

But scenarios could be envisioned when public interests trump set-backs to private entities, and when security concerns far outweigh economic considerations.

In theory, an enemy state could use a malicious worm like the Stuxnet worm, which was used to disable Iranian nuclear reactors, and launch a cyber attack against U.S. nuclear facilities.

The threat of “cyber war is not science fiction”; in fact it’s an everyday occurrence, according to Phillips.

However, Rohmeyer argues that these are “theorized cyber threats” and the legislation gives “ambiguous description of so-called catastrophic events.”

“This is a control in search of a risk,” Rohmeyer said. “I don’t believe, based on public information, that we as a nation have faced anything that would rise to the level of things being blunted or the impact decreased if such powers were in the hands of the federal government.”

The legislation, as it stands now, fails to provide a convincing argument for giving the President such overreaching power. Moreover, little consideration has been given to the workability of a kill switch and its potential risks.

Both Rohmeyer and Schneier stress the need for implementing alternative security measures to an Internet “Kill Switch.”

“I don’t think we should be viewing things in this sort of ‘on or off’ switch mentality. Certainly we can identify alternative controls or response mechanisms to the identified threats other than shutting off service,” said Rohmeyer.

Schneier agrees. “Just implementing the capability would be very expensive; I would rather see that money going toward securing our nation’s critical infrastructure from attack,” he wrote.

White House Proposes DHS Control Civilian Cyber Networks
http://nationalsecurityzone.medill.northwestern.edu/blog/2011/05/03/white-house-proposes-dhs-control-civilian-cyber-networks/
Tue, 03 May 2011 14:39:10 +0000

The White House is circulating a proposal that will give the Department of Homeland Security broad oversight over cyber security at civilian agency networks, according to a Federal News Radio report.

This piece of draft legislation will also give DHS authority over networks with the .gov designation, which is similar to the authority exercised by the Defense Department over military networks, according to the report.

The bill would bring together legislative proposals by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), as well as the Office of Management and Budget’s memo from July 2010.

The combined Lieberman, Collins and Carper proposals would establish a National Center for Cybersecurity and Communications within DHS.

Collins said the legislation would make DHS a strong partner in the process of securing agency networks, but the White House will be the central point for all cyber security across the government, according to the Federal News Radio report.

But is it necessary to expand DHS’s authority over civilian networks?

“I think that somebody needs to coordinate the government’s response, and I think DHS is the only person who can do it,” said Paul Rosenzweig, former deputy assistant secretary for policy in the Department of Homeland Security and a Carnegie visiting fellow with Medill’s national security journalism initiative.

“If you don’t do this, essentially all of our civilian agencies will remain very vulnerable and that’s not a good thing,” he added.

The National Center for Cybersecurity and Communications would use the resources of the DHS for day-to-day operations, according to the Federal News Radio report.

This raises another question: does the DHS have the resources and the capability to maintain far-reaching oversight over civilian networks and government domains?

“Clearly if they get more authority they are going to need more budget as well; they are also going to need more staff,” said Rosenzweig. “I don’t think it’s a problem for them to have authority over the .gov domain; in fact, I think it is better that a civilian agency do that than any military agency.”

Michelle Richardson, legislative counsel for the American Civil Liberties Union, said the primary legislation drafted by Sens. Lieberman and Collins gives the government too much authority.

The proposals by Sens. Lieberman and Collins have been criticized for giving the President a “kill switch” that would shut down the Internet in an emergency.

Richardson hopes the final bill approved by the White House would be more “measured.” She also stressed the need to ensure civil liberties and privacy protection under the bill.

“There is nothing per se hairy about DHS getting involved with civilian cyber security efforts; the question is how they will do this,” said Richardson. “The goal is to minimize the government’s intrusion into everyday and innocent activities. We want them to focus on actual cyber security threats; we don’t want them to use their authority to collect information on people who aren’t doing anything wrong or to interfere with people’s access to the information or using the internet to communicate.”

Richardson will be keeping a close eye on the details of the draft legislation.

“We would be looking for a couple of things: one, does it give the government any new authority to interfere with the internet and people’s communication; two, does it allow the government to collect information on people using the internet; and three, what is the use of the information it collects,” she said.

Though the details of the draft bill are sketchy right now, Rosenzweig hopes a comprehensive cyber security bill would “create a formal corporate structure public-private partnership, sort of like the American Red Cross.”

“We have been waiting with great anticipation for the White House to weigh in on the best way to protect the American people from catastrophic cyber attacks. If the White House is on the same path we’re on, the Senate should be able to approve comprehensive cyber security legislation this year,” Lieberman said in a statement to Federal News Radio.
