
People are generally clueless when it comes to cybersecurity

WASHINGTON – The scariness of cyber attacks seems like something straight out of the Twilight Zone. Think about it: The world revolves around computers and personal information can be stolen with one click of a mouse. The problem is that most people do not think about cyber threats.

Dr. Marshini Chetty, an assistant professor of Human-Computer Interaction at the University of Maryland, said that people don’t tend to think about cybersecurity unless they are actually in the industry or in some situation where they have to be aware of security.

“We find that if they haven’t heard about it in some big news story or someone hasn’t informed them that there’s been like a big credit card breach or something like that,” Chetty said, “they aren’t really aware of security on a daily basis.”

Chetty said that the media plays a huge role in raising awareness of cybersecurity issues among the general public. “The more educated the public is, the better it is for everyone,” she said.

She noted that the U.S. government is taking great measures to educate people about their online safety. Her government-funded research, which focuses on evaluating people’s behaviors when it comes to completing software updates, is required to have a component that makes educational materials available to the public.

Antoinette Isama, a 23-year-old student from Silver Spring, Md., knows that security threats loom. “I definitely take it seriously, even in regards to online shopping. I don’t save my credit card information. I think it should be taken more serious because it’s easier and easier for someone to steal your information.”

Although individuals can take measures to protect themselves from hackers, there is only so much that can be done. “If you’ve entrusted your data to a third party … it’s up to them to make sure their systems are secure,” Chetty said. She warned of a possible cyber attack that could be targeted at the network system of a company that is not properly protected or equipped to handle a large-scale breach, which could possibly put millions of people’s personal data at risk of being stolen.

“Generally when people are not aware of privacy and security issues they can easily get themselves into trouble,” Chetty said, “whether that’s sharing information that they didn’t intend to share or having machines that are not protected.”

According to Chetty, individuals can take steps to keep their personal information safe in cyberspace. Making sure personal machines are always up to date, securing passwords and not staying logged in to public computers are all measures that can be taken to protect against a cyber attack.

Isama said that worrying about cyber attacks is wasting time.

“I don’t [worry] because attempts are already happening. It’s a reality now. Now it’s about being preventative.”


U.S. preparing for cyber wars

WASHINGTON – As the U.S. military prepares its cyber rules of engagement, Congress wants to help identify computer-borne threats by making it legal for companies to share personal data that they collect with the government.

Cyber intrusions are distinct from cyber warfare, which has the larger purpose of crippling key physical or technological infrastructure. Cyber attacks waged as acts of aggression or war could infiltrate computer systems or technological infrastructure, crippling government entities or economies by attacking energy sources or transportation systems.

Cyber warfare could take on different forms. In a Wall Street Journal piece in April, two officials at the Foundation for Defense of Democracies in Washington, D.C., wrote about how an “electronic curtain” in Iran allows the government to engage in electronic repression by controlling what kinds of information the public can send and receive over the Internet. This is just one example of how cyber warfare tactics have the potential to impact hundreds of thousands of citizens, succinctly and swiftly, without inflicting more traditional forms of violent aggression.

Congress has to balance protecting the nation’s infrastructure and citizens with the potential for violating personal rights and privacy in the proposed Cybersecurity Act of 2012. Congress’s aim is to help the U.S. government investigate cyber threats and ensure the security of networks against attacks.

Meanwhile, the military is expected to release its rules of engagement for wars fought via the Internet. The rules will outline how the U.S. will define a cyber attack as an act of war or aggression against the state, and the appropriate response.

In addressing what a military response to cyber warfare could look like, the military is navigating uncharted territory. The rules will also define when the military can engage in defensive activities against online adversaries. Can U.S. forces “shoot” back with weapons when an attacker sends a massive computer virus, or can troops only respond with a similar use of force? What if you can’t definitively identify the enemy? These are some of the complications of identifying and defending against vague threats online.

The potential outcomes and impacts of cyber warfare could look different than those seen in traditional warfare. Most citizens, save for the extraordinarily security conscious, leave a data footprint of their lives that, under the proposal, might be made available to the government for the purposes of identifying, preparing for and containing threats.

Citizen watchdog organizations including the American Civil Liberties Union and The American Association of Practicing Psychiatrists said in a recent letter that the act would allow too much sharing of individual data, and the groups have proposed amendments to the bill that they say would help to protect civil liberties—things like giving customers effective legal recourse for violations of what little privacy protections the bill offers.

It seems inevitable that American citizens will lose some personal freedoms relating to rights to their e-information; the question is how much personal information the government needs to protect the nation from online warfare.


Businesses ill-prepared to combat cyber attacks

Reports of data breaches at big companies such as Sony and Epsilon are regularly in the headlines these days; it makes one wonder just how safe businesses are against the threat of cyber attacks.

An alarmingly large number, about 71 percent, of security professionals think their companies are “not equipped to protect itself against cyber attacks,” according to a study by Narus Inc., a firm which provides security and traffic management software solutions.

“Decision makers or security managers don’t believe they have adequate controls,” said Mike Lee, senior product marketing manager for Websense, an Internet security firm. “It’s a pretty common theme among most of the customers that we talk to. The fundamental reason for this is that a lot of companies have invested today in very basic security controls that protect against sort of very low level, static, known threats. By and large, the landscape has changed significantly and is much more complex than the sort of very static solutions they are prepared to deal with.”

According to the Narus survey, in the past two years 96 percent of security professionals have seen a growing sophistication in cyber attacks, and “many of the newer sophisticated attacks are non signature based or of the nature of advanced persistent.”

Lee explains that advanced persistent threats are very complex threats, often used by either a very well funded criminal organization or nation states, to go after specific organizations with custom designed attacks.

“These threats use multiple attack vectors, that very often target zero day vulnerabilities and that take place over a long period of time,” he added.

“Zero day vulnerabilities” are by definition not covered under existing anti-virus solutions. As most companies rely only on baseline protections like anti-virus software, they fall victim to such attacks easily.

Another misplaced notion, which has hampered adoption of security controls by businesses, is the expectation that service providers should provide this protection.

Almost 74 percent of professionals feel this way due to “resource constraints” faced by their organizations and “scarcity of skill sets for security analysts,” according to the Narus survey.

However, Lee argues that a growing number of cyber threats are custom designed and there is no generic technology that a service provider can provide to protect an organization against such an attack.

“They are much better set up to provide baseline controls for mainstream threats,” he added.

The data breach at Epsilon, which exposed personal information of millions of customers, fits the description of an advanced persistent attack, according to Lee. Another example of a high profile cyber attack was the one against Sony, which compromised credit card numbers of customers and resulted in financial damages of more than $171 million.

But it’s not only big businesses that are at risk. The FCC warns that small businesses are increasingly becoming targets of cyber attacks.

American small businesses lose billions to cyber attacks annually and 74 percent of small and medium businesses report being affected by cyber attacks in the past 12 months. The average cost of these attacks for business, per incident, was $188,242, according to a press release by the FCC.

During a conference organized by the FCC, Maurice Jones, CEO of Parkinson construction company, said cyber criminals stole $92,000 from his company accounts.

“This is a real problem for small business owners and unfortunately, I learned the hard way,” said Jones at the conference, according to the FCC press release. “But there are relatively simple strategies and steps that small business owners can take to protect their profits – and their customers.”

The FCC released a cyber security tip sheet for small businesses that includes such basic protections as providing firewall security for your internet connection; installing, using and regularly updating antivirus and antispyware software; limiting employee access to data and information; and training employees in security principles.

However, Lee argues that businesses should also focus on more sophisticated protections.

Lee’s three-pronged solution for businesses revolves around “implementing solutions that don’t rely on known attack signatures”, “incorporating data and data protection as part of the attack prevention mix” and “getting various pieces of security infrastructure to work together.”

War on “cyber terror”: The next battlefield

The Pentagon is drafting a formal strategy that will categorize certain cyber attacks as acts of war, allowing the U.S. to use military force in retaliation to such attacks, according to a Wall Street Journal article. Security experts, however, argue that clear origins of a cyber attack are next to impossible to find.

The WSJ article quoted an unnamed military official saying, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

Cyber attacks vary in nature, ranging from phishing and hacking attempts to the use of malicious software. But most of these attacks fall under the category of cyber crime or cyber espionage. So what sort of a cyber attack would constitute an act of war?

“An act of cyber war could be considered one where an actor perpetrates a cyber attack against critical infrastructure systems or national assets in such a way that the effect of the attack causes physical harm, damage, or violence,” said Joseph Giordano, director of the cyber security program at Utica College, in an email. “Severe effects against the economy can also be considered an act of cyber war.”

Severe harm caused by an attack on the nation’s critical infrastructures like the electric power grid, the chemical sector, oil and gas, water supply and transportation, could trigger a military response, according to Giordano.

Under this strategy, the U.S. could use military force to retaliate against a foreign nation it believes has perpetrated a cyber war against it. This might seem like disproportionate use of force, but Catherine Lotrionte, adjunct professor of law at the Institute of International Law and Politics, Georgetown University, says it is justified under international law.

“The right of self defense and use of force are not limited by what kind of weapon is used and it is not limited necessarily to kinetic vs. cyber,” said Lotrionte in a phone interview. “What it is often constrained by is the effects of the actual initiation of the use of force.”

This is known as equivalence in international law. If a cyber attack causes a similar amount of damage and loss of life as a physical attack would, then the right of self defense could be invoked and a military response undertaken, according to Lotrionte.

But one of the biggest challenges in justifying a military action against cyber attacks is the problem of “attribution.”

In such cases it is almost impossible to accurately determine where the attack originated from and who was behind it.

“In the realm of the Internet (cyber realm), you will fail miserably if you think that you can pinpoint an opponent via an IP address or even collection of addresses, a signature, a comment in an application and so forth,” wrote J. Oquendo, a security expert, in his blog.

Oquendo argues that an attacker can easily hide in cyber space.

“With millions of vulnerable machines worldwide, an attacker can launch an attack from anywhere with almost no attribution. This makes any analysis pretty much useless for the most part, wasted resources,” he wrote.

Giordano agrees: “Smart and sophisticated hackers know how to easily obscure the origin of their attack even making it appear as if the attack is coming from a totally different point of origin.”

However, Lotrionte argues that, because of the difficulty with attribution, states should be able “to work under less than perfect certainty” on where the attack originated from and who is responsible.

“You might not know the original point, but you might know one of the intermediary points. So there is a state and you could track it back to this server which compromised our systems in a foreign nation, then you at least go to that point and hold that state responsible,” said Lotrionte.

Furthermore, she argues that even if the attacker is a non-state actor, the state is responsible for controlling its sovereign territories and could be held accountable.

“The norm of state responsibility will become very important in cyber,” she added.

But if sophisticated attackers can easily disguise traffic and make an attack look like it’s coming from multiple countries – how many unknowing countries will be held accountable for an act that could be perpetrated by non-state actors? And would this strategy lead to unjust wars and wasted resources? Possibly.

How safe are the clouds?

Cloud computing is all the rage these days. It’s being hailed as a breakthrough technology that will revolutionize the IT landscape and the way we use the Internet: we won’t be restricted to one device or machine – all our data will be in off-site data centers and we can access it from just about anywhere.

Sounds great but also risky! Concerns have been raised about data security in cloud computing. However, experts defend cloud computing, saying it is not riskier than network computing and businesses might even reduce security risks by using a cloud provider.

“I don’t think that inherently cloud computing represents any more risky application or data environment than for example on-premise applications and data,” said Mike Lee, a security analyst with Websense, an Internet security firm. “It’s a new environment that organizations need to think about a little bit differently and make sure that they are able to extend the same level of control in the cloud that they have on premise.”

So how does cloud computing work? It is a type of Internet-based computing where services are provided to Internet users on an on-demand basis. Now we don’t need to have our own computers. We just need some sort of a dumb terminal, and by subscribing to a cloud-based service we can get all the computational power we need and store all our data and applications in an off-site data center, according to Bhavani Thuraisingham, director of the Cyber Security Research Center at the University of Texas Dallas.

But with this new technology came new risks and challenges.

“There are a range of security issues associated with cloud computing,” said Thuraisingham. “Security in the physical networks just involves securing the network. But with the clouds there are more things you are doing than in a physical network. You are not only transferring data but also storing data and applications, so it requires more controls.”

According to a survey by Narus, a growing number of businesses are using cloud technology, because “it enables a more flexible approach for deploying and scaling applications, promising real cost savings and agility to customers.” However, a majority of the survey respondents, about 70 percent, were concerned about the security of the cloud.

Joel Friedman, CEO of SurveyWriter, a web-based software service provider, said cloud computing has been a central model for his business.

“This model does have some inherent security risks over offering individual shrink wrapped software. But the benefits far outweigh the risks. This type of power was not available with traditional software running on individual desktop computers,” he added.

Dennis Hurst, a member of the Cloud Security Alliance, disagrees.

“I don’t think it’s more risky; it depends on the service. There are some cloud providers that are more secure than any company I’ve ever worked with. There are other providers that are not. So it’s very specific to the provider you are using,” said Hurst.

He said the biggest mistake businesses make when signing up with a cloud provider is not assessing their security controls upfront.

“In cloud computing you are trusting an external vendor to provide a certain amount of security. And it may be that service, because of the way it was designed, can’t be secured properly to meet your governance requirements. That’s something you need to look into before you enter the relationship, not afterward,” said Hurst.

According to Hurst, some cloud providers provide better security controls than an individual business could ensure on its own. In such a situation it would be less risky for that business to branch into cloud computing.

Thuraisingham, who is working on a joint project funded by the U.S. Air Force, said the cloud computing paradigm, which came in late 2006 with Amazon opening its Elastic Compute Cloud service, has progressed tremendously.

Recently, Apple announced it will launch iCloud, a service that allows users to put all their personal data in a cloud and then synchronize it across all of their devices.

However, the outage of Amazon’s cloud-based Web services in April, which brought down web sites and services of many businesses for days, sparked debate about the riskiness of cloud computing.

Thuraisingham foresees newer and more sophisticated technologies coming into cloud computing and, with that, newer security challenges.

“I don’t think we will ever have a hundred percent secure cloud just like we will never have a hundred percent secure physical network,” she added.

However, she feels there is no going back. Cloud computing is the future and, just like any other system, continuous work needs to be done in order to ensure its security.

Data Mining and Cyber Security

Data mining can be a useful tool in tracking down cyber gangs, but its usefulness in proactively guarding against cyber threats is doubtful.

“Where there is lots and lots of data, which you have to analyze and sift through, then you can use data mining to uncover patterns,” said Bhavani Thuraisingham, director of the Cyber Security Research Center at the University of Texas, Dallas.

New research shows that data mining could be used to track down large-scale criminal activities on the web.

Researchers from Indiana University at Bloomington and the Oak Ridge National Laboratory gathered data from various places and found several network providers that had very high concentrations of malicious activity. Eastern Europe and the Middle East are a few places where this pattern was extremely pronounced.

Data mining to identify malicious activity can “unearth networks harboring cyber criminals”, and it might be an easy and efficient way to hunt down cyber crooks. However, there is a problem with data mining – it is not one hundred percent accurate.

Because data mining can give “false positives” and “false negatives”, it has to be used with caution, according to Thuraisingham.

However, Thuraisingham feels data mining can play an effective role in malware detection.

“We can apply it to lots of applications in cyber security like auditing, accountability, intrusion detection,” she added.

Mike Lee, an analyst with Websense, an Internet security firm, feels data mining is more of a “post threat tactic” rather than something that can prevent an attack in real time.

“So let’s say you have fallen victim to an attack and you are trying to figure out what happened. That’s where logging of everything that happens on your network and then after the fact mining that data can play a very important role to understand what was the source of the attack, what data was affected, where did the data go,” said Lee.

Another issue with data mining in cyber space is potential loss of confidentiality, akin to a loss of privacy as a result of data mining in the real world.

“For data mining we have to gather a lot of information about all the processes in a machine to determine whether they are malicious or not. By monitoring all of these processes sometimes some good benign processes that are doing some highly confidential work will also be monitored and information about it gathered, which we shouldn’t be doing,” said Thuraisingham.

However, she argues that data mining can play an increasingly important role in ensuring cyber security, as new capabilities are built into the existing data mining techniques.

Since antivirus and anti-malware tools use known patterns or signatures to identify a virus or a piece of malware as a threat, a new threat with an unknown pattern might go undetected. With newer data mining techniques the behavior of these threats could be analyzed, instead of just their patterns, in order to identify them as malicious.

Social networking websites: the next cyber war zone?

WASHINGTON — The Government Accountability Office reported April 12 that federal agencies remain vulnerable to cyber attacks and security breaches because they’ve failed to take the required steps to secure Internet connections and computer systems. Experts say a cyber attack could come from anywhere—an individual American or someone overseas, a terrorist group, or a country. But the number of ways a cyber attack could infiltrate American systems is growing—and the ever-expanding web of social networking sites could prove problematic for national cyber security.

Social networking technologies are creating potential new challenges for government transparency and security. As more agency employees use Twitter, Facebook and similar external sites, officials at all levels of government are reviewing their policies.

Elayne Starkey, chief security officer of Delaware and FOIA coordinator for the state’s Department of Technology and Information, said her organization is cracking down on the problem from the inside.

“Websites like Facebook are blocked from our computers,” Starkey said. “It’s too great a risk and who or what actually gets that information is still quite unknown.”

Starkey said there is a long list of precautions that need to be taken at all levels of government and the private sector to prevent a cyber attack. She said she is working with other groups and agencies in Delaware to raise awareness and educate others on the “very real” dangers that a cyber attack could cause.

“We do a lot of trainings to drill and simulate with other state and federal employees on their IT resources,” said Starkey. “Using the right technical tools is important to have the top level of security we need.”

Among the many things that can help thwart future cyber terror, Starkey said, would be new legislation. She said that the right legislation would take time though. “There is a gap that needs to be filled—but the proper legislation with the proper partners would need a multi-year window.”

“As more people move into the Web 2.0 phase, they become more comfortable with the websites like Facebook and Twitter,” Starkey said. “There is a false sense of security people have once they enter their password. They feel comfortable that they do things they might not have done elsewhere.”

Targeted ads are drawing more clicks by naïve social media users, increasing the potential for scammers and hackers.  “People are much more likely to click some ad that is tailored to them, and then who knows what is behind that ad.”

Starkey said viruses from social networking sites could work in a similar way that an e-mail virus works, sometimes immediately attacking a user’s system, at other times lurking for months before any damage is noticeable.

“That’s why at our offices, those sites are pretty much blocked,” she said.

Patrick Wells, a participant in the U.S. Cyber Challenge, a competition to find individuals who could be future cyber security practitioners and researchers, said he thinks it is unlikely that social networks will become a target of cyber terror.

Wells said the information technology teams at the major social networking sites are more prepared than the government simply because they are individual sites, and as such only have to worry about hardening their own target.

“Government websites are more interconnected, yet with different security systems and levels which allow for overlooked loopholes,” said Wells. “Sites like Facebook, although they have a huge amount of traffic, are more secure.”

Wells said Facebook, for example, was a victim of cyber attacks through its applications, add-ons that could contain games, quizzes or other attractions. Applications are made by outside groups, and in the past anyone could create one. Wells said that was the most common way a hacker could hack through the website. “Now, Facebook has a stronger identification process for those creating applications to prevent that.”

For legal and tracking purposes, there is currently no sound way to archive communication done on social networking sites, Starkey said. “The problem is that agencies don’t know how to archive the many forms of communications made on those popular websites.”

As citizens become increasingly accustomed to accessing more types of communication archives, Starkey says that social network archives will be a logical expectation.

Wells said that he doesn’t foresee social networking sites being a target of cyber terrorists, but more of a jumping off point. “Social networking sites are mainly used for information… as a tool to find an employee of a company, to get as much information about the person, and then hack into their system.”

Wells said the more security measures the better, but that social network users should be careful of every bit of information they list, not just inappropriate pictures.

New leader of FBI Cyber Division

The FBI has named Gordon M. Snow as the new assistant director for its Cyber Division, responsible for protecting the U.S. against cyber-based attacks and other high-technology crimes.

According to a press release on the FBI website, Snow is well credentialed for his new position. He worked in Afghanistan as the FBI’s on-scene commander for counterterrorism in June of 2007 before joining the Cyber Division in January 2008. He was section chief of the cyber division, detailed to the Office of the Director of National Intelligence, National Counterintelligence Executive, where he and his staff led the effort in drafting the government-wide Comprehensive National Cyber Initiative. In January 2009, Snow was appointed chief of the Cyber Division’s Cyber National Security Section and the director of the National Cyber Investigative Joint Task Force, and named deputy assistant director of the Cyber Division that November.

According to the FBI website, the Cyber Division is charged with four objectives:

  • To stop those behind the most serious computer intrusions and the spread of malicious code
  • To identify and thwart online sexual predators who use the Internet to meet and exploit children and to produce, possess, or share child pornography
  • To counteract operations that target U.S. intellectual property, endangering our national security and competitiveness
  • To dismantle national and transnational organized criminal enterprises engaging in Internet fraud

Further reading: FBI cyber investigations section, National Strategy to Secure Cyberspace (PDF).

Homeland Security Science and Technology Authorization Act of 2010

According to a New York Times article, the attacks against Google’s systems last December resulted in the theft of a password system that controls access to its applications and services for millions of users.

The system intrusion and theft raises concerns over the security of “cloud computing,” or using third party services such as Google to store and manage data from corporate email to spreadsheets and other documents. It also illustrates the growing threat of cyber attacks, which has not gone unnoticed by Congress. According to the Homeland Security Newswire, in the coming weeks Congress is holding a confirmation hearing on Army Lt. Gen. Keith Alexander, the new military cyber commander, and markup sessions on bills to fund cybersecurity research and development.

One of the bills, Homeland Security Science and Technology Authorization Act of 2010 (H.R. 4842), deals with funding research and development projects that address such issues as:

  • More secure versions of fundamental Internet protocols and architectures, including domain name systems and routing protocols
  • Technologies for detecting attacks or intrusions
  • Mitigation and recovery methodologies, including techniques to contain attacks and develop resilient networks and systems that degrade gracefully
  • Infrastructure and tools to support cybersecurity R&D efforts, including modeling, testbeds and data sets for assessment of new cybersecurity technologies
  • Technologies to reduce vulnerabilities in process control systems
  • Test, evaluate and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the software development lifecycle
  • Liability that subjects software and system vendors and system operators to potential damages for system breaches
  • Required reporting of security breaches that could threaten critical societal functions
  • Regulation that imposes under threat of civil penalty best practices on system operators of critical infrastructure
  • Certification from standards bodies about conformance to relevant cybersecurity standards that can be used as a marketplace differentiation
  • Accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted red team simulated attacks or exercises
  • Cybersecurity risk insurance

The complete bill can be found on the Library of Congress THOMAS website.