Posts Tagged ‘cybersecurity’

Organizations Fail to Mitigate Security Risks

Tuesday, September 29th, 2009

The SANS Institute has just released the results of a comprehensive study on cyber security risks. The study draws on attack data from intrusion prevention systems protecting 6,000 organizations and on vulnerability data from 9 million systems. It indicates that there are two major risks out there to organizations, both of which could be mitigated.

Cyber attacks are a growing issue for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that they are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is left unpatched, and websites are not being scanned for the common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. It also means that the question of Mac vs PC is not going to be your solution to mitigating risk, because these risks come from cross-platform applications and from the Internet.
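To see what “twice as long to patch client-side software” looks like when measured against your own environment, here is an added Python example (it is not from the SANS report or the original post). It computes time-to-patch per software category over a constructed set of records and lists the ones past a 30-day service level. The record ids, products, dates and the 30-day SLA are all made up for illustration; a real run would pull the same fields from your patch-management inventory.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PatchRecord:
    """One vendor fix tracked across the fleet (constructed sample data)."""
    vuln_id: str                  # hypothetical tracking id, not a real CVE
    product: str
    category: str                 # "client" (cross-platform apps) or "os"
    fix_available: date           # day the vendor published the fix
    fleet_patched: Optional[date]  # day every host had it; None = still open

    def days_exposed(self, as_of: date) -> int:
        """Days between the fix being available and the fleet being patched
        (or today, if it is still open)."""
        end = self.fleet_patched or as_of
        return (end - self.fix_available).days


AS_OF = date(2009, 9, 29)  # assumed reporting date

# Constructed sample records; ids, products and dates are illustrative only.
SAMPLE_RECORDS: List[PatchRecord] = [
    PatchRecord("sample-01", "Adobe Reader", "client", date(2009, 3, 10), date(2009, 5, 20)),
    PatchRecord("sample-02", "Adobe Flash", "client", date(2009, 7, 22), date(2009, 9, 1)),
    PatchRecord("sample-03", "QuickTime", "client", date(2009, 6, 1), None),
    PatchRecord("sample-04", "Microsoft Office", "client", date(2009, 8, 11), date(2009, 9, 2)),
    PatchRecord("sample-05", "Windows", "os", date(2009, 3, 10), date(2009, 3, 24)),
    PatchRecord("sample-06", "Windows", "os", date(2009, 6, 9), date(2009, 7, 1)),
    PatchRecord("sample-07", "Windows", "os", date(2009, 8, 11), date(2009, 9, 1)),
    PatchRecord("sample-08", "Windows", "os", date(2009, 9, 8), None),
]


def latency_by_category(records: List[PatchRecord], as_of: date = AS_OF) -> Dict[str, dict]:
    """Median and worst-case days exposed per category, plus how many fixes
    are still not fully deployed."""
    buckets: Dict[str, List[PatchRecord]] = {}
    for r in records:
        buckets.setdefault(r.category, []).append(r)
    stats: Dict[str, dict] = {}
    for cat, recs in buckets.items():
        days = [r.days_exposed(as_of) for r in recs]
        stats[cat] = {
            "count": len(recs),
            "median_days": float(median(days)),
            "max_days": max(days),
            "still_open": sum(1 for r in recs if r.fleet_patched is None),
        }
    return stats


def client_to_os_ratio(stats: Dict[str, dict]) -> float:
    """How many times longer client-side fixes take than OS fixes (by median)."""
    return stats["client"]["median_days"] / stats["os"]["median_days"]


def sla_breaches(records: List[PatchRecord], sla_days: int = 30,
                 as_of: date = AS_OF) -> List[Tuple[str, str, int]]:
    """Records exposed longer than the SLA, worst first."""
    late = [(r.vuln_id, r.product, r.days_exposed(as_of))
            for r in records if r.days_exposed(as_of) > sla_days]
    return sorted(late, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    stats = latency_by_category(SAMPLE_RECORDS)
    for cat, s in stats.items():
        print(f"{cat:6s} n={s['count']} median={s['median_days']:.0f}d "
              f"max={s['max_days']}d open={s['still_open']}")
    print(f"client/os median ratio: {client_to_os_ratio(stats):.2f}")
    for vuln_id, product, days in sla_breaches(SAMPLE_RECORDS):
        print(f"SLA breach: {vuln_id} ({product}) exposed {days} days")
```

Note that an unpatched fix keeps accruing exposure until the reporting date, so the “still open” records dominate the worst-case figure; that is the number to put in front of whoever owns the client-side patching process.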

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

Cybercrimes More Sophisticated, But So Too Are Countermeasures

Monday, July 27th, 2009

According to the Cisco 2009 Midyear Security Report, internet criminals are becoming more sophisticated, using increasingly targeted attacks. However, Cisco predicts that increased collaboration between organizations, like what we saw with Conficker, and new security policies may make it more difficult for attacks to infiltrate and spread.

The Midyear Security Report provides an overview of Cisco security intelligence, including information about new threats and trends, for the first half of 2009. Highlights from the Report:

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and users are paying little attention to these types of threats.
  • Compromising legitimate websites to propagate malware remains a highly effective technique
  • Web 2.0 applications have become lures for criminals
  • Criminals are now targeting online banking customers using well-designed, localized text message scams
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are following suit.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly.

Given the interest in insider threats, the report also details a possible increase in this threat given the current economic instability. This section of the report largely reiterates other studies and articles on the topic, providing context for what could be a growing security trend.

Download the report here.

Via eweek

McAfee H*Commerce Web Series

Friday, May 22nd, 2009

McAfee launched a new web series this week entitled H*Commerce: The Business of Hacking You at StopHCommerce.com.

H*Commerce, Hacker Commerce, is the “business of making money through the illegal use of technology to compromise personal and business data.” The new series will air 6 episodes, one episode being added every two weeks. Each episode involves real people doing normal online activities who are then attacked by cybercriminals. Each episode focuses on real stories in a documentary-style.

Here is the first webisode, “Unexpected Beginnings”, telling the story of Janella Spears, who lost more than $440,000 as the result of an email scam. The video explores the effects this cybercrime had on Janella and her family as well as Janella’s education in how to clean her system, handle hackers and stop cybercrime scams.

McAfee also recently launched a Cybercrime Response Unit designed to help victims of cybercrime.

White House Talks Cybersecurity

Monday, April 27th, 2009

Melissa Hathaway, who was appointed earlier this year to conduct a 60-day review of the cyber security efforts of the U.S. Government, presented at the RSA Conference on information security, with the report set to be released in a few days.

Melissa notes that our global digital infrastructure is neither secure nor resilient, driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed; the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cyber security plan. The recommendations outline a top-down approach to cyber security, with the White House leading the way, overseeing and working with other government agencies, State and local stakeholders, as well as those in academia and industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Melissa’s speech:

The speech, if somewhat repetitive and littered with political fluff, does hint at many changes to come. Almost nothing was specified yet, and many are critical of it. Let’s hope the report released in a few days will specify a bit more. Attempting to muster resources on the National and International level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

New Cybersecurity Legislation Proposed

Monday, April 20th, 2009

A new national cybersecurity bill is currently being introduced in the Senate by Senator Rockefeller (Chairman of the Committee on Commerce, Science, and Transportation) and Senator Snowe. The bill would create the Office of the National Cybersecurity Advisor within the Executive Office of the President, an advisory position that would report directly to the President and serve as lead on all cyber matters. This position would co-ordinate with the intelligence community as well as civilian agencies.

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snowe initiative would include provisions for:

  • Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
  • Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
  • Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
  • Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

GAO Lists 12 Cybersecurity Strategy Improvements

Wednesday, April 1st, 2009

The US Government Accountability Office (GAO) recently released highlights of their study on Cybersecurity. The report notes that key improvements are needed to strengthen the Nation’s posture and criticizes the Department of Homeland Security (DHS) strongly for having “yet to fully satisfy its responsibilities designated by the national cybersecurity strategy.” Here’s a summary of the report:

Pervasive and sustained computer-based (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy.

The GAO made 30 recommendations in key cybersecurity areas, including bolstering cyber analysis and warning capabilities, completing actions identified during cyber exercises, improving cybersecurity of infrastructure control systems, strengthening DHS’ ability to help recover from Internet disruptions and addressing cybercrime.

In addition to these areas identified as needing improvement, the GAO report identified 12 key strategy improvements:

  1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities
  2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy
  3. Establish a governance structure for strategy implementation
  4. Publicize and raise awareness about the seriousness of the cybersecurity problem
  5. Create an accountable, operational cybersecurity organization
  6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
  7. Bolster public/private partnerships through an improved value proposition and use of incentives
  8. Focus greater attention on addressing the global aspects of cyberspace
  9. Improve law enforcement efforts to address malicious activities in cyberspace
  10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts
  11. Increase the cadre of cybersecurity professionals
  12. Make the federal government a model for cybersecurity

The GAO says that the nation’s federal and private-sector infrastructure systems remain at risk without these improvements. They suggest the new administration consider these improvements as part of the nation’s cybersecurity strategy.

Via network world

Government Auditing Cybersecurity Efforts

Wednesday, February 25th, 2009

President Barack Obama named Melissa Hathaway to lead a 60-day review of the cybersecurity efforts of the US Government. Hathaway thus became the Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils.

Melissa Hathaway, who has served as Cyber Coordination Executive to the Director of National Intelligence, chaired the National Cyber Study Group, a group responsible for helping develop a five-year, $30 billion plan to secure federal systems and infrastructure against online threats. This Comprehensive National Cybersecurity Initiative (CNCI) was approved by President Bush in early 2008 and is still being implemented.

The new review will look at ongoing security programs, plans and activities and will develop recommendations to ensure they continue to meet the needs of both the public and private sectors. Essentially, Hathaway will be reviewing the progress of the existing CNCI plan and offering advice to keep it moving forward.

“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

As part of her task, Hathaway will reportedly evaluate a recommendation that a special White House “cyberadviser” role be created (something Obama echoed on the campaign trail). It is suggested that this role report directly to the President rather than leaving cybersecurity to the Department of Homeland Security. This type of role would help create a comprehensive plan for cybersecurity, an issue that spans all government agencies.

Via CSO Online, Computerworld, Govtech, White House, USA Today, WSJ ; Image: clipart
