Friday, June 24, 2011

June 24, 2011

Business Monitor International. (2011, June). Global cyber security outlook. China Defense and Security Report. Retrieved from http://www.businessmonitor.com [Full text available in the Business Source Complete database.]

Analysis of global incidents and issues in the first quarter of 2011 from a well-regarded risk and industry trends analysis firm.

National Cyber-Security Alliance. (2011, May). The state of K-12 cyberethics, cybersafety, and cybersecurity curriculum in the United States. Retrieved from http://bit.ly/iNPZw9

Results of a Microsoft-funded study that suggests that US K-12 students are not being adequately prepared to work in environments where cybersecurity is a concern.

Parkinson, D. (2011, January - February). Funding the new home guard. SC Magazine, 22(2), 20-23. Retrieved from http://www.scmagazineus.com [Full text available in the Computer and Applied Sciences Complete database.]

"... focuses on the 650 million pounds funding for the National Cyber Security Programme in Great Britain. The five major strands to the new programme are mentioned, one of which is a cyber infrastructure team in the Department for Business, Innovation and Skills. The vulnerabilities of the National Infrastructure to cyber attacks are discussed. It adds that Alan Michael of the Parliamentary Information Technology Committee considers the challenge of Internet security as the most complex issue [they have] ever faced."

Somaiya, R., & Lohr, S. (2011, June 23). Arrest puts spotlight on brazen hacking group LulzSec. New York Times, p. B1. Retrieved from http://www.nytimes.com/2011/06/24/technology/24hack.html

"As suspects go, Ryan Cleary did not look dangerous ... But charges by the British police link Mr. Cleary to a hacking group called Lulz Security, or LulzSec, which has been on an Internet crime spree in recent weeks, attacking Web sites and computer networks including those of the United States Senate, the Central Intelligence Agency and Sony." [More on LulzSec's release of Arizona law enforcement data this week, with document examples.]

United States. Department of Homeland Security. (2011, June). Risk management strategy for the private domain name resolution services critical function. Retrieved from http://www.dhs.gov/xlibrary/assets/it-sector-risk-management-strategy-domain-name-resolution-services-june2011.pdf

Outlines mitigation responses to three 'risks of concern' when using the DNS program: information disclosure / privacy loss, policy failure, and large-scale attacks on infrastructure.

Thursday, June 16, 2011

June 17, 2011

Farwell, J. (2011, June 15). Stuxnet and the future of cyber war. Retrieved from http://www.iiss.org/events-calendar/forthcoming-events/james-farwell-on-stuxnet-and-the-future-of-cyber-war/

Defense consultant and author James Farwell speaks at an International Institute for Strategic Studies conference on 6/15/11. UMUC students and faculty can request the related article at no cost through DocumentExpress.

Leavitt, N. (2011, June). Mobile security: Finally a serious problem? Computer, 44(4), 11-14. Retrieved from http://www.computer.org/portal/web/computer [Full text available in the IEEE Computer Science Digital Library database]

"The growing popularity of wireless technology may have finally attracted enough hackers to make the potential for serious security threats a reality."

National Science and Technology Council. (2011, June). Policy framework for the 21st century grid: Enabling our secure energy future. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/nstc-smart-grid-june2011.pdf

"This report highlights ... efforts that are needed to take advantage of opportunities made possible by modern information, energy, and communications technology. It also provides a policy framework that promotes cost-effective investment, fosters innovation to spur the development of new products and services, empowers consumers to make informed decisions with better energy information, and secures the grid against cyber attacks. Facilitating a smarter and more secure grid will require sustained cooperation among the private sector, state and local governments, the Federal Government, consumer groups, and other stakeholders. Such progress is important to ensure that the United States is a world leader in the 21st century economy, is at the forefront of the clean energy revolution, and wins the future by encouraging innovation."

Schwartz, N. D., & Dash, E. (2011, June 13). Thieves found CitiBank site an easy entry. New York Times, p. A1. Retrieved from http://www.nytimes.com/2011/06/14/technology/14security.html

"Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May. That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years. The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers" [see also "Citi Says Many More Customers Had Data Stolen by Hackers", 6/16/11.]

Shore, M., Du, Y., & Zeadally, S. (2011). A public-private partnership model for national cybersecurity. Policy and Internet, 3(2). doi:10.2202/1944-2866.1114 [Full text available with free registration at http://www.psocommons.org/policyandinternet/vol3/iss2/art8/]

"Many governments have established public-private partnerships to manage critical infrastructure protection, one element of which is telecommunications. However, in New Zealand these collaborative efforts have had limited success and the rapid increase in use of the Internet to support both society and commerce has led to the need for a more specific focus in this area. While regulation is an effective means of forcing action by industry, it can lead to significant unintended consequences and undesirable behaviours. This article explores how governments can have confidence in the safety and protection of their critical national infrastructures through a model of assured public-private partnership that is based on an incentivised adoption approach to drive optimal outcomes within the New Zealand context."

Tuesday, June 14, 2011

June 10, 2011

Breaux, T. D., & Baumer, D. L. (2011). Legally “reasonable” security requirements: A 10-year FTC retrospective. Computers and Security, 30(4), 178-193. Retrieved from http://www.elsevier.com/cose [Full text available in the Web of Science database]

"Growth in electronic commerce has enabled businesses to reduce costs and expand markets by deploying information technology through new and existing business practices. However, government laws and regulations require businesses to employ reasonable security measures to thwart risks associated with this technology. Because many security vulnerabilities are only discovered after attacker exploitation, regulators update their interpretation of reasonable security to stay current with emerging threats. With a focus on determining what businesses must do to comply with these changing interpretations of the law, we conducted an empirical, multi-case study to discover and measure the meaning and evolution of “reasonable” security by examining 19 regulatory enforcement actions by the U.S. Federal Trade Commission (FTC) over a 10 year period. The results reveal trends in FTC enforcement actions that are institutionalizing security knowledge as evidenced by 39 security requirements that mitigate 110 legal security vulnerabilities."

Conti, G., Babbitt, T., & Nelson, D. (2011, May/June). Hacking competitions and their untapped potential for security education. IEEE Security and Privacy, 9(3), 56-59. Retrieved from http://www.computer.org/portal/web/sp/home [Full text available in the IEEE Computer Science Digital Library database]

"Academia and the computer security industry have widely adopted hacker competitions, such as DEF CON’s Capture the Flag (CTF), to augment information security education. Many other hacker competitions, however, are less known. Here we examine these untapped competitions’ potential and identify those that can energize and enhance information security education in both the classroom and the industry."

Gjelten, T. (2011, June 9). Divisions seen in administration over cybercrime. Retrieved from http://www.npr.org/2011/06/09/137070593/divisions-seen-in-administration-over-cyberthreats

Highlights conflict within the Obama administration over the severity of computer- and hacking-related threats to national security:

"At issue is whether the nation faces the prospect of cyberwar and needs to prepare for it. The Pentagon says yes. Howard Schmidt, the White House coordinator for cybersecurity, sees such talk as "hype" and rejects the "cyberwar" term. "My father was in a war, my son has been in a war, I've been in a war, and this is not what we're going through right now," Schmidt said in an interview with NPR. "There are a whole lot of ramifications about using that term in any context, and even more in using the term 'cyberwar.'" [Audio and transcript available.]

Mueller, R. (2011, June 8). [Testimony before the Senate Judiciary Committee]. Retrieved from http://www.c-spanvideo.org/program/FBIDirec

Robert Mueller's testimony RE: the extension of his term as FBI director with discussion of cybersecurity-related threats. Searchable transcript with direct links to testimony segments available.

National Institute of Standards and Technology. (2011, June). Guide to industrial control system (ICS) security (Special Publication 800-82). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

"[This publication] provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. Special Publication 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is the finalization of the final public draft, and includes updates with respect to the Risk Management Framework and current activities."

Panetta, L. et al. (2011, June 9). [Confirmation hearing for Secretary of Defense Leon Panetta]. Retrieved from http://www.c-spanvideo.org/program/DefenseConfirm

Numerous references to cybersecurity by Panetta, stressing its importance as a key security measure. Searchable transcript with direct links to testimony segments available.

Scholtz, T. (2011, May 4). Articulating the business value of information security. Retrieved from http://www.gartner.com [Full text available in the Gartner database]

"Clearly articulating the business value of information security remains one of the major obstacles that information security managers are facing. The benefits of information security must be translated into business terminology."

June 3, 2011

Ben-David, Y., Hasan, S., Pal, J., Vallentin, M., Panjwani, S., Gutheim, P. ... Brewer, E. (2011). Computing security in the developing world: A case for multidisciplinary research. Paper to be presented at the 5th ACM Workshop on Networked Systems for Developing Regions, Bethesda, MD. New York, NY: Association for Computing Machinery. Retrieved from http://www.eecs.berkeley.edu/~yahel/papers/Case4security-in-er-draft.pdf

"Technology users in the developing world face a varied and complex set of computer security concerns. These challenges are deeply tied to a range of contextual factors including poor infrastructure, non-traditional usage patterns, and different attitudes towards security, which make simply importing security solutions from industrialized nations inadequate. Recognizing this, we describe some of the specific security risks in developing regions and their relationships with technical, political, social, and economic factors. We present concrete examples of how these factors affect the security of individuals, groups, and key applications such as mobile banking. Our analysis highlights the urgency of the concerns that need attention and presents an important intellectual challenge for the research community."

Center for a New American Security. (2011, June 1). America's cyber future: Security and prosperity in the information age. Retrieved from http://www.cnas.org. [Full text available in the Homeland Security Digital Library database and at http://www.cnas.org/node/6405]

"To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology."

Harknett, R. J., & Stever, J. A. (2011). The new policy world of cybersecurity. Public Administration Review, 71(3), 455-460. doi:10.1111/j.1540-6210.2011.02366.x [Full text available in the Business Source Complete database.]

"Past presidential administrations recognized that cybersecurity necessitates a comprehensive national policy to protect electronically transmitted and stored information from intrusion. But so far, development of a coherent cybersecurity policy has proven to be a daunting task. A feasible policy framework that systematically arrays the issues and specifies parameters of constraints is lacking, and articulated policies and strategies are narrowly focused and implemented incrementally. The authors argue that recent government documents related to cyberspace form a positive foundation on which to build a comprehensive policy."

Locasto, M. E., Ghosh, A. K., Jajodia, S., & Stavrou, A. (2011). The ephemeral legion: Producing an expert cyber-security work force from thin air. Communications of the ACM, 54(1), 129-131. Retrieved from http://cacm.acm.org. [Full text available in the ACM Digital Library database]

"The current rate of production of skilled cyber-security workers satisfies the appetite of neither the public nor private sector, and if we do not make a concerted effort to drastically increase this work force, then the U.S. will export high-paying information security jobs."

New York Times coverage of attack on Gmail

Markoff, D., & Barboza, A. (2011, June 2). Hackers from China hit Gmail, Google says. New York Times, p. B1. Retrieved from www.nytimes.com [Full text available in ProQuest Newspapers database and at http://www.nytimes.com/2011/06/02/technology/02google.html]

Richtel, M., & Kopytoff, V. G. (2011, June 3). E-Mail fraud hides behind friendly face. New York Times, p. A1. Retrieved from www.nytimes.com [Full text available in ProQuest Newspapers database and at http://www.nytimes.com/2011/06/03/technology/03hack.html]