Friday, March 9, 2012

March 8, 2012

National Cybersecurity

Heat wave: US administration tries to 'stimulate' support for Senate cybersecurity bill. (2012, March 8). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24411/heat-wave-us-administration-tries-to-simulate-support-for-senate-cybersecurity-bill/

The Obama administration on Wednesday simulated a cyber attack on the New York City power grid during a summer heat wave in an effort to convince US senators to pass comprehensive cybersecurity legislation. The Justice Department, the FBI, the National Security Agency, and the Department of Homeland Security (DHS) conducted the simulation during a briefing with senators hosted by Sen. Jay Rockefeller (D-W.Va.), one of the sponsors of the administration-backed Cybersecurity Act introduced last month.
The demonstration was “intended to provide all senators with an appreciation for new legislative authorities that could help the U.S. government prevent and more quickly respond to cyber attacks”, Caitlin Hayden, a White House spokeswoman, told Bloomberg in an e-mail.

Krekel, B., Adams, P., & Bakos, J. (2012, March 7). Occupying the information high ground: Chinese capabilities for computer network operations and cyber espionage. Retrieved from http://goo.gl/fL9xo 

The present study is intended to be a detailed follow-up and expansion upon a 2009 assessment prepared for the U.S.-China Economic and Security Review Commission of China’s evolving computer network operations capabilities and network intrusion incidents attributed to China. Concern in the United States over alleged Chinese penetrations of both commercial and government networks has only intensified in the past two years as successive incidents have come to light in the media and more organizations voluntarily come forward. The Commission requested a study that both reviewed developments since the 2009 study was completed and examined new issues related to cybersecurity, China, and potential risks to U.S. interests.

Norton, Q. (2012, March 7). Anonymous rocked by news that top hacker snitched to feds. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/anonymous-sabu-reaction/

On the heels of 25 arrests of Spanish-speaking anons last week, Anonymous was rocked Tuesday by the news that Hector Xavier Monsegur, the legal name of prominent antisec known as Sabu, has been cooperating with the FBI to hunt down other anon hackers from Lulzsec and Antisec.

The chatter on the anon IRC servers and anon-associated Twitter accounts ranged Tuesday from denial about Sabu’s involvement to outrage and hatred for Monsegur. One who worked with Sabu as part of Antisec, the militant and pranksterish arm of Anonymous, described themselves as “emotionally devastated” and “shocked” by the news. [More from the New York Times.]

Shackelford, S. J. (2012). In search of cyber peace: A response to the Cybersecurity Act of 2012. Stanford Law Review, 64(2), 106-111. Retrieved from http://www.stanfordlawreview.org/sites/default/files/online/articles/64-SLRO-106.pdf

The Cybersecurity Act of 2012, which was recently introduced in the Senate Homeland Security and Governmental Affairs Committee, is the latest legislative attempt to enhance the nation’s cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set “cybersecurity performance requirements” for firms operating what DHS deems to be “critical infrastructure,” and create “exchanges” to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally the bill misconstrues the scale and complexity of the evolving cyber threat by defining critical infrastructure too narrowly and relying too much on voluntary incentives and risk mitigation strategies. The Act might improve on the status quo, but it will not foster genuine and lasting cybersecurity. Still, it is preferable to the softer alternative SECURE IT Act proposed by senior Republicans.


Enterprise Cybersecurity

Herold, R. (2011). Managing an information security and privacy awareness and training program (2nd ed.). Boca Raton, FL: Auerbach Publications. [Full text available in Books 24x7 database.]

Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies.

McAfee. (2012, March). State of security 2012. Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf

To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012.


Global Cybersecurity & broadly applicable items

Arquilla, J. (2012, March-April). Cyberwar is already upon us. Foreign Policy. Retrieved from http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us?page=full

In the nearly 20 years since David Ronfeldt and I introduced our concept of cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

Chrome browser cracked in two hacker contests. Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24421/chrome-browser-cracked-in-two-hacker-contests/

Google’s Chrome browser was compromised twice this week, once in a Google-sponsored contest and the second time in the Pwn2Own hacker contest at CanSecWest. Researcher Sergey Glazunov hacked the Chrome browser using two vulnerabilities, earning $60,000 out of the $1 million possible purse in the Google-sponsored Pwnium contest.

European Network and Information Security Agency. (2012, February 29). Cyber Atlantic 2011: Evaluation report. Retrieved from http://www.enisa.europa.eu/activities/res/ca2011/ca2011-report

Following an EU–US commitment to foster greater efforts and cooperation on cyber security at the EU–US Lisbon summit in November 2010, the first joint cyber security exercise between the EU and US was delivered on 3 November 2011 in Brussels, supported by the European Network and Information Security Agency (ENISA) and the US Department of Homeland Security. The day-long table-top exercise, Cyber Atlantic 2011, drew involvement from more than 20 EU Member States, 16 of which were engaged in active participation together with the US. This report summarises the main observations, findings and recommendations from Cyber Atlantic 2011.

Fisher, D. A. (2012, March). Principles of trust for embedded systems (CMU/SEI-2012-TN-007). Retrieved from http://www.sei.cmu.edu/reports/12tn007.pdf

The development of trusted systems is a long-standing, elusive, and ill-defined objective in many domains. This paper gives substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems and to embedded systems in particular. Principles of trust are identified. Some of their implications for software engineering practice and for the design of hardware-based trusted computing platforms are also discussed.

Goodwin, J. (2012, March 6). Experts at RSA 2012 see cyber security at a major crossroads. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25766

Amid the buoyancy and hoopla so evident at the mammoth RSA cyber security conference in San Francisco last month was the nagging sense that governments and commercial enterprises in the U.S. are losing the cyber war being conducted so relentlessly by their Web-based adversaries.


Jianping, L., Mingu, L., Densheng, W., & Song, H. (2012). An integrated risk measurement and optimization model for trustworthy software process management. Information Sciences, 191, 47-60. doi:10.1016/j.ins.2011.09.040 [Full text available in ScienceDirect database.]

The growing demand for higher trustworthiness of software poses an unprecedented challenge to the software industry. Risk management is an important part of high quality software development processes. However, under the constraints of project cost and duration, it is very difficult to establish the budget for risk management. To integrate efficient risk management and pure software process is the goal of this paper. We propose a software process model with risk management and cost control modules to help improve software process risk management. Furthermore, based on this process model, a measurement model that includes process risk and software trustworthiness metrics is presented. Through risk management effectiveness calculation methods and risk transfer assumptions, a software process risk optimization model is proposed. This model can be used to derive an optimized risk management scheme for the process of trustworthy software development, with constraints of process cost and duration. Simulation cases are then analyzed by this model framework. The results show that risk management is critical to enhance trustworthiness, but that risk management is an effective complement, rather than the most fundamental process, to enhance the trustworthiness of software. Software developers should adopt appropriate and optimal strategies about risk management inputs, especially in lower CMMI level companies.

Kaspersky Lab. (2012, March 7). Kaspersky Lab experts discover unknown programming language in the Duqu trojan; appeal to programming community for support in analysis. Retrieved from http://goo.gl/rQPUy

The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL. After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”

Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications. [More from Wired and Infosecurity.]

Lewis, J. A. (2012, March 7). Significant cyber events since 2006. Retrieved from http://csis.org/files/publication/120307_Significant_Cyber_Incidents_Since_2006.pdf

This list is a work in progress that we update as new incidents come to light. If you have suggestions for additions, send them to techpolicy@csis.org. Significance is in the eye of the beholder, but we focus on successful attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.

Schmidt, A. (2012). At the boundaries of peer production: The organization of Internet security production in the cases of Estonia 2007 and Conficker. Telecommunications Policy [in press]. doi: 10.1016/j.telpol.2012.02.001 [Full text available in ScienceDirect database.]

With the emergence of Internet based communication and collaboration, new forms of production have surfaced that are based on openness and non-proprietary resources. The paper analyses the role of open source and peer production elements in the response to the attacks on Estonian Internet services in 2007 and the Conficker botnet in 2008/2009. While both cases cannot be classified as purely peer-produced security, the two cases of incident response examined here do show some of the characteristics of peer production. By applying certain institutional techniques, the communities balance their need for secrecy with their need to widely share information. The paper concludes with an explanatory model for the observed results. For appropriate policy outcomes, it suggests greater consideration of the role of social production by researchers and designers of the organisation of Internet security.

Wang, S., Hong, L., & Chen, X. (2012). Vulnerability analysis of interdependent infrastructure systems: A methodological framework. Physica A: Statistical Mechanics and its Applications, 391(11), 3323-3335. doi: 10.1016/j.physa.2011.12.043 [Full text available in ScienceDirect database.]

Infrastructure systems such as power and water supplies make up the cornerstone of modern society which is essential for the functioning of a society and its economy. They become more and more interconnected and interdependent with the development of scientific technology and social economy. Risk and vulnerability analysis of interdependent infrastructures for security considerations has become an important subject, and some achievements have been made in this area. Since different infrastructure systems have different structural and functional properties, there is no universal all-encompassing ‘silver bullet solution’ to the problem of analyzing the vulnerability associated with interdependent infrastructure systems. So a framework of analysis is required. This paper takes the power and water systems of a major city in China as an example and develops a framework for the analysis of the vulnerability of interdependent infrastructure systems. Four interface design strategies based on distance, betweenness, degree, and clustering coefficient are constructed. Then two types of vulnerability (long-term vulnerability and focused vulnerability) are illustrated and analyzed. Finally, a method for ranking critical components in interdependent infrastructures is given for protection purposes. It is concluded that the framework proposed here is useful for vulnerability analysis of interdependent systems and it will be helpful for the system owners to make better decisions on infrastructure design and protection.

Zetter, K. (2012, March 6). Hackers vie for more than $1 million to take down browsers. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/pwn2own/

As alleged hackers from LulzSec and Anonymous contemplate the possibility of a life behind bars, other hackers are limbering up in Canada this week to vie for more than $1 million in prize money for their hacking prowess. The annual Pwn2Own contest at the CanSecWest security conference is in its sixth year and aims to improve the security of the internet by challenging researchers to find zero-day vulnerabilities and develop exploits to attack them, while disclosing the findings to vendors to allow the companies to patch their products before the vulnerabilities can be exploited in the wild. The contest provides the makers of browser software and other applications with valuable information about security flaws in their products, without having to spend the time and resources to uncover the vulnerabilities themselves.

Friday, March 2, 2012

March 2, 2012

National Cybersecurity


This is not a technical paper for cyber specialists, but rather is intended to be read by a wider audience. Our goal was to craft a work that will be useful to both American and Chinese readers who are interested in the cyber security issue but are not technical specialists in it. We have written this to be of interest to people in the policy world and in the private sector, as well as the wider public. We have drawn from both Chinese and U.S. sources, and we have deliberately sought to avoid finger pointing. Our hope is that this paper—which is being published in both English and Chinese—will help shape useful discussions in the U.S. and China about a dialogue on cyber issues and, most importantly, to encourage both sides to move forward on this critical effort.

Martin, P. K. (2012, February 29). NASA cybersecurity: An examination of the agency’s information security. Retrieved from http://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf

Report of NASA's inspector general on an investigation that followed the November 2011 attack by hackers on the agency's Jet Propulsion Laboratory.

National Institute of Standards and Technology. Computer Security Division. (2012, February 28). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53, Revision 4). Retrieved from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period.

Norton, Q. (2012, February 26). Wikileaks pairs with Anonymous to publish intelligence firm's dirty laundry. Wired. Retrieved from http://www.wired.com/threatlevel/2012/02/wikileaks-anonymous-partners/

The first batch of leaked e-mails [Wikileaks site] purport to show that Stratfor monitored the political prankster group known as The Yes Men on behalf of Dow Chemical, which has been targeted by The Yes Men over the company’s handling of the Bhopal disaster. The e-mails also purport to show Stratfor’s attempt to set up an investment fund with a Goldman Sachs director to trade on the intelligence Stratfor collects, as well as give insight into how the private intelligence firm acquires, and sometimes pays for, information. Stratfor, which bills itself as a private intelligence organization, sells its analyses of global politics to major corporations and government agencies.

United States. Defense Advanced Research Projects Agency. (2012, February 23). High-assurance cyber military systems. Retrieved from http://cryptome.org/2012/03/darpa-hacms.pdf

The Defense Advanced Research Projects Agency is soliciting innovative research proposals in the area of the clean-slate development of software for high-assurance cyber-physical systems. Proposed research should investigate innovative approaches that enable revolutionary advances in science or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.

United States. Government Accountability Office. (2012, February 28). Challenges in securing the modernized electricity grid (GAO-12-50-7T). Retrieved from http://www.gao.gov/assets/590/588913.pdf

The electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure as part of nationwide efforts—commonly referred to as the “smart grid”—aimed at improving reliability and efficiency and facilitating the use of alternative energy sources such as wind and solar. Smart grid technologies include metering infrastructure (“smart meters”) that enable two-way communication between customers and electricity utilities, smart components that provide system operators with detailed data on the conditions of transmission and distribution systems, and advanced methods for controlling equipment. The use of these systems can bring a number of benefits, such as fewer and shorter outages, lower electricity rates, and an improved ability to respond to attacks on the electric grid. However, this increased reliance on IT systems and networks also exposes the grid to cybersecurity vulnerabilities, which can be exploited by attackers. Moreover, for nearly a decade, GAO has identified the protection of systems supporting our nation’s critical infrastructure—which include the electric grid—as a governmentwide high-risk area. GAO is providing a statement describing (1) cyber threats facing cyber-reliant critical infrastructures and (2) key challenges to securing smart grid systems and networks. In preparing this statement, GAO relied on its previously published work in this area.

Global Cybersecurity & broadly applicable items

Baldwin, A., Gheyas, I., Ioannidis, C., Pym, D., & Williams, J. (2012). Contagion in cybersecurity attacks [preprint]. Retrieved from http://www.abdn.ac.uk/~csc335/contagion.pdf

We develop and estimate a vector equation system of threats to ten important IP services, using SANS-reported data over the period January 2003 to February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems’ defence of sensitivity and criticality and thus delay appropriate information security investments.

Bradbury, D. (2012, February). When borders collide: Legislating against cybercrime. Computer Fraud and Security, 11-15. doi:10.1016/S1361-3723(12)70019-2 [Full text available in ScienceDirect database.]

It may be relatively easy to legislate against cybercrime inside a nation's borders, but how can legislation be enforced when criminals can simply move their activities across the globe? Why can hackers hide in Russia, China, and even Switzerland, happily launching cyber assaults in other countries, safe in the knowledge that it will be difficult for law enforcement in the target countries to take action against them? Have we failed in the creation of international legal standards to solve the problem?

Cavelty, M. D. (2012). The militarization of cyber security as a source of global tension [preprint]. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2007043

Cyber security is seen as one of the most pressing national security issues of our time. Due to sophisticated and highly publicized cyber attacks, most prominently among them the sabotaging computer worm Stuxnet, it is increasingly framed as a strategic-military concern. The result of this perception is too much attention on the low probability of a large scale cyber attack, a focus on the wrong policy solutions, and a detrimental atmosphere of insecurity and tension in the international system. Though cyber operations will be a significant component of future conflicts, the role of the military in cyber security will be limited and needs to be carefully defined [to be published in the Swiss Federal Institute of Technology Center for Security Studies' Strategic Trends Analysis, 2012.]

Charette, R. (2012, February 24). Smartphones becoming gateways to identity theft. IEEE Risk Factor. Retrieved from http://spectrum.ieee.org/riskfactor/telecom/wireless/smartphones-becoming-gateways-to-identity-theft

There were two stories this week that highlight the need for smartphone owners to look at security on their phones like they do on their other personal computing devices. The first was from Reuters, which on Wednesday reported that about 7 percent of all smartphone owners were victims of identity fraud in 2011. The statistic came from the research firm Javelin Strategy & Research, which also stated that its study indicated some 12 million Americans were victims of identity theft last year, a jump of 13 percent from 2011.

European Network and Information Security Agency. (2012, February 28). Cooperation between CERTs and law enforcement agencies in the fight against cybercrime: A first collection of practices. Retrieved from http://www.enisa.europa.eu/act/cert/support/supporting-fight-against-cybercrime/cooperation-between-certs-and-law-enforcement-agencies-in-the-fight-against-cybercrime-a-first-collection-of-practices/at_download/fullReport

The essential aim of this report is to improve the capability of CERTs, with a focus on the national/governmental CERTs (n/g CERTs), to address the network and information security (NIS) aspects of cybercrime. It focuses particularly on supporting n/g CERTs and their hosting organisations in the European Union (EU) Member States in their collaboration with the LEAs. It also intends to be a first collection of practices collected from mature CERTs in Europe, including among other things workflows and collaboration with other key players, in particular different law enforcement authorities, in the fight against cybercrime.

Google. (2012, February 27). Pwnium: Rewards for exploits. Retrieved from http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html

This year at the CanSecWest security conference, we will once again sponsor rewards for Google Chrome exploits. This complements and extends our Chromium Security Rewards program by recognizing that developing a fully functional exploit is significantly more work than finding and reporting a potential security bug. The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.

Kim, S. H., Wang, W., & Ullrich, J. B. (2012). A comparative study of cyberattacks. Communications of the ACM, 55(3), 66-73. doi:10.1145/2093548.2093568 [Full text available in ACM Computer Science Digital Library database.]

Cyber attacks are computer-to-computer attacks undermining the confidentiality, integrity, and/or availability of computers and/or the information they hold. The importance of securing cyberspace is increasing, along with the sophistication and potential significance of the results of the attacks. Moreover, attacks involve increasingly sophisticated coordination among multiple hackers across international boundaries, where the aim has shifted from fun and self-satisfaction to financial or military gain, with clear and self-reinforcing motivation.

Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012). SCADA security in light of cyber-warfare. Computers & Security [preprint]. doi:10.1016/j.cose.2012.02.009 [Full text available in ScienceDirect database.]

Supervisory Control and Data Acquisition (SCADA) systems are deployed worldwide in many critical infrastructures ranging from power generation, over public transport to industrial manufacturing systems. Whilst contemporary research has identified the need for protecting SCADA systems, these information are disparate and do not provide a coherent view of the threats and the risks resulting from the tendency to integrate these once isolated systems into corporate networks that are prone to cyber attacks. This paper surveys ongoing research and provides a coherent overview of the threats, risks and mitigation strategies in the area of SCADA security.

Palmer, M. (2012, February 22). GPS jammers threaten ships in Channel. Financial Times. [Full text available in ABI/INFORM Complete database.]

The illegal use of devices that block global positioning system signals is likely to cause a serious shipping accident in the English Channel within 10 years, senior academics will warn on Wednesday. The dependence on GPS is increasing across industry, in everything from aviation, financial-securities transactions and mining to road tolls, weather forecasting and synchronising the time in mobile base stations. The European Commission estimated last year that about EUR800bn of the EU economy depends on satellite navigation. But experts warn that this dependence is a vulnerability, as the system relies on weak satellite signals from 20,000km away in space, which can be easily interfered with, either accidentally or maliciously.

Perlroth, N., & Markoff, J. (2012, February 26). In attack on Vatican web site, a glimpse of hackers' tactics. New York Times. Retrieved from  

Anonymous, which first gained widespread notice with an attack on the Church of Scientology in 2008, has since carried out hundreds of increasingly bold strikes, taking aim at perceived enemies including law enforcement agencies, Internet security companies and opponents of the whistle-blower site WikiLeaks. The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack. [Wired on Monday's arrest by INTERPOL of twenty-five alleged members of Anonymous.]

RSA 2012: Firms spend more on encryption to thwart attacks, comply with regs. Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24268/rsa-2012-firms-spend-more-on-encryption-to-thwart-attacks-comply-with-regs/

Organizations are increasing their investment in encryption across the enterprise in response to compliance regulations and cyberattacks, according to a survey by the Ponemon Institute for Thales that was released this week at RSA. The main drivers for deploying encryption are to protect brand reputation (45%), lessen the impact of data breaches (40%), and comply with privacy or data security regulations (39%), according to the survey of 4,000 business and IT managers in the US, UK, Germany, France, Australia, Japan, and Brazil.

More from RSA 2012: Hacking, external actors dominate 2011 data breaches / Cybersecurity certification groups form industry collaborative

Wednesday, February 22, 2012

February 22, 2012

[Next update 3/2/12]
National Cybersecurity

Johnson, N. B. (2012, February 21). NIST, Md. to operate joint cybersecurity center. FederalTimes. Retrieved from http://www.federaltimes.com/article/20120221/IT01/202210302/1035/IT01

The federal government, in partnership with the state of Maryland and Montgomery County, Md., will launch a National Cybersecurity Center of Excellence that aims to speed industry's development of secure information technology products. The National Institute of Standards and Technology announced the agreement Tuesday through which NIST researchers will share with industry solutions and standards they've developed to improve cybersecurity. NIST's 2012 budget provides $10 million to launch and operate the center.

United States. Congress. Senate. Committee on Homeland Security and Governmental Affairs. (2012, February 16). Securing America's future: The Cybersecurity Act of 2012. Retrieved from http://www.hsgac.senate.gov/hearings/securing-americas-future-the-cybersecurity-act-of-2012

Video and transcripts of testimony from Sen. John McCain, Janet Napolitano, Tom Ridge, James A. Lewis, and others.

Enterprise Cybersecurity 

BYOD problem: Criminal infiltration and data exfiltration. (2012, February 21). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24033/the-byod-problem-criminal-infiltration-and-data-exfiltration/
A solution to the growing ‘BYOD problem’ can be achieved by extending network access control at the servers to include mobile devices in the field by combining NAC and MDM. The ‘BYOD problem’ can be defined as twofold. Firstly, the increase in users’ own devices accessing corporate servers is an infiltration threat. Secondly, the habit of downloading sensitive data onto insecure and frequently lost or stolen mobile devices is an exfiltration threat. An IDC survey in July 2011 (2011 Consumerisation of IT Study: Closing the Consumerisation Gap) found that 40.7% of devices used to access business applications are the users’ own devices, including home PCs, smartphones and tablets. BYOD-facilitated infiltration and exfiltration are both rapidly growing problems.

Global Cybersecurity 
& broadly applicable items

Jones, R. A., & Horowitz, B. (2012). A system-aware cyber security architecture. Systems Engineering, 15(2) [preprint]. [Full text can be requested at no cost from DocumentExpress.]
As exemplified in the 2010 Stuxnet attack on an Iranian nuclear facility, attackers have the capabilities to embed infections in equipment that is employed in nuclear power systems. In this paper, a new systems engineering focused approach for mitigating such risks is described. This approach involves the development of a security architectural formulation that integrates a set of reusable security services as an architectural solution that is an embedded component of the system to be protected. The System-Aware architectural approach embeds security components into the system to be protected. The architecture includes services that (1) collect and assess real-time security relevant measurements from the system being protected, (2) perform security analysis on those measurements, and (3) execute system security control actions as required. This architectural formulation results in a defense that is referred to as System-Aware Cyber Security. This includes (1) the integration of a diverse set of dynamically interchangeable redundant subsystems involving hardware and software components provided from multiple vendors to significantly increase the difficulty for adversaries by avoiding a monoculture environment, (2) the development of subsystems that are capable of rapidly changing their attack surface through hardware and software reconfiguration (configuration hopping) in response to perceived threats, (3) data consistency checking services (e.g., intelligent voting mechanisms) for isolating faults and permitting moving surface control actions to avoid operations in a compromised configuration, and (4) forensic analysis techniques for rapid post-attack categorization of whether a given fault is more likely the result of an infected embedded hardware or software component (i.e., cyber attack) or a natural failure. 
In this paper we present these key elements of the System-Aware Cyber Security architecture and show, including an application example, how they can be integrated to mitigate the risks of insider and supply chain attacks. In addition, this paper outlines an initial vision for a security analysis framework to compare alternative System-Aware security architectures. Finally, we summarize future research that is necessary to facilitate implementation across additional domains critical to the nation's interest.

Kaspersky Lab. (2012, February 22). DDoS attacks in H2 2011. Retrieved from https://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011
Detailed analysis of high-profile DDoS attacks that occurred in the second half of 2011.

McAfee. (2012, February). McAfee threats report: Fourth quarter 2011. Retrieved from http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2011.pdf
The final quarter of 2011 was one of significant ups and downs in the global threat landscape. The quarter serves as a microcosm for the entire year: 2011 delivered some of the most noteworthy events we have seen to date. High-profile attacks such as Duqu and the rise of Anonymous-centric hacktivism made 2011 a truly challenging year for the security business. The increasing attention on industrial control systems mated with growing hacktivist activities could lead to turbulent times in 2012. Looking back at the quarter, several things jumped out. Growth in almost all areas of malware and spam declined, with the exception of mobile-based malware. Mobile malware rose during the quarter and recorded its busiest year to date. Android, once again, was the clear choice for malware writers. And although the release of new malware slowed, the total malware we’ve captured still managed to break the 75 million mark, a figure we predicted late in 2011.

McDermott, R. (2012, February). Emotion and security. Communications of the ACM, 55(2), 35-37. [Full text available in the ACM Digital Library database.]
Have you ever tried to convince someone to love you? Or has anyone ever tried to convince you to love them? A person can present the most logical and irrefutable arguments in the world about how well suited you are, how well you get along, how many critical values you share, and how complementary your interests and skills appear. The arguments may even be true. But the problem is you just don't feel it, so no amount of logic ever seems to overcome the lack of emotion. Conversely, if you feel the love, no amount of rational calculation can dissuade you, as the high divorce rate attests. Security is like that as well. There is a reality to it. But there is also a feeling, right or wrong, that undergirds it as well. And those emotions are susceptible to manipulation, both strategic and accidental.

Norton, Q. (2012, February 17). Anonymous promises regularly scheduled Friday attacks. Wired. Retrieved from http://www.wired.com/threatlevel/2012/02/anonymous-friday-attacks/
Anonymous, a group not known for discipline, is giving itself a weekly deadline, a new attack every Friday. Following the Tuesday compromise of the website of tear gas maker Combined Systems, Inc., the Antisec wing of Anonymous struck a Federal Trade Commission webserver which hosts three FTC websites, business.ftc.gov, consumer.gov and ncpw.gov, the National Consumer Protection Week partnership website. “We are already sitting on dozens of unreleased targets,” said an Antisec anon, who went on to describe an inventory of already compromised servers that could fill five months or more of #FFF releases. “Yes, each and every Friday we will be launching attacks… with the specific purpose of wiping as many corrupt corporate and government systems off our internet,” the anon continued.

Polunchenko, A. S., Tartakovsky, A. G., & Mukhopadhyay, N. (2012). Near-optimal change point detection with an application to cybersecurity [preprint]. Retrieved from http://arxiv.org/abs/1202.2849
We address the sequential change-point detection problem for the Gaussian model where the baseline distribution is Gaussian with variance σ² and mean μ such that σ² = aμ, where a > 0 is a known constant; the change is in μ from one known value to another. First, we carry out a comparative performance analysis of four detection procedures: the CUSUM procedure, the Shiryaev-Roberts (SR) procedure, and two of its modifications, the Shiryaev-Roberts-Pollak and Shiryaev-Roberts-r procedures. The performance is benchmarked via Pollak's maximal average delay to detection and Shiryaev's stationary average delay to detection, each subject to a fixed average run length to false alarm. The analysis shows that in practically interesting cases the accuracy of asymptotic approximations is "reasonable" to "excellent". We also consider an application of change-point detection to cybersecurity, for rapid anomaly detection in computer networks. Using real network data we show that traffic intensity can be well described statistically by the proposed Gaussian model with σ² = aμ instead of the traditional Poisson model, which requires σ² = μ. By successively devising the SR and CUSUM procedures to "catch" a low-contrast network anomaly (caused by an ICMP reflector attack), we then show that the SR rule is quicker. We conclude that the SR procedure is a better cyber "watch dog" than the popular CUSUM procedure.

Souppaya, M., & Scarfone, K. (2012, February). Guidelines for securing wireless local area networks (WLANs): Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800-153). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf
The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. Recommendations . . . cover topics such as standardized WLAN security configurations, dual connected WLAN client devices, and security assessments and continuous monitoring.

Friday, February 17, 2012

February 17, 2012

National Cybersecurity

Ballenstedt, B. (2012, February 15). Agencies struggle to hire cyber professionals. NextGov. Retrieved from http://wiredworkplace.nextgov.com/2012/02/agencies_struggle_in_hiring_cyber_pros.php
The federal government is doing a great job retaining cybersecurity professionals once they're in federal jobs. The challenge for most agencies is finding and hiring qualified candidates, a new survey suggests. According to the 2012 Career Impact Survey, released Tuesday by (ISC)2, federal cybersecurity professionals are experiencing nearly full employment as well as career advancement opportunities and salary increases in 2011. The survey of 545 federal cybersecurity pros found that 97 percent are currently employed, and only 8 percent were unemployed at any point in 2011. Cybersecurity pros also are seeing pay raises, with 62 percent receiving a salary increase in 2011 and 48 percent expecting one in 2012. Eleven percent of respondents said they received salary increases of 10 percent or higher last year.

Global Cybersecurity 
& broadly applicable items

Alberts, C. J., Allen, J. H., & Stoddard, R. W. (2012, February). Risk-based measurement and analysis: Application to software security (Technical Note 2012-TN-004). Retrieved from http://www.sei.cmu.edu/reports/12tn004.pdf
For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization's software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.

Anonymous mischief continues: Stock exchanges face DDoS attacks. (2012, February 16). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23961/anonymous-mischief-continues-us-stock-exchanges-face-ddos-attacks/
The hacktivist group Anonymous launched distributed denial of service (DDoS) attacks on a number of major stock exchanges this week, continuing its reign of information security mischief. The DDoS attacks intermittently took offline the websites of Nasdaq and the BATS Stock Exchanges earlier this week, although none of the exchanges’ trading systems were affected, according to a Reuters report. The Chicago Board Options Exchange website was also taken offline, an exchange spokesperson told Threatpost.

Antunes, N., & Vieira, M. (2012). The devils behind web application vulnerabilities. Computer (preprint). doi:http://doi.ieeecomputersociety.org/10.1109/MC.2011.259 [Full text available in the IEEE Computer Science Digital Library database.]
Web applications are frequently deployed with critical security bugs that can be maliciously exploited. Avoiding such vulnerabilities depends on the best practices and tools applied during implementation, testing and deployment phases of the software development cycle. However, many times those practices are disregarded, as developers are frequently not specialized in security and face hard time-to-deploy constraints. Furthermore, the poor efficiency of existing automatic vulnerability detection and mitigation tools opens the door for the deployment of insecure web applications. Realizing the full benefits of secure coding and the limitations of existing tools requires rethinking the way we build web applications. This paper [discusses] the devils behind the security of such applications.

Cyberwar between India and Bangladesh escalates. (2012, February 16). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23956/cyberwar-between-india-and-bangladesh-escalates/
Bangladeshi hackers have been hacking Indian sites, and Indian hackers have been hacking Bangladeshi sites. Now it is escalating as each side calls for ‘cyberwar’ against the other. A week ago the Indian Hackers group announced a ‘cyberwar’ against Bangladesh. This was quickly followed by news that a hacker calling himself ‘Silent Hacker’ had defaced 30 Bangladeshi government websites. Bangladeshi groups hit back. A day later, more than 300 Indian sites were attacked. The Bangladesh Cyber Army posted to Pastebin a list of more than 250 sites it claimed to have hacked. Another list of more than 30 Indian government sites claimed to have been ‘downed by the Bangladesh Cyber Army’ was pasted on 11 February. DDoS is the main method of attack.

Gorman, C. (2012, February 14). Chinese hackers suspected in long-term Nortel breach. Wall Street Journal, p. A1. [Full text available in the Wall Street Journal database.]
For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times. Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers -- who appeared to be working in China -- penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

O'Connor, C. (2012, February 14). The Jester dynamic: A lesson in asymmetric unmanaged cyberwarfare. Retrieved from http://www.sans.org/reading_room/whitepapers/attacking/jester-dynamic-lesson-asymmetric-unmanaged-cyber-warfare_33889
Sophisticated and complex to implement, long-term cyberattacks are often considered the work of intelligence agencies and crime syndicates. However, the oversight and bureaucracy that comes from such management often hinders the ultimate lethality of the attack. In this paper, we will examine the significant impact a lone-wolf patriot hacker has had over the course of the last two years, and what important lessons we can learn from him on how to wage a successful fight in this domain.

Sengupta, S. (2012, February 15). Criminals exploit stolen customer data from Stratfor. New York Times. Retrieved from http://bits.blogs.nytimes.com/2012/02/15/criminals-exploit-stolen-customer-data-from-stratfor
It began as a case of political hacktivism. Late last year, under the banner of the loose collective known as Anonymous, hackers broke into the systems of Stratfor Global Intelligence Service, a company that analyzes geopolitical risks worldwide. They stole the names, e-mail addresses and credit card numbers of thousands of its subscribers and posted them online for all to see. That information apparently became lucre for criminals with commercial goals. Stratfor customers began receiving e-mails from what, at first glance, looked like Stratfor. An attached PDF file came with what looked like Stratfor letterhead. It warned of the risk of “harmful software” and asked the user to download an antivirus program by clicking on an embedded link. As it turns out, the link downloaded a piece of malicious software. It was detected by Microsoft’s Malware Protection Center, which posted about it on its blog this week.

Wightman, R. (2012, February 14). Valentine's day SCADA tools release. Retrieved from http://www.digitalbond.com/2012/02/14/valentines-day-scada-tools-release/
Free suite of tools from researchers at Digital Bond, designed to expose security flaws in industrial control systems.

Friday, February 10, 2012

February 10, 2012

National Cybersecurity

United States. Congress. House. Committee on Energy and Commerce. (2012, February 8). Cybersecurity: Threats to communications networks and private-sector responses. Retrieved from http://energycommerce.house.gov/hearings/hearingdetail.aspx?NewsID=9250
Hearing featuring testimony from representatives of the Internet Security Alliance, the Center for Strategic and International Studies, McAfee, and other organizations.

United States. Department of Homeland Security. Industrial Control Systems Cyber Emergency Response Team. (2012, February 3). SSH scanning activity targets industrial control systems (ICS-Alert-12-034-01). Retrieved from http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-034-01.pdf
ICS-CERT is issuing this alert to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity involving secure shell (SSH) scanning of Internet facing control systems. As recently as this week, ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks.

Enterprise Cybersecurity

Manners, D. (2012, February 7). The user agent field: Analyzing and detecting the abnormal and malicious in your organization. Retrieved from http://www.sans.org/reading_room/whitepapers/hackers/user-agent-field-analyzing-detecting-abnormal-malicious-organization_33874
Hackers are hiding within the noise of HTTP traffic. They understand that within this noise it is becoming increasingly difficult to detect malicious traffic. They know that overworked analysts have little time to detect malicious/abnormal HTTP traffic hiding amongst a mountain of legitimate HTTP traffic. However, hackers may be using unusual, unique, alien-to-your-organization, or just plain evil user agents in their HTTP request headers. When they do, they become easier to identify. This paper aids intrusion analysts in understanding the user agent field and how it can be used to detect malicious traffic.

Global Cybersecurity 
& broadly applicable items

Beyeler, W., Glass, R., & Lodi, G. (2012). Modeling and risk analysis of information sharing in the financial infrastructure. In R. Baldoni & G. Chockler (Eds.), Collaborative financial infrastructure protection. Berlin, Germany: Springer. Retrieved from http://goo.gl/tlO70 
This chapter defines the community of banks as a Complex Adaptive System of Systems and analyses the value of information sharing as a general policy to protect the community against cyber attacks.

ICT SCRM Community Framework Development Project. (2012, February 3). Final report. Retrieved from http://csrc.nist.gov/scrm/documents/umd_ict_scrm_initiatives-report2-1.pdf
Report of the UM Robert H. Smith School of Business team hired by NIST to analyze and make recommendations on improving supply chain risk management. Cybersecurity is one of the aspects covered by the report.

New Android malware bags millions in revenues. (2012, February 9). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23803/new-android-malware-bags-millions-in-revenues/
A new piece of Android malware named Bmaster has infected hundreds of thousands of devices in China and is able to generate millions of dollars in annual revenue. The Android malware, first highlighted by researcher Xuxian Jiang at North Carolina State University, was uncovered on a third-party marketplace and is bundled with a legitimate application for configuring phone settings, Symantec researcher Cathal Mullaney wrote in a blog posting.

Best practices from the industrial control systems industry association.

Rubin, J. (2012, February 8). Google Wallet security: PIN exposure vulnerability. Retrieved from https://zvelo.com/blog/entry/google-wallet-security-pin-exposure-vulnerability
Interesting discussion, with links to other resources, of the recently revealed susceptibility of Google Wallet to brute force attacks. [Related article from Infosecurity.]

Zetter, K. (2012, February 7). Flaw in home security cameras exposes live feeds to hackers. Wired. Retrieved from http://www.wired.com/threatlevel/2012/02/home-cameras-exposed/
A flaw in home security cameras made by Trendnet potentially exposed thousands of customers to hackers who could access the live video feeds without a password. The vulnerability was discovered by a blogger who uses the name “someLuser” and who posted details of the flaw in January, describing how he was able to find vulnerable cameras online by using the Shodan search engine, which allows users to find internet-connected devices using simple search terms . . . Within days of his revelation, readers had found more than 600 cameras through their web addresses, which included cameras inside businesses and children’s bedrooms. As more cameras were exposed, some readers posted screenshots from the cameras as well as Google Maps purporting to identify the exact location of the cameras.

Zetter, K. (2012, February 7). Hackers release Symantec source code after failed $50K extortion attempt. Wired. Retrieved from http://www.wired.com/threatlevel/2012/02/symantec-extortion-attempt/
Hackers with the Anonymous collective have released source code for Symantec’s pcAnywhere product after failing to secure $50,000 from the company in an extortion attempt. A hacker going by the online name YamaTough published 1.27 GB of the source code on Pirate Bay Monday night after negotiations to extort money from someone he believed was a Symantec employee fell through. In reality, the Symantec “employee” was an undercover law enforcement agent who was using a fake Symantec email address to communicate with the hacker.

Friday, February 3, 2012

February 3, 2012

National Cybersecurity

Clapper, J. R. (2012, January 31). Unclassified statement for the record on the worldwide threat assessment of the U.S. intelligence community for the Senate Select Committee on Intelligence. Retrieved from http://intelligence.senate.gov/120131/clapper.pdf
Statement from the Director of National Intelligence in the 1/31/12 hearing "Current and Projected National Security Threats" [video].

Critical infrastructure firms woefully short on cybersecurity spending. (2012, February 2). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23625/critical-infrastructure-firms-woefully-short-on-cybersecurity-spending/
US critical infrastructure companies would need to spend nine times more on cybersecurity in order to prevent a surprise digital assault, according to a new report by Bloomberg Government and the Ponemon Institute. The 172 US critical infrastructure organizations surveyed in the study said that they currently spend $5.3 billion on cybersecurity. They estimated that they would have to spend $46.6 billion over the next 12 to 18 months to reach a level of security where they could stop 95% of cyberattacks.

House panel approves critical infrastructure cybersecurity bill. (2012, February 12). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23644/house-panel-approves-critical-infrastructure-cybersecurity-bill/
A US House panel has approved legislation that would encourage critical infrastructure companies to adopt cybersecurity best practices and would give the Department of Homeland Security (DHS) responsibility for safeguarding critical infrastructure cybersecurity. The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act, introduced by Rep. Dan Lungren (R-Calif.) and Rep. Peter King (R-N.Y.), would require DHS to conduct an evaluation of cybersecurity risks to critical infrastructure and determine the best mitigation methods.

Global Cybersecurity 
& broadly applicable items

Bachman, S. (2012). Hybrid threats, cyber warfare and NATO’s comprehensive approach for countering 21st century threats – mapping the new frontier of global risk and security management. Amicus Curiae, 88 (in press). Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1989808
Multimodal, low intensity, kinetic as well as non-kinetic threats to international peace and security including cyber war, low intensity asymmetric conflict scenarios, global terrorism, piracy, transnational organized crime, demographic challenges, resources security, retrenchment from globalization and the proliferation of weapons of mass destruction were identified by NATO as so called "Hybrid Threats" . . . This short article introduces the reader to a new form of global threat scenario and the possibilities of response and deterrence within their wider legal and political context. 

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, January). Computer security incident handling guide (draft 2): Recommendations of the National Institute of Standards and Technology (Special Publication 800-61). Retrieved from http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
This publication seeks to help both established and newly formed incident response teams. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This revision of the publication, Revision 2, updates material throughout the publication to reflect the changes in threats and incidents. Unlike most threats several years ago, which tended to be short-lived and easy to notice, many of today’s threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts. Identifying these threats in their early stages is key to preventing subsequent compromises, and sharing information among organizations regarding the signs of these threats is an increasingly effective way to identify them. 

Don't trust satellite phones - the GMR-1 and GMR-2 ciphers have been broken. (2012, February 2). Cryptanalysis. Retrieved from http://cryptanalysis.eu/blog/2012/02/02/dont-trust-satellite-phones-the-gmr-1-and-gmr-2-ciphers-have-been-broken/
Analysis of the reverse engineering and breaking of the ciphers used in many satellite phone systems by Ruhr Universität Bochum researchers Benedikt Driessen and Ralf Hund. [More from Infosecurity.]

Geers, K. (2012). Strategic cyber defense - which way forward? Journal of Homeland Security and Emergency Management, 9(1), 1-10. Retrieved from http://www.ccdcoe.org/articles/2012/Geers_StrategicCyberDefense.pdf
Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the “cyberspace” around them. Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation.

Grauman, B. (2012, January 30). Cyber-security - the vexed question of global rules: An independent report on cyber-preparedness around the world. Retrieved from http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf
This report is published as part of the Security & Defence Agenda's (SDA) cyber-security initiative. It is intended as a snapshot of current thinking around the world on the policy issues still to be resolved, and will form the basis of SDA debates and future research during 2012. [Related article from Government Security News.]

Menn, J. (2012, February 2). Key internet operator VeriSign hit by hackers. Reuters. Retrieved from http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
VeriSign Inc, the company in charge of delivering people safely to more than half the world's websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company. The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov.

Upcoming webcast: Sachs, M. H. (2012, February 15). Top 10 tips to protect your organization from cyber attacks. Retrieved from http://msisac.cisecurity.org/webcast/2012-02/index.cfm
Multi-State Information Sharing and Analysis Center (MS-ISAC) sponsored talk by Verizon's Vice President of National Security Policy. Free registration is required.

Stuttard, D., & Pinto, M. (2012). The web application hacker's handbook: Finding and exploiting security flaws (2nd ed.). Hoboken, NJ: John Wiley & Sons. [E-book available in the Books 24x7 database.]
Containing the most current attack techniques and countermeasures, this practical book discusses the latest step-by-step methods for attacking and defending the range of ever-evolving web applications.

Friday, January 27, 2012

January 27, 2012

National Cybersecurity

United States. Executive Office of the President. (2012, January). National strategy for global supply chain security. Retrieved from https://www.hsdl.org/?view&did=698202
A strategy for ensuring the security and resiliency of "the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems."

Global Cybersecurity 
& broadly applicable items

Alsaleh, M., Mannan, M., & van Oorschot, P. C. (2012). Revisiting defenses against large-scale online password guessing attacks. IEEE Transactions on Dependable and Secure Computing, 9(1), 128-141. [Full text available in the IEEE Computer Science Digital Library database.]
Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.

Bryan-Low, C. (2012, January 23). Hackers-for-hire are easy to find. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052970203471004577145140543496380.html
Sitting in his Los Angeles home, Kuwaiti billionaire Bassam Alghanim received an alarming call from a business associate: Hundreds of his personal emails were posted online for anyone to see.  Mr. Alghanim checked and found it to be true, according to a person familiar with the matter. The emails included information on his personal finances, legal affairs, even his pharmacy bills, this person said.  That led to another surprise. Mr. Alghanim discovered the person who had allegedly commissioned the hackers was his own brother, with whom he is fighting over how to divide up billions of dollars of joint assets. Mr. Alghanim's lawyers allege in court filings that the brother hired investigators to illegally access his email with the help of Chinese hackers. Cost to hire the hackers: about $400.

Cappelli, D., Moore, A. P., Trzeciak, R. F. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Boston, MA: Addison-Wesley Professional. [E-book available in the Safari Books Online database.]
This book ... conveys the big picture of the insider threat problem over time: the complex interactions and unintended consequences of existing policies, practices, technology, insider mindsets, and organizational culture. Most important, it offers actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81. [Full text available in the ACM Digital Library database.]
On the surface, phishing attacks may seem to be a variant of spam. However, such attacks can lead to damaging losses in terms of identity theft, sensitive intellectual property and customer information, and national-security secrets. Phishing attacks are also increasingly pervasive and sophisticated. Phishing has spread beyond email to include VOIP, SMS, instant messaging, social networking sites, and even massively multiplayer games. Criminals have also shifted from sending mass-email messages, hoping to trick anyone, to more selective “spearphishing” attacks that use relevant contextual information to trick specific victims.

IT security budgets are expected to rise this year. (2012, January 25). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23474/it-security-budgets-are-expected-to-increase-this-year/
More than half of organizations expect to increase their information security spending in 2012, some by 8% or more, according to a survey by the Enterprise Strategy Group (ESG). In addition, information security initiatives were identified by IT professionals as one of the top five IT priorities for 2012. ESG also found that 35% of organizations plan to hire additional security staff; 23% of organizations believe that there is a “problematic shortage” of security skills in their organization.

King, C. (2012, January). Spotlight on: Malicious insiders and organized crime activity (CMU/SEI-2012-TN-001). Retrieved from http://www.sei.cmu.edu/library/abstracts/reports/12tn001.cfm?WT.DCSext.abstract
The focus of this report is on current or former employees, contractors, or business partners who were affiliated with, or are considered to be part of, organized crime. The case material came from a mixture of court documents, Department of Justice press releases, interviews, and media reports. This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why. This report concludes with a summary of the relevant details of the highlighted cases and offers recommendations that could potentially mitigate the risk of similar occurrences.

NQ Mobile / National Cybersecurity Alliance. (2012, January). Report on consumer behaviors and perceptions of mobile security. Retrieved from http://docs.nq.com/NQ_Mobile_Security_Survey_Jan2012.pdf
From a related Infosecurity article: "The report, conducted independently, surveys 1,158 American smartphone users and provides a thorough and sometimes surprising insight into consumers’ attitudes toward and understanding of mobile security. It highlights, for example, that business really should be concerned about the security implications of evolving consumerization (or ‘bring your own device’) in the workplace."

Perlroth, N. (2012, January 22). Flaws in videoconferencing may open up board room to hackers. New York Times. [Full text available in the New York Times database.]
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment.  With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

Rockwell, M. (2012, January 23).  LANL says researchers have developed rock-solid quantum cryptography for handheld device. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25496
Researchers at the Los Alamos Nuclear Laboratory have developed a miniature transmitter that can bring strong security to handheld devices like tablet computers or smart phones and could replace a range of security systems, including those at border crossings.  The laboratory said on Jan. 20 that it had developed a miniature transmitter that communicates with a trusted authority to generate random cryptographic keys to encode and decode information. Researchers at the lab said the technology was “an impenetrable line of defense” called the QKarD (Quantum Smart Card) that loads quantum cryptography onto a smart card or smart phone.

Zetter, K. (2012, January 24). 10K reasons to worry about critical infrastructure. Wired. Retrieved from http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.  Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems  . . . are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.  But Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.

Zuo, Y. (2012). Survivability experiment and attack characteristics for RFID. IEEE Transactions on Dependable and Secure Computing, 9(2), 289-302. [Full text available in the IEEE Computer Science Digital Library database.]
Radio Frequency Identification (RFID) has been developed as an important technique for many high security and high integrity settings. In this paper, we study survivability issues for RFID. We first present an RFID survivability experiment to define a foundation to measure the degree of survivability of an RFID system under varying attacks. Then we model a series of malicious scenarios using stochastic process algebras and study the different effects of those attacks on the ability of the RFID system to provide critical services even when parts of the system have been damaged. Our simulation model relates its statistic to the attack strategies and security recovery. The model helps system designers and security specialists to identify the most devastating attacks given the attacker's capacities and the system's recovery abilities. The goal is to improve the system survivability given possible attacks. Our model is the first of its kind to formally represent and simulate attacks on RFID systems and to quantitatively measure the degree of survivability of an RFID system under those attacks.