Friday, January 27, 2012

January 27, 2012

National Cybersecurity

United States. Executive Office of the President. (2012, January). National strategy for global supply chain security. Retrieved from https://www.hsdl.org/?view&did=698202
A strategy for ensuring the security and resiliency of "the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems."

Global Cybersecurity & broadly applicable items

Alsaleh, M., Mannan, M., & Oorschot, P. C. (2012). Revisiting defenses against large-scale online password guessing attacks. IEEE Transactions in Secure and Dependable Computing, 9(1), 128-141. [Full text available in the IEEE Computer Science Digital Library database.]
Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.

Bryan-Low, C. (2012, January 23). Hackers-for-hire are easy to find. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052970203471004577145140543496380.html
Sitting in his Los Angeles home, Kuwaiti billionaire Bassam Alghanim received an alarming call from a business associate: Hundreds of his personal emails were posted online for anyone to see.  Mr. Alghanim checked and found it to be true, according to a person familiar with the matter. The emails included information on his personal finances, legal affairs, even his pharmacy bills, this person said.  That led to another surprise. Mr. Alghanim discovered the person who had allegedly commissioned the hackers was his own brother, with whom he is fighting over how to divide up billions of dollars of joint assets. Mr. Alghanim's lawyers allege in court filings that the brother hired investigators to illegally access his email with the help of Chinese hackers. Cost to hire the hackers: about $400.

Cappelli, D., Moore, A. P., & Trzeciak, R. F. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Boston, MA: Addison-Wesley Professional. [E-book available in the Safari Books Online database.]
This book ... conveys the big picture of the insider threat problem over time: the complex interactions and unintended consequences of existing policies, practices, technology, insider mindsets, and organizational culture. Most important, it offers actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81. [Full text available in the ACM Digital Library database.]
On the surface, phishing attacks may seem to be a variant of spam. However, such attacks can lead to damaging losses in terms of identity theft, sensitive intellectual property and customer information, and national-security secrets. Phishing attacks are also increasingly pervasive and sophisticated. Phishing has spread beyond email to include VOIP, SMS, instant messaging, social networking sites, and even massively multiplayer games. Criminals have also shifted from sending mass-email messages, hoping to trick anyone, to more selective “spearphishing” attacks that use relevant contextual information to trick specific victims.


IT security budgets are expected to rise this year. (2012, January 25). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23474/it-security-budgets-are-expected-to-increase-this-year/
More than half of organizations expect to increase their information security spending in 2012, some by 8% or more, according to a survey by the Enterprise Strategy Group (ESG). In addition, information security initiatives were identified by IT professionals as one of the top five IT priorities for 2012.  ESG also found that 35% of organizations plan to hire additional security staff; 23% of organizations believe that there is a “problematic shortage” of security skills in their organization.

King, C. (2012, January). Spotlight on: Malicious insiders and organized crime activity (CMU/SEI-2012-TN-001). Retrieved from http://www.sei.cmu.edu/library/abstracts/reports/12tn001.cfm?WT.DCSext.abstract
The focus of this report is on current or former employees, contractors, or business partners who were affiliated with, or are considered to be part of, organized crime. The case material came from a mixture of court documents, Department of Justice press releases, interviews, and media reports. This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why. This report concludes with a summary of the relevant details of the highlighted cases and offers recommendations that could potentially mitigate the risk of similar occurrences.

NQ Mobile / National Cybersecurity Alliance. Report on consumer behaviors and perceptions of mobile security. Retrieved from http://docs.nq.com/NQ_Mobile_Security_Survey_Jan2012.pdf
From a related Infosecurity article: "The report, conducted independently, surveys 1,158 American smartphone users and provides a thorough and sometimes surprising insight into consumers’ attitudes toward and understanding of mobile security. It highlights, for example, that business really should be concerned about the security implications of evolving consumerization (or ‘bring your own device’) in the workplace."

Perlroth, N. (2012, January 22). Flaws in videoconferencing may open up board room to hackers. New York Times. [Full text available in the New York Times database.]
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.  With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

Rockwell, M. (2012, January 23).  LANL says researchers have developed rock-solid quantum cryptography for handheld device. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25496
Researchers at the Los Alamos Nuclear Laboratory have developed a miniature transmitter that can bring strong security to handheld devices like tablet computers or smart phones and could replace a range of security systems, including those at border crossings.  The laboratory said on Jan. 20 that it had developed a miniature transmitter that communicates with a trusted authority to generate random cryptographic keys to encode and decode information. Researchers at the lab said the technology was “an impenetrable line of defense” called the QKarD (Quantum Smart Card) that loads quantum cryptography onto a smart card or smart phone.

Zetter, K. (2012, January 24). 10K reasons to worry about critical infrastructure. Wired. Retrieved from http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.  Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems  . . . are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.  But Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.

Zuo, Y. (2012). Survivability experiment and attack characteristics for RFID. IEEE Transactions in Secure and Dependable Computing, 9(2), 289-302. [Full text available in the IEEE Computer Science Digital Library database.]
Radio Frequency Identification (RFID) has been developed as an important technique for many high security and high integrity settings. In this paper, we study survivability issues for RFID. We first present an RFID survivability experiment to define a foundation to measure the degree of survivability of an RFID system under varying attacks. Then we model a series of malicious scenarios using stochastic process algebras and study the different effects of those attacks on the ability of the RFID system to provide critical services even when parts of the system have been damaged. Our simulation model relates its statistic to the attack strategies and security recovery. The model helps system designers and security specialists to identify the most devastating attacks given the attacker's capacities and the system's recovery abilities. The goal is to improve the system survivability given possible attacks. Our model is the first of its kind to formally represent and simulate attacks on RFID systems and to quantitatively measure the degree of survivability of an RFID system under those attacks.

Friday, January 20, 2012

January 20, 2012

National Cybersecurity

Rockwell, M. (2012, January 17). DHS cyber security operations see leadership changes. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25449
The Department of Homeland Security’s cyber security organization saw the retirement of one of its leaders on Jan. 13, but also the appointment of a new director on the same day.  In a blog post, DHS Deputy Secretary Jane Holl Lute thanked Rear Admiral Mike Brown for his service as the deputy assistant secretary for cyber security and communications. In a following post, Deputy Under Secretary for Cybersecurity Mark Weatherford said John Streufert was appointed as the new director of the cybersecurity and communications (CS&C)’s national cybersecurity division.

Strohm, C., & Lerman, D. (2011, January 15). Pentagon interest in cybersecurity may ease contractors' pain from cuts. Washington Post. Retrieved from http://www.washingtonpost.com/business/economy/pentagon-interest-in-cybersecurity-may-ease-contractors-pain-from-cuts/2012/01/12/gIQAFbPe1P_story.html
Plans by the Pentagon to invest more in cybersecurity and space-based capabilities may ease the blow for defense contractors such as Northrop Grumman and Lockheed Martin that are facing cuts in other programs. The Defense Department intends to beef up spending on computer network protections and satellite intelligence systems while targeting troops for cuts under a global strategy released last week. Funding levels, which were not specified, will be detailed in next month’s federal budget proposal.

Global Cybersecurity & broadly applicable items

Bahadur, G., Inasi, J., & Carvalho, A. (2012). Securing the clicks: Network security in the age of social media. New York, NY: McGraw-Hill / Osborne. [E-book available via the Books 24x7 database.]
Explaining the latest threats along with detailed fixes, best practices, and "from the headlines" case studies, this comprehensive guide will show you how to analyze risk, implement robust security protocols, and enforce social media usage policies.

Garber, L. (2012, January). The challenges of securing the virtualized environment. Computer, 45(1), 17-20. doi:10.1109/MC.2012.27 [Full text available in the IEEE Computer Science Digital Library database.]
As virtualization has become more popular, concern over the technology's security has grown. Traditional security techniques often don't work well with virtualization, so vendors are trying different approaches.

Johnson, C. (2012). CyberSafety: Cybersecurity and safety-critical software engineering. Paper to be presented at the 20th Safety-Critical Systems Symposium, Bristol, England. Retrieved from http://goo.gl/pra1x
A range of common software components are gradually being integrated into the infrastructures that support safety critical systems. These include network management tools, operating systems especially Linux, Voice Over IP (VOIP) communications technologies, and satellite based augmentation systems for navigation/timing data etc. The increasing use of these common components creates concerns that bugs might affect multiple systems across many different safety related industries. It also raises significant security concerns. Malware has been detected in power distribution, healthcare, military and transportation infrastructures. Most previous attacks do not seem to have deliberately targeted critical applications. However, there is no room for complacency in the face of increasing vulnerability to cyber attacks on safety-related systems. This paper illustrates the threat to air traffic management infrastructures and goes on to present a roadmap to increase our resilience to future CyberSafety attacks. Some components of this proposal are familiar concepts from Security Management Systems (SecMS), including a focus on incident reporting and the need for improved risk assessment tools. Other components of the roadmap focus on structural and organizational problems that have limited the effectiveness of existing SecMS; in particular there is a need to raise awareness amongst regulators and senior management who often lack the technical and engineering background to understand the nature of the threats to safety-critical software.

Mobile devices in the workplace cause more security breaches, say firms. (2012, January 20). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23350/mobile-devices-in-the-workplace-cause-more-security-breaches-say-firms/
Close to three-quarters of businesses believe mobile devices have caused an increase in security incidents, according to a survey sponsored by IT security firm Check Point Software Technologies. The 750 IT and security professionals surveyed by Dimensional Research on behalf of Check Point cited significant security concerns about the loss of sensitive information stored on employee mobile devices, including corporate email (79%), customer data (47%) and network login credentials (38%).

Ning, H., & Liu, H. (2012). Cyber-physical-social based security architecture for future internet of things. Advances in Internet of Things, 2, 1-7. doi:10.4236/ait.2012.21001 [Full text.]
As the Internet of Things (IoT) is emerging as an attractive paradigm, a typical IoT architecture that U2IoT (Unit IoT and Ubiquitous IoT) model has been presented for the future IoT. Based on the U2IoT model, this paper proposes a cyber-physical-social based security architecture (IPM) to deal with Information, Physical, and Management security perspectives, and presents how the architectural abstractions support U2IoT model. In particular, 1) an information security model is established to describe the mapping relations among U2IoT, security layer, and security requirement, in which social layer and additional intelligence and compatibility properties are infused into IPM; 2) physical security referring to the external context and inherent infrastructure are inspired by artificial immune algorithms; 3) recommended security strategies are suggested for social management control. The proposed IPM combining the cyber world, physical world and human social provides constructive proposal towards the future IoT security and privacy protection.

Pingree, L., & McDonald, N. (2012, January 18). Best practices for mitigating advanced persistent threats. [Full text available in the Gartner database.]
Many security practitioners see the term "advanced persistent threat" (APT) as primarily a marketing term and do not acknowledge that there are advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems. Organizations face an evolving threat scenario that they are ill-prepared to deal with. They must respond to these threats with the proper techniques and technologies. This research will enable security practitioners to understand the new threats they face and the best-practice steps they must take in order to reduce the risk of compromise against the advanced adversaries taking direct aim at their organizations.

Sridhar, S., Govindarasu, M., & Liu, C. (2012). Risk analysis of coordinated cyber attacks on power grid. Power Electronics and Power Systems, 3(3), 275-294. doi:10.1007/978-1-4614-1605-0_14 [Full text can be requested via UMUC DocumentExpress.]
The supervisory control and data acquisition (SCADA) network provides adversaries with an opportunity to perform coordinated cyber attacks on power system equipment as it presents an increased attack surface. Coordinated attacks, when smartly structured, can not only have severe physical impacts, but can also potentially nullify the effect of system redundancy and other defense mechanisms. This chapter proposes a vulnerability assessment framework to quantify risk due to intelligent coordinated attacks, where risk is defined as the product of probability of successful cyber intrusion and resulting power system impact. The cyber network is modeled using Stochastic Petri Nets and the steady-state probability of successful intrusion into a substation is obtained using this. The model employs a SCADA network with firewalls and password protection schemes. The impact on the power system is estimated by load unserved after a successful attack. The New England 39-bus system is used as a test model to run Optimal Power Flow (OPF) simulations to determine load unserved. We conduct experiments creating coordinated attacks from our attack template on the test system and evaluate the risk for every case. Our attack cases include combinations of generation units and transmission lines that form coordinated attack pairs. Our integrated risk evaluation studies provide a methodology to assess risk from different cyber network configurations and substation capabilities. Our studies identify scenarios, where generation capacity, cyber vulnerability, and the topology of the grid together could be used by attackers to cause significant power system impact.  

Zetter, K. (2012, January 19). Hoping to teach a lesson, researchers release exploits for critical infrastructure software. Wired. Retrieved from http://www.wired.com/threatlevel/2012/01/scada-exploits/#more-36404
A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline. The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.



Thursday, January 12, 2012

January 13, 2012

National Cybersecurity

Nakashima, E. (2012, January 12). Cyber defense effort is mixed, study finds. Washington Post. Retrieved from http://www.washingtonpost.com/world/national-security/cyber-defense-effort-is-mixed-study-finds/2012/01/11/gIQAAu0YtP_story.html
A Pentagon pilot program that uses classified National Security Agency data to protect the computer networks of defense contractors has had some success but also has failed to meet some expectations, according to a study commissioned by the Defense Department.

Perlroth, N. (2012, January 12). Malicious software attacks security cards used by Pentagon. New York Times. Retrieved from http://bits.blogs.nytimes.com/2012/01/12/malicious-software-attacks-security-cards-used-by-pentagon/
Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say.  Researchers at AlienVault, a Campbell, Calif., security company, said on Thursday that they had uncovered a new variant of some malicious software called Sykipot that targets smart cards used by government employees to access restricted servers and networks. Traces of Sykipot malware have been found in cyberattacks dating back to 2006, but AlienVault’s researchers say this is the first time Sykipot has compromised smart cards.

Sternstein, A. (2012, January 3). Cyber spies try probing U.S. drone plans. Nextgov. Retrieved from http://www.nextgov.com/nextgov/ng_20120103_5731.php
China-based hackers for months have been targeting federal agencies and contractors through infected emails apparently to spy on the Pentagon's drone strategy and other intelligence matters, according to Internet security researchers. The reported espionage employed a tactic known as spear-phishing where infiltrators, operating under the guise of a legitimate sender, email specific victims a virus-laden file or link. In this case, the hackers used email addresses from military and other government organizations, Jaime Blasco, manager of AlienVault Labs, said Tuesday.

United States. Government Accountability Office. (2011, December). Critical infrastructure protection: Cybersecurity guidance is available, but more can be done to promote its use (GAO-12-82). Retrieved from http://www.gao.gov/products/GAO-12-92
Reviews currently available guidance and makes recommendations for improving ease of application. [Related article from Infosecurity.]

Global Cybersecurity & broadly applicable items

Carr, J. (2011). Inside cyber warfare (2nd ed.). Sebastopol, CA: O'Reilly Media. [E-book available in the Safari Books Online database.]
Inside Cyber Warfare provides fascinating and disturbing details on how nations, groups, and individuals throughout the world use the Internet as an attack platform to gain military, political, and economic advantages over their adversaries. The second edition goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet. It also includes a Foreword by Secretary Michael Chertoff and a guest essay by Melissa Hathaway, among others.

Economist Intelligence Unit. (2012). Cyber power index: Measuring the drivers of cyber power across the G20 countries [online tool]. Retrieved from http://www.cyberhub.com/CyberPowerIndex
The purpose of the Cyber Power Index is to benchmark the ability of the G20 countries to withstand cyber attacks and to deploy the digital infrastructure needed for a productive economy. In doing so, the index measures both the success of digital uptake and the degree to which the economic and regulatory environment promotes national cyber power.  The index is developed as an interactive quantitative and qualitative scoring model constructed from the following four categories:
  • Legal and Regulatory Framework
  • Economic and Social Context
  • Technology Infrastructure
  • Industry Application
[Related article from Military Technology News.]

Malicious URLs being disguised by QR codes. (2012, January 12). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23182/malicious-urls-being-disguised-by-qr-codes/
QR codes, a square pattern of black dots on a white background, are a form of barcode originally developed to track automotive parts during manufacture. Their fast readability, versatility and storage capacity have made them popular in many areas, and not least within mobile phones. “In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes,” says Websense researcher Elad Sharf. “The advantage QR codes have over bit.ly is that it is a fast growing and marketing technology that currently has an inherent level of trust and novelty for consumers.”

Nye, J. S., Jr. (2011, Winter).  Nuclear lessons for cybersecurity? Strategic Studies Quarterly, 5(4), 18-38. Retrieved from http://www.au.af.mil/au/ssq/2011/winter/nye.pdf
After a short overview of the problem of cyber security . . .  I will suggest several general lessons and then discuss a number of international lessons that can be learned from the nuclear experience. While the two technologies are vastly different, as I will argue below, there are nonetheless useful comparisons one can make of the ways in which governments learn to respond to technological revolutions.

Ren, K., Wang, C., & Wang, Q. (2011, January-February). Security challenges for the public cloud. IEEE Internet Computing, 16(1), 69-73. [Full text available in the IEEE Computer Science Digital Library database.]
Cloud computing represents today's most exciting computing paradigm shift in information technology. However, security and privacy are perceived as primary obstacles to its wide adoption. Here, the authors outline several critical security challenges and motivate further investigation of security solutions for a trustworthy public cloud environment.

Song, D., Shi, E., Fischer, I., & Shankar, U. (2012, January). Cloud data protection for the masses. Computer, 45(1), 39-45. [Full text available in the IEEE Computer Science Digital Library database.]
Offering strong data protection to cloud users while enabling rich applications is a challenging task. Researchers explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance.

Thursday, January 5, 2012

January 6, 2012

National Cybersecurity

Most users have not installed security software on their smartphones, survey finds. (2012, January 5). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23002/most-users-have-not-installed-security-software-on-their-smartphones-survey-finds/
Nearly three-quarters of Americans have never installed data protection applications or security software on their smartphones to protect against data loss or malware, according to a survey sponsored by the National Cyber Security Alliance (NCSA) and McAfee. In addition, 70% of smartphone owners surveyed said they feel their device is safe from hackers, malware, and other types of cybercrime, according to a survey of 2,337 US adults conducted by Zogby International for NCSA and McAfee.

Norton, Q. (2011, December 26). Antisec hits private intel firm; millions of documents allegedly lifted. Wired. Retrieved from http://www.wired.com/threatlevel/2011/12/antisec-hits-private-intel-firm-million-of-docs-allegedly-lifted/
The Antisec wing of Anonymous revealed on Saturday that it had compromised the servers of the private intelligence firm Strategic Forecasting Inc. — allegedly seizing millions of internal documents and thousands of credit card numbers from the company, more commonly known as Stratfor.  That would be a major breach of private information from any firm. But this hack could prove particularly significant, because Stratfor serves as an information-gathering resource and open source intelligence analysis for both the U.S. military and for major corporations. [Related article from the New York Times.]

Rockwell, M. (2012, January 6). Energy Department launches cyber protection initiative for electrical grid. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25378
U.S. Energy Secretary Steven Chu unveiled an initiative on Jan. 5 to further protect the electrical grid from cyber attacks, dubbed the “Electric Sector Cyber security Risk Management Maturity” project.  The White House initiative, said Chu in a statement, is led by the Department of Energy (DOE) in partnership with the Department of Homeland Security (DHS) and will leverage private industry and public sector experts to build on existing cyber security measures and strategies to construct a more comprehensive and consistent approach to protecting the nation’s energy delivery system.

Enterprise Cybersecurity

Jackson, S., Gold, S., & Vael, M. (2011, December 13). How to protect your organization from multi-vectored threats [recorded webinar].  Retrieved from http://www.infosecurity-magazine.com/webinar/279/how-to-protect-your-organisation-from-multivectored-threats/
Multi-layered IT security used to be the optimum method of raising the bar on your IT security defences, but the advent of multi-vectored threats, phishing and all manner of cyber-criminality means that a consolidated approach is now the best option – especially now that the latest appliances can be controlled from a single dashboard. But what makes an effective strategy on consolidated security? And what is the best planning approach? Join us for an informative 60-minute webinar in which our panel of experts will explain the best strategies for selecting and deploying the latest appliance technologies, as well as how to augment existing systems on an evolutionary – rather than revolutionary – approach.

Global Cybersecurity & broadly applicable items

European Network and Information Security Agency. (2011, November). Analysis of cybersecurity aspects in the maritime sector. Retrieved from http://www.enisa.europa.eu/media/press-releases/first-eu-report-on-maritime-cyber-security
The maritime sector is critical for the European society. Recent statistics show that within Europe, 52% of the goods traffic in 2010 was carried by maritime transport, while only one decade ago this was only 45%. This continuous increase in dependency upon the maritime transport underlines its vital importance to our society and economy. As it can be observed in other economic sectors, maritime activity increasingly relies on Information Communication and Technology (ICT) in order to optimize its operations. ICT is increasingly used to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc.   These last years have also shown that cyber threats are a growing menace, spreading in all industry sectors that progressively rely on ICT systems.

European Network and Information Security Agency. (2011, December 19). Economics of security: Facing the challenges. Retrieved from http://www.enisa.europa.eu/act/rm/files/EoS%20Final%20report
This ENISA report is part of the work conducted within the ENISA Work Programme 2011. Within this effort, ENISA has analysed economic drivers and barriers in a number of areas (including policy, research, technology and business) and has identified potential areas of improvement to boost security and resilience in public systems and networks and consequently to relevant products and services by taking into account the economic dimension. This effort contributes to the identification of topics in the area of Economics of Security in line with the efforts for boosting Europe’s economic performance and introduction of measures to reinforce the benefits of the single market as announced in the Digital Agenda for Europe.

Kaspersky Lab. (2011, October-December). The mystery of Duqu (1, 2, 3, 4, 5, 6, 7). Retrieved from https://www.securelist.com
Detailed analysis of the Duqu trojan. The authors conclude that Duqu and Stuxnet were created by the same developer. [Related article from Infosecurity.]

McAfee Labs. (2011, December 28). 2012 threat predictions. Retrieved from http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2012.pdf
Predicting future threats can be a hit-or-miss exercise for a security research organization. Certainly it is interesting to put on our wizard hats and prognosticate about what may happen in the coming months, but how much do threats really change each year? The past 12 months were a transformative year in many ways, but were these transformations revolutionary or evolutionary? We saw great changes in mobile threats, hacktivism, client-side exploitation, social-media exploitation, and targeted attacks. Many of these changes and trends will continue to influence the threats landscape for years to come.

Nordell, D. E. (2012, February). Terms of protection: The many faces of smart grid security. IEEE Power and Energy Magazine, 10(1), 18-23. Retrieved from http://magazine.ieee-pes.org/files/2011/12/10mpe01-nordell.pdf
A critical consideration in the development of smarter electrical grids is to ensure best security practices. Few terms in the smart grid vocabulary, however, are as overworked and overloaded (i.e., assigned multiple definitions) as the word security. Such definitions range all the way from ensuring reliability—keeping the lights on—to protecting the confidentiality of customer information. This article will attempt to explore these multiple definitions and find some common thread that can help ensure the success of the pursuit of a smarter electrical grid while maintaining security—in all of its various meanings.

O'Brien, K. J. (2011, December 25). Lax security exposes voice mail to hacking. New York Times. Retrieved from http://www.nytimes.com/2011/12/26/technology/26iht-hack26.html
It may be tempting to view the illegal interception of telephone voice mails, a practice that has roiled Britain and the News Corp. media empire of Rupert Murdoch, as an arcane tool employed by scofflaw journalists with friends in Scotland Yard. But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked — or worse — because of outdated mobile network security.

Saurabh, A. (2011). On cyber security for networked control systems (Doctoral dissertation). University of California, Berkeley, CA. [Full text available in the Dissertations and Theses database.]
The instrumentation of infrastructure systems by embedded sensors, computation, and communication networks has enabled significant advances in their management. Examples include monitoring of structural health, traffic congestion, environmental hazards, and energy usage. The use of homogeneous (especially, commercially available off-the-shelf) information technology (IT) solutions makes infrastructure systems subject to correlated hardware malfunctions and software bugs. Over the past decade, many concerns have been raised about the vulnerabilities of infrastructure systems to both random failures and security attacks. Cyber-security of Supervisory Control and Data Acquisition (SCADA) systems is especially important, because these systems are employed for sensing and control of large physical infrastructures. So far, the existing research in robust and fault-tolerant control does not account for cyber attacks on networked control system (NCS) components. Also, the existing research in computer security neither considers the attacks targeting NCS components nor accounts for their interactions with the physical system. The goal of this thesis is to bridge this gap by focusing on (1) security threat assessment, (2) model-based attack diagnosis, and (3) resilient control design.

Seo, H., & Choy, Y. (201 ). Criteria for comparing cyberwarfare ability. Lecture Notes in Electrical Engineering, 120, 111-120. Retrieved from http://goo.gl/FijPL
We are in cyber war age. New research tries [sic] are done in the area of concept, weapons, capability, and so on for cyber war. Most nations want to know the capability and vulnerable areas for preparing cyber war. In order to get this object, we selected criteria items for comparing nations’ cyberwar capability. A few pilot nations’ capability information was gathered through open information according to the proposed criteria. The more exact interpretation and understanding for each nation’s capability including vulnerable area can be caught with the proposed criteria.

Stewart-Smith, H. (2012, January 4). Japan develops virus to counter cyber-attacks: But can it be used? ZDNet. Retrieved from http://www.zdnet.com/blog/asia/japan-develops-virus-to-counter-cyber-attacks-but-can-it-be-used/635
The Japanese Ministry of Defense has revealed its latest project to tackle hacking: a ‘seek and destroy’ virus designed to track and disable the source of cyber-attacks. The project, launched in 2008, cost $2.3 million over three years. Several companies competed for the contract, but Fujitsu was eventually commissioned to develop the new ‘cyberweapon’. The virus has already undergone testing in a closed network environment. ... Unfortunately, Japan’s Ministry of Defense still has several hurdles to jump before this project can be utilised.