National Cybersecurity
Ballenstedt, B. (2012, February 15). Agencies struggle to hire cyber professionals. NextGov. Retrieved from http://wiredworkplace.nextgov.com/2012/02/agencies_struggle_in_hiring_cyber_pros.php
The federal government is doing a great job retaining cybersecurity professionals once they're in federal jobs. The challenge for most agencies is finding and hiring qualified candidates, a new survey suggests. According to the 2012 Career Impact Survey, released Tuesday by (ISC)2, federal cybersecurity professionals are experiencing nearly full employment as well as career advancement opportunities and salary increases in 2011. The survey of 545 federal cybersecurity pros found that 97 percent are currently employed, and only 8 percent were unemployed at any point in 2011. Cybersecurity pros also are seeing pay raises, with 62 percent receiving a salary increase in 2011 and 48 percent expecting one in 2012. Eleven percent of respondents said they received salary increases of 10 percent or higher last year.
Global Cybersecurity & broadly applicable items
Alberts, C. J., Allen, J. H., & Stoddard, R. W. (2012, February). Risk-based measurement and analysis: Application to software security (Technical Note 2012-TN-004). Retrieved from http://www.sei.cmu.edu/reports/12tn004.pdf
For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization's software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.
Anonymous mischief continues: Stock exchanges face DDoS attacks. (2012, February 16). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23961/anonymous-mischief-continues-us-stock-exchanges-face-ddos-attacks/
The hacktivist group Anonymous launched distributed denial of service (DDoS) attacks on a number of major stock exchanges this week, continuing its reign of information security mischief. The DDoS attacks intermittently took offline the websites of Nasdaq and the BATS Stock Exchanges earlier this week, although none of the exchanges’ trading systems were affected, according to a Reuters report. The Chicago Board Options Exchange website was also taken offline, an exchange spokesperson told Threatpost.
Antunes, N., & Vieira, M. (2012). The devils behind web application vulnerabilities. Computer (preprint). doi:http://doi.ieeecomputersociety.org/10.1109/MC.2011.259 [Full text available in the IEEE Computer Science Digital Library database.]
Web applications are frequently deployed with critical security bugs that can be maliciously exploited. Avoiding such vulnerabilities depends on the best practices and tools applied during the implementation, testing and deployment phases of the software development cycle. However, those practices are often disregarded, as developers are frequently not security specialists and face tight time-to-deploy constraints. Furthermore, the poor efficiency of existing automatic vulnerability detection and mitigation tools opens the door to the deployment of insecure web applications. Realizing the full benefits of secure coding and the limitations of existing tools requires rethinking the way we build web applications. This paper [discusses] the devils behind the security of such applications.
Cyberwar between India and Bangladesh escalates. (2012, February 16). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23956/cyberwar-between-india-and-bangladesh-escalates/
Bangladeshi hackers have been hacking Indian sites, and Indian hackers have been hacking Bangladeshi sites. Now it is escalating as each side calls for ‘cyberwar’ against the other. A week ago the Indian Hackers group announced a ‘cyberwar’ against Bangladesh. This was quickly followed by news that a hacker calling himself ‘Silent Hacker’ had defaced 30 Bangladeshi government websites. Bangladeshi groups hit back. A day later, more than 300 Indian sites were attacked. The Bangladesh Cyber Army posted to Pastebin a list of more than 250 sites it claimed to have hacked. Another list of more than 30 Indian government sites claimed to have been ‘downed by the Bangladesh Cyber Army’ was pasted on 11 February. DDoS is the main method of attack.
Gorman, C. (2012, February 14). Chinese hackers suspected in long-term Nortel breach. Wall Street Journal, p. A1. [Full text available in the Wall Street Journal database.]
For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times. Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers -- who appeared to be working in China -- penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.
O'Connor, C. (2012, February 14). The Jester dynamic: A lesson in asymmetric unmanaged cyberwarfare. Retrieved from http://www.sans.org/reading_room/whitepapers/attacking/jester-dynamic-lesson-asymmetric-unmanaged-cyber-warfare_33889
Sophisticated and complex to implement, long-term cyberattacks are often considered the work of intelligence agencies and crime syndicates. However, the oversight and bureaucracy that comes from such management often hinders the ultimate lethality of the attack. In this paper, we will examine the significant impact a lone-wolf patriot hacker has had over the course of the last two years, and what important lessons we can learn from him on how to wage a successful fight in this domain.
Sengupta, S. (2012, February 15). Criminals exploit stolen customer data from Stratfor. New York Times. Retrieved from http://bits.blogs.nytimes.com/2012/02/15/criminals-exploit-stolen-customer-data-from-stratfor
It began as a case of political hacktivism. Late last year, under the banner of the loose collective known as Anonymous, hackers broke into the systems of Stratfor Global Intelligence Service, a company that analyzes geopolitical risks worldwide. They stole the names, e-mail addresses and credit card numbers of thousands of its subscribers and posted them online for all to see. That information apparently became lucre for criminals with commercial goals. Stratfor customers began receiving e-mails from what, at first glance, looked like Stratfor. An attached PDF file came with what looked like Stratfor letterhead. It warned of the risk of “harmful software” and asked the user to download an antivirus program by clicking on an embedded link. As it turns out, the link downloaded a piece of malicious software. It was detected by Microsoft’s Malware Protection Center, which posted about it on its blog this week.
Wightman, R. (2012, February 14). Valentine's day SCADA tools release. Retrieved from http://www.digitalbond.com/2012/02/14/valentines-day-scada-tools-release/
A free suite of tools from researchers at Digital Bond, designed to expose security flaws in industrial control systems.