Friday, March 9, 2012

March 8, 2012

National Cybersecurity

Heat wave: US administration tries to 'simulate' support for Senate cybersecurity bill. (2012, March 8). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24411/heat-wave-us-administration-tries-to-simulate-support-for-senate-cybersecurity-bill/

The Obama administration on Wednesday simulated a cyber attack on the New York City power grid during a summer heat wave in an effort to convince US senators to pass comprehensive cybersecurity legislation. The Justice Department, the FBI, the National Security Agency, and the Department of Homeland Security (DHS) conducted the simulation during a briefing with senators hosted by Sen. Jay Rockefeller (D-W.Va.), one of the sponsors of the administration-backed Cybersecurity Act introduced last month.
The demonstration was “intended to provide all senators with an appreciation for new legislative authorities that could help the U.S. government prevent and more quickly respond to cyber attacks”, Caitlin Hayden, a White House spokeswoman, told Bloomberg in an e-mail.

Krekel, B., Adams, P., & Bakos, J. (2012, March 7). Occupying the information high ground: Chinese capabilities for computer network operations and cyber espionage. Retrieved from http://goo.gl/fL9xo 

The present study is intended to be a detailed follow up and expansion upon a 2009 assessment prepared for the U.S.-China Economic and Security Review Commission of China’s evolving computer network operations capabilities and network intrusion incidents attributed to China. Concern in the United States over alleged Chinese penetrations of both commercial and government networks has only intensified in the past two years as successive incidents have come to light in the media and more organizations voluntarily come forward. The Commission requested a study that both reviewed developments since the 2009 study was completed and examined new issues related to cybersecurity, China, and potential risks to U.S. interests.

Norton, Q. (2012, March 7). Anonymous rocked by news that top hacker snitched to feds. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/anonymous-sabu-reaction/

On the heels of 25 arrests of Spanish-speaking anons last week, Anonymous was rocked Tuesday by the news that Hector Xavier Monsegur, the legal name of the prominent Antisec hacker known as Sabu, has been cooperating with the FBI to hunt down other anon hackers from Lulzsec and Antisec.

The chatter on the anon IRC servers and anon-associated Twitter accounts ranged Tuesday from denial about Sabu’s involvement to outrage and hatred for Monsegur. One who worked with Sabu as part of Antisec, the militant and pranksterish arm of Anonymous, described themselves as “emotionally devastated” and “shocked” by the news. [More from the New York Times.]

Shackelford, S. J. (2012). In search of cyber peace: A response to the Cybersecurity Act of 2012. Stanford Law Review, 64(2), 106-111. Retrieved from http://www.stanfordlawreview.org/sites/default/files/online/articles/64-SLRO-106.pdf

The Cybersecurity Act of 2012, which was recently introduced in the Senate Homeland Security and Governmental Affairs Committee, is the latest legislative attempt to enhance the nation’s cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set “cybersecurity performance requirements” for firms operating what DHS deems to be “critical infrastructure,” and create “exchanges” to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally, the bill misconstrues the scale and complexity of the evolving cyber threat by defining critical infrastructure too narrowly and relying too much on voluntary incentives and risk mitigation strategies. The Act might improve on the status quo, but it will not foster genuine and lasting cybersecurity. Still, it is preferable to the softer alternative, the SECURE IT Act proposed by senior Republicans.


Enterprise Cybersecurity

Herold, R. (2011). Managing an information security and privacy awareness and training program (2nd ed.). Boca Raton, FL: Auerbach Publications. [Full text available in Books 24x7 database.]

Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies.

McAfee. (2012, March). State of security 2012. Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf

To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012.


Global Cybersecurity & broadly applicable items

Arquilla, J. (2012, March-April). Cyberwar is already upon us. Foreign Policy. Retrieved from http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us?page=full

In the nearly 20 years since David Ronfeldt and I introduced our concept of cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

Chrome browser cracked in two hacker contests. Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24421/chrome-browser-cracked-in-two-hacker-contests/

Google’s Chrome browser was compromised twice this week, once in a Google-sponsored contest and the second time in the Pwn2Own hacker contest at CanSecWest. Researcher Sergey Glazunov hacked the Chrome browser using two vulnerabilities, earning $60,000 out of the $1 million possible purse in the Google-sponsored Pwnium contest.

European Network and Information Security Agency. (2012, February 29). Cyber Atlantic 2011: Evaluation report. Retrieved from http://www.enisa.europa.eu/activities/res/ca2011/ca2011-report

Following an EU–US commitment to foster greater efforts and cooperation on cyber security at the EU–US Lisbon summit in November 2010, the first joint cyber security exercise between the EU and US was delivered on 3 November 2011 in Brussels, supported by the European Network and Information Security Agency (ENISA) and the US Department of Homeland Security. The day-long table-top exercise, Cyber Atlantic 2011, drew involvement from more than 20 EU Member States, 16 of which were engaged in active participation together with the US. This report summarises the main observations, findings and recommendations from Cyber Atlantic 2011.

Fisher, D. A. (2012, March). Principles of trust for embedded systems (CMU/SEI-2012-TN-007). Retrieved from http://www.sei.cmu.edu/reports/12tn007.pdf

The development of trusted systems is a long-standing, elusive, and ill-defined objective in many domains. This paper gives substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems and to embedded systems in particular. Principles of trust are identified. Some of their implications for software engineering practice and for the design of hardware-based trusted computing platforms are also discussed.

Goodwin, J. (2012, March 6). Experts at RSA 2012 see cyber security at a major crossroads. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25766

Amid the buoyancy and hoopla so evident at the mammoth RSA cyber security conference in San Francisco last month was the nagging sense that governments and commercial enterprises in the U.S. are losing the cyber war being conducted so relentlessly by their Web-based adversaries.


Jianping, L., Mingu, L., Densheng, W., & Song, H. (2012). An integrated risk measurement and optimization model for trustworthy software process management. Information Sciences, 191, 47-60. doi:10.1016/j.ins.2011.09.040 [Full text available in ScienceDirect database.]

The growing demand for higher trustworthiness of software poses an unprecedented challenge to the software industry. Risk management is an important part of high-quality software development processes. However, under the constraints of project cost and duration, it is very difficult to establish the budget for risk management. The goal of this paper is to integrate efficient risk management into the software process itself. We propose a software process model with risk management and cost control modules to help improve software process risk management. Furthermore, based on this process model, a measurement model that includes process risk and software trustworthiness metrics is presented. Through risk management effectiveness calculation methods and risk transfer assumptions, a software process risk optimization model is proposed. This model can be used to derive an optimized risk management scheme for the process of trustworthy software development, under constraints of process cost and duration. Simulation cases are then analyzed with this model framework. The results show that risk management is critical to enhancing trustworthiness, but that it is an effective complement to, rather than the most fundamental process for, enhancing the trustworthiness of software. Software developers should adopt appropriate and optimal strategies for risk management inputs, especially in lower CMMI level companies.

Kaspersky Lab. (2012, March 7). Kaspersky Lab experts discover unknown programming language in the Duqu trojan; appeal to programming community for support in analysis. Retrieved from http://goo.gl/rQPUy

The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL. After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”

Unlike the rest of Duqu, the Duqu Framework is not written in C++ and is not compiled with Microsoft's Visual C++ 2008. It is possible that its authors used an in-house framework to generate intermediary C code, or that they used another, completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications. [More from Wired and Infosecurity.]

Lewis, J. A. (2012, March 7). Significant cyber events since 2006. Retrieved from http://csis.org/files/publication/120307_Significant_Cyber_Incidents_Since_2006.pdf

This list is a work in progress that we update as new incidents come to light. If you have suggestions for additions, send them to techpolicy@csis.org. Significance is in the eye of the beholder, but we focus on successful attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.

Schmidt, A. (2012). At the boundaries of peer production: The organization of Internet security production in the cases of Estonia 2007 and Conficker. Telecommunications Policy [in press]. doi: 10.1016/j.telpol.2012.02.001 [Full text available in ScienceDirect database.]

With the emergence of Internet-based communication and collaboration, new forms of production have surfaced that are based on openness and non-proprietary resources. The paper analyses the role of open source and peer production elements in the response to the attacks on Estonian Internet services in 2007 and the Conficker botnet in 2008/2009. While neither case can be classified as purely peer-produced security, the two cases of incident response examined here do show some of the characteristics of peer production. By applying certain institutional techniques, the communities balance their need for secrecy with their need to widely share information. The paper concludes with an explanatory model for the observed results. For appropriate policy outcomes, it suggests greater consideration of the role of social production by researchers and designers of the organisation of Internet security.

Wang, S., Hong, L., & Chen, X. (2012). Vulnerability analysis of interdependent infrastructure systems: A methodological framework. Physica A: Statistical Mechanics and its Applications, 391(11), 3323-3335. doi: 10.1016/j.physa.2011.12.043 [Full text available in ScienceDirect database.]

Infrastructure systems such as power and water supplies make up the cornerstone of modern society, and are essential for the functioning of a society and its economy. They become more and more interconnected and interdependent as technology and the economy develop. Risk and vulnerability analysis of interdependent infrastructures for security considerations has become an important subject, and some achievements have been made in this area. Since different infrastructure systems have different structural and functional properties, there is no universal all-encompassing ‘silver bullet solution’ to the problem of analyzing the vulnerability associated with interdependent infrastructure systems, so a framework of analysis is required. This paper takes the power and water systems of a major city in China as an example and develops a framework for the analysis of the vulnerability of interdependent infrastructure systems. Four interface design strategies based on distance, betweenness, degree, and clustering coefficient are constructed. Then two types of vulnerability (long-term vulnerability and focused vulnerability) are illustrated and analyzed. Finally, a method for ranking critical components in interdependent infrastructures is given for protection purposes. It is concluded that the framework proposed here is useful for vulnerability analysis of interdependent systems and will help system owners make better decisions on infrastructure design and protection.

Zetter, K. (2012, March 6). Hackers vie for more than $1 million to take down browsers. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/pwn2own/

As alleged hackers from LulzSec and Anonymous contemplate the possibility of a life behind bars, other hackers are limbering up in Canada this week to vie for more than $1 million in prize money for their hacking prowess. The annual Pwn2Own contest at the CanSecWest security conference is in its sixth year and aims to improve the security of the internet by challenging researchers to find zero-day vulnerabilities and develop exploits to attack them, while disclosing the findings to vendors to allow the companies to patch their products before the vulnerabilities can be exploited in the wild. The contest provides the makers of browser software and other applications with valuable information about security flaws in their products, without having to spend the time and resources to uncover the vulnerabilities themselves.