Tuesday, June 24, 2014

Security skills shortage is real, and it's not going away anytime soon

Companies face a number of short-term challenges, RAND Corp. says

June 20, 2014 04:07 PM ET
Computerworld - There's good news and bad on the cybersecurity skills availability front.
On the positive side, the current shortage of cybersecurity professionals in the U.S will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.
But for the time being, organizations will find it disturbingly difficult to recruit the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.
Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.
"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."
The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.
Demand for security professionals has skyrocketed since 2007 as a result of increased connectivity, raised awareness, a rise in the number of vulnerabilities and an ongoing increase in hacker activity. The sudden and rapid rise in demand has led to substantial increases in pay for security professionals in recent years, but that has done little to attract new people to the field of cybersecurity, RAND said.
"In the longer term," RAND said, "as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries.
Some of the increase in demand for people to fill security jobs may run counter to underlying realities. Because of the heightened attention paid to cyberthreats, it's possible that some companies think, perhaps incorrectly, that they're at greater risk than they were a few years ago and assume that the solution is to hire more security specialists.
As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.
Here are four other takeaways from the report.

Government organizations are hurting the most

The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true when it comes to attracting and retaining top-level security professionals, Libicki said.
Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire people with the skills they need in a supply-constrained labor market. The problem is less acute for lower- to mid-tier IT security pros.
"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the RAND report noted. Though special rates are often available for senior IT specialists, candidates may be discouraged by the public sector's long recruiting process and the delays associated with vetting and security clearance procedures.

Companies can pay all they want and still not find enough people

In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need people with security skills will be hard pressed to find them.
On a positive note, the higher compensation packages offered to security professionals could begin to attract candidates from other technical areas, such as engineering.

Employers should look at alternate approaches

Companies and government agencies should consider adopting more secure IT architectures and best practices to reduce their dependence on people to keep their systems secure. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even 10% of that amount was invested in making software more secure, there would be less of a need for cybersecurity professionals.
"We have a model that basically says 'I accept the world of software as is, and I am going to patch everything at a systemic level,'" he said. That approach is basically unsustainable over the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and it still wouldn't be secure.

Importing talent may not be a good approach

A great deal of cybersecurity work is already internationalized, so recruiting security professionals from other countries may not solve the manpower problem, RAND said. Moreover, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from pursuing careers in cybersecurity. Further complicating the equation is the fact that foreign-born nationals won't be able to get the security clearances required to work at many government organizations.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. His email address is jvijayan@computerworld.com.

Ransomware Is Staking Its Claim As One Of The Major Attack Trends

Recently, InfoSecBuzz posted a blog post dedicated to some of the consequences of social engineering. It’s no secret that social engineers have been using various devious methods to fool people for a long time. In fact, social engineering is advancing with the times and becoming increasingly reliant on the technology that has become an integral part of our lives. Social engineering attacks against mobile devices (i.e. smartphones and tablets) are a perfect example of this.
Social engineering can have a vast range of implications on mobile security (Android and iOS), both in enterprise and personal surroundings. In a series of detailed articles, we present examples of different methods of mobile social engineering attacks and discuss the various implications they’ve had on targeted organizations.
As a start, let’s take a look at ransomware, which is staking its claim as one of the major attack trends. Ransomware is a type of malware that locks the victim out of their device and/or holds data hostage until the attacker receives a ransom fee. Several variations of ransomware exist (whether for mobile or PC), from popups that take over the victim’s screen to more advanced malware that actually encrypts the victim’s data. Both demand payment from victims in order to release the device.
During the month of May, two major ransomware campaigns began spreading:
  • Koler – a strain of malware that targets mobile users viewing pornography on their Android devices. It tries to scare its victims into paying the $300 ransom by claiming the victim has viewed “illegal pornography” and posts a threatening message from a fake law enforcement agency (that cleverly changes depending on the victim’s location).
  • SimplLocker – scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files. The victim receives an alarming message in Russian while their files are being encrypted.
Although both attacks are relatively simple to mitigate and far from the most advanced threat enterprises face, the point is that they work. A significant percentage of mobile users fall for these attacks. Whether it’s ransomware attacks like these or other types of social engineering such as fake apps, malicious ads and rogue Wi-Fi hotspots, they will fool your average user.
For an organization, this means that prevention of social engineering is not 100% possible; there’ll always be that one single employee who accidentally falls for one of the scams. As a result, organizations are left to mitigate the results of a compromised device on their network. Making sure your enterprise is prepared for social engineering attacks is probably the most important thing.
Our CTO, Ohad Bobrov, recently released a series of articles on the different categories of mobile social engineering attacks. The series touches on all the major types of attack, explaining how they work, providing relevant examples of each, and most importantly, how to mitigate them.
The first post in the series can be found here: Social Engineering – Why mobile users are their own worst enemy
I also recommend reading Ohad’s post on how enterprises can mitigate the effects of a social engineering attack in the final post of the series.
Yonni Shelmerdine, Lacoon
Yonni is the lead Mobile Security Trends Analyst at Lacoon. Yonni brings 5 years of experience in Datacom and GSM network security analysis from an elite unit in Israel’s Intelligence Corps. Yonni heads the analysis of mobile attack trends, where he researches new attack vectors and identifies major mobile malware attack patterns. Juggling university, work and football isn’t easy, but Yonni is a master of multi-tasking.

Hacker Tactic: Holding Data Hostage

Hackers Find New Ways to Breach Computer Security

The perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid.
Just days after the F.B.I. and international law enforcement agencies teamed up earlier this month to kill one ransomware program, CryptoLocker, which had infected over 300,000 computers, another pernicious program, Cryptowall, popped up and began spreading rapidly.
In response, more companies are resorting to countermeasures like planting false information on their own servers to mislead data thieves, patrolling online forums to watch for stolen information and creating “honey pot” servers that gather information about intruders. Last year, companies also spent roughly $1.3 billion on insurance to help cover expenses associated with data theft.
Some security experts are urging even more aggressive action. “Companies want better results than are being delivered by law enforcement,” said Stewart A. Baker, former assistant secretary for policy at the Department of Homeland Security. He questioned whether the National Security Agency, the F.B.I. or the C.I.A. had enough qualified counterhackers to stake out corporate networks and also whether those businesses would be comfortable giving the government more access to their networks.
Mr. Baker maintains that victims of data theft can reasonably argue that they have a right to follow and retrieve stolen data wherever the thief takes it. And, he added, federal law on the matter is so ambiguous that prosecuting a company for trespassing on the domain of a hacker would be difficult and highly unlikely.
“I do really believe there should be a Second Amendment right in cyber,” added Jeffery L. Stutzman, vice president of Red Sky Alliance, referring to the right to bear arms. His company coordinates intelligence sharing for many of the world’s top corporations. Virtually all of them are weighing how aggressive to be in combating hackers, he said.
In 2011 Michael Hayden, former director of both the C.I.A. and the N.S.A., suggested that the government should consider allowing a “digital Blackwater” with paid mercenaries battling cyberattackers on behalf of corporations. But security experts warn that by taking matters into their own hands companies risk an escalating cycle of retaliation, lawsuits or Internet traffic jams.
What’s more, since cybercriminals typically hijack the systems of unwitting third parties to launch attacks, it is often hard to pinpoint targets for retaliation, said Orin S. Kerr, a professor at the George Washington University Law School. It is “kind of like a blindfolded partygoer trying to hit a piñata with a baseball bat,” he said. “He might hit the piñata but he might hit Aunt Sally, who happens to be standing nearby.”

Companies might also trip up law enforcement efforts or find themselves on the wrong end of a lawsuit if they inadvertently gain access to someone else’s server. And under many foreign laws, self-defense actions by private companies amount to espionage.
The Justice Department takes the stance that a company is most likely breaking the law whenever it gains access to another computer network without permission. At a panel hosted by the American Bar Association, John Lynch, chief of the computer crime and intellectual property section of the Justice Department’s criminal division, said that usually, when his office determines that companies have gone outside their server to investigate a perceived attacker, his first thought is, “Oh wow — now I have two crimes.”
There are, however, other ways to fight hackers that are both legal and effective, said Mr. Stutzman of Red Sky Alliance. His firm, for example, profiles attackers by keeping their pictures, phone numbers and other personal data on file. He is also an advocate of software that tags sensitive documents so that if they are stolen they self-destruct or transmit an alert to the owner.
Most security companies say the main objective should be raising the cost to hackers. CloudFlare, for instance, has developed a service called Maze, which it describes as “a virtual labyrinth of gibberish and gobbledygook” designed to divert intruders to bogus data and away from useful information. Other companies create bottlenecks to route attackers through security checkpoints.
It is fairly common for law firms to have their email read during negotiations for ventures in China, said Dmitri Alperovitch, a founder of CrowdStrike, a company that investigates hackers. So if a company knows its lawyers will be hacked, planting decoys can give them an upper hand, he said.
This month CrowdStrike unmasked a secret cell of cyberthieves linked to the Chinese Army that had stolen millions of dollars’ worth of data from military contractors and research companies, often by hiding its attack software in emailed invitations to golfing events.
Samir Kapuria, vice president of Symantec’s Cyber Security Group, recounted how his company helped a major manufacturer create bogus blueprints of a valuable product with a traceable but harmless flaw and left it hidden in its servers. When the manufacturer later found the planted blueprint for sale on the black market, he said, Symantec was able to help trace the leak to its source, fire the subcontractor and save the manufacturer tens of millions of dollars.
But there can also be unintended consequences when planting false information, said Dave Dittrich, a security engineer at the University of Washington. He offered a theoretical example in which a company intentionally inserts flaws into a faked vehicle design. “If someone plants false information to be stolen and used, and this results in the death of any innocent human beings,” he said, “there could be a good case made that the entity who planted the fake data is acting in a negligent and unjustifiable manner.”
In general, Mr. Kapuria of Symantec prefers a philosophical approach toward thwarting the legions of cybercriminals, describing the fight as “Cyber Sun Tzu — when the enemy is relaxed, make them toil; when full, make them starve; when settled, make them move.”
Ian Urbina is an investigative reporter for The New York Times.

Card fraud impacts 1 in 4 consumers worldwide
Posted on 24 June 2014.
A global fraud study of more than 6,100 consumers across 20 countries revealed that one in four consumers has been a victim of card fraud in the last five years. The study, conducted by ACI Worldwide and Aite Group, also highlighted that 23 percent of consumers changed financial institutions due to dissatisfaction after experiencing fraud.

Card fraud is comprised of unauthorized activity on three types of payment cards—debit, credit and prepaid. Cardholders experience fraud at very different rates around the globe, and each type of card has unique fraud challenges. The U.A.E. has the highest rate of fraud overall at 44 percent, followed by China at 42 percent and India and the United States at 41 percent each.
  • 63 percent of global consumers (respondents) who have experienced fraud are more likely to use their cards less
  • 50 percent exhibit at least one risky behavior, which puts them at higher risk of financial fraud
  • 55 percent are “very concerned” about reclaiming financial identity if they fall victim to identity theft
  • More than 1 in 10 have experienced fraud multiple times during the past five years.
“Given this latest data, financial institutions have their work cut out for them, both in terms of educational and preventative measures,” said Shirley Inscoe, senior analyst, Aite Group. “Consumers lack confidence in their bank’s ability to protect them from fraud, so banks must remain vigilant in their fraud migration efforts or face increased customer attrition.”

With 1,367 confirmed data breaches in 2013 alone, the security of the financial services value chain is top-of-mind. As organized fraud rings relentlessly develop new methods of stealing funds and identities, consumers are increasingly losing confidence that there is anything that can be done to reverse this downward spiral.
  • 23 percent changed financial institutions due to dissatisfaction after experiencing fraud
  • Nearly 2 in 10 lack confidence that their financial institution can protect them against fraud
  • 43 percent who received replacement cards as a result of data breach or fraudulent activity use their new card less than they used their original.
“Consumers are increasingly concerned about fraud, and are losing confidence on a variety of levels,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide. “They are unsure that their financial institutions can protect them against fraud; they use replacement cards less often due to a loss of confidence in the card or card issuer, after experiencing fraud; and post-fraud, they often change providers or their cards go to back of wallet. This has immediate and long-term implications on customer loyalty, revenue and fee income.”

Monday, June 23, 2014

Maybe it really does matter who the CISO reports to

The debate over CISO reporting structure reared its head again in the wake of Target's hiring of former GM CISO Brad Maiorino.

Target’s recent appointment of Brad Maiorino was received with great fanfare this past week, an indication that Target was willing to bring in the “big guns” to address security in the wake of last Fall’s massive data breach at the big box retailer. But the disclosure that the position will report to Target’s CIO has rekindled the debate about what the most effective reporting structure should be for the CISO to deliver better overall security.
In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt, Shawn Henry and John Pescatore debated the wisdom of this reporting structure with Northcutt and Henry arguing that it diminishes the effectiveness of the CISO. Pescatore, on the other hand, claimed, “there is zero real-world correlation that security goes up - or down (when the CISO reports to the CIO)”. While I agree with John that the relationship between the CISO and his/her boss is critically important to the CISO’s success, I am compelled to point out that there actually is empirical data supporting the argument that having the CISO reporting outside of the CIO’s office does improve the organization’s security when measured against downtime and financial losses.
This finding comes from the 2014 Global State of Information Security Survey, conducted each year, for more than a decade, by PwC, CSO and CIO magazine. I’ve not previously called out this data because I thought this argument had been put to bed. Apparently I was wrong. So here it is:
  • with more than 9,000 respondents from around the globe, the survey found that those organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO
  • and, when the CISO reported to the CIO, financial losses were 46% higher than when the CISO reported to the CEO. In fact, having the CISO report to almost any position in senior management other than the CIO (Board of Directors, CFO, etc.), reduced financial losses from cyber incidents
I also examined the findings from the 2013 survey and found the same basic conclusion: reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.
I’ve always believed that not every organization is the same and that no one model will work everywhere. However, there’s a lot to be said for having IT security leadership report to the top of the house, but not to the CIO: the reduction in conflict of interest between the CIO’s objectives and the CISO’s objectives, the ability to escalate issues to the top of the house, as well as the opportunity it provides for security to influence corporate leadership. It’s critical that the CISO and the CIO work together towards the common goal of aligning security with the business objectives and risk appetite of the organization, but it’s clearly best done when they are peers with an equal voice in the discussion.
Bob Bragdon, Publisher

Why senior leaders are the front line against cyberattacks

All companies are aware of the growing risk of cyberattacks, yet few are taking the steps necessary to protect critical information. The key? Senior managers need to lead.

June 2014 | by Tucker Bailey, James Kaplan, and Chris Rezek
Why isn’t more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020. They understand most institutions have technology- and compliance-centric cybersecurity models that don’t scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.

The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.

Structural hurdles to addressing cybersecurity

There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
Third, cybersecurity risk is difficult to quantify. There’s no single quantitative metric such as value at risk for cybersecurity, making it much harder to communicate the urgency to senior managers and engage them in required decisions. As one chief financial officer told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
Finally, it’s hard to change user behavior. For many institutions, the biggest vulnerability lies not with the company but with its customers. How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure? Breaking through the noise at most institutions to communicate with frontline managers about cybersecurity risks is tough enough, let alone mitigating risks that are ostensibly beyond your control.

Senior managers must lead

Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, the necessary decisions can only be made with active engagement from the CEO and other members of the senior-management team.
As part of research we undertook with the World Economic Forum on cybersecurity, we had the opportunity to interview executives from more than 200 institutions and perform deep dives on cybersecurity risk-management practices with more than 60 of the world’s 500 largest companies. Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks, more important than company size, sector, and resources provided. Our research also found that senior-management engagement varies dramatically. In some companies, the CISO meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.
So what does senior management need to do? Among those companies that are making the most progress toward developing cyberresiliency, we identified four actions common among senior managers:
  • Actively engaging in strategic decision making. Just as with other types of enterprise risk, CEOs and the rest of the senior-management team must provide input on the organization’s overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations. Subsequent to that, business-unit heads—and their management teams—must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact.
  • Driving consideration of cybersecurity implications across business functions. Senior managers at leading companies ensure business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions. In addition, they make sure that the disclosure of cybersecurity priorities is incorporated into the company’s public-affairs agenda.
  • Pushing changes in user behavior. Given how much sensitive data senior managers interact with, they have the chance to change and model their own behavior for the next level of managers. This can begin with simple steps, such as becoming more judicious about forwarding documents from corporate to personal e-mail accounts. In addition, senior management can and should provide the communications “airtime” and reinforcement required to help frontline employees understand what they need to do to protect critical information assets.
  • Ensuring effective governance and reporting is in place. No matter how thoughtful a set of cybersecurity policies and controls may be, some managers will seek to circumvent them. Senior management obviously needs to make sure that policies and controls make sense from a business standpoint. If they do, senior managers then need to backstop the cybersecurity team to help with enforcement. In addition, senior management should put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program.
Pervasive digitization, open and interconnected technology environments, and sophisticated attackers make cybersecurity a critical social and business issue. If inadequately addressed, it could materially slow the pace of technology and business innovation in the years to come. That’s why companies must make rapid progress toward cyberresiliency, and only sustained focus and support from top management can overcome myriad structural and organizational hurdles. We know it’s possible—at some companies, this process is already under way. But it must take place on a broader scale if companies are to protect their critical information assets while retaining the ability to innovate and grow.
About the authors
Tucker Bailey is a principal in McKinsey’s Washington, DC, office; James Kaplan is a principal in the New York office; and Chris Rezek is a consultant in the Boston office.

InfoSec shake-up in full swing

Big changes are happening. When the dust settles, the information security industry will be a completely different shape. Last week, Brian Dye, VP of Information Security at Symantec, announced that anti-virus software is dead – it only stops 45% of malware. This is not news for most of us in the industry – many say that AV detection rates are closer to 5%.

After the Symantec “bombshell”, the rest of the AV industry spent the past week scurrying around trying to stop a total erosion of confidence in their products. The reaction of Kaspersky was typical of the industry: they said that although signature scanning is now pretty hopeless, AV products comprise several more layers which provide protection. The reality, however, is that it does not matter how many layers AV has; it simply does not stop nearly enough malware. Symantec have pulled their fingers out of the dyke, and the pressures to change are fast becoming a flood. AV is based on the outdated premise of attempting to prevent malware infections.
The recent AV debate is indicative of fundamental structural changes which are taking place throughout InfoSec. Any visitor to an InfoSec trade show over the past decade would clearly have seen the dominance of the AV companies. The shake-up happening now is a fundamental paradigm shift.
Elements now coming to the fore in information security include:
1. End device protection must include technology that protects data even when the device is infected with malware. Examples are more proactive anti-key logging and anti-phishing end point solutions.
2. Security derived from data analytics of big data. Our ability to analyse big data to make our systems more secure is evolving fast.
3. Increased use of cloud-based, real-time analysis of electronic transactions. This creates more sophisticated risk-based authentication. More and more security analysis will be performed in the cloud.
4. Realisation that mobile security is totally different from PC security. Threats on mobile stem primarily from the installation of “legitimate” apps approved and downloaded from the official app stores, many of them requesting permissions they do not need. Techniques successful on mobile, such as sandboxing and application whitelisting, are being used more in non-mobile environments. Encryption is utilised more and more.
5. Solutions addressing the need for privacy alongside government’s national security needs. This includes inter alia, off-shore cloud hosting and homomorphic encryption.
The move away from the dominating dependence on AV will drive a flurry of M&A activity over the next year or two. Traditionally, leading InfoSec firms enlarge their technology and drive growth through acquisitions, and this will become even more prevalent. A dance of musical chairs is playing out, while leading firms jostle, acquire, and re-align. The moves made now will determine who will dominate a more lucrative information security industry over the next decade.
Clearly companies such as Symantec realise the urgency to morph and have been aggressively buying new technology for a while. Others who cling to outdated technology will wither and die. With such high stakes up for grabs, many organisations, not traditionally in core AV, are also part of the infosec musical chairs, such as FireEye, IBM, Akamai, Cisco, Intel, etc. There will be spectacular returns for the winners of this restructuring – global spending on information security is going to escalate way above current (already high) levels.
Patents and intellectual property in the new security paradigm are incredibly valuable. Security M&A prices are based less on revenues than on the strategic positioning of the technology and IP, and on what it can leverage for the acquirer. We look forward to seeing how this shake-up plays out. When the new landscape settles, the cross-pollination of different technologies and expertise will produce the next wave of innovative solutions. And some of the new breed will rise, while others, once mighty, will fall.

Symantec Mitigation for Oil Company DoS/DDoS (6/23/2014)
Symantec said it has detection measures in place regarding the recent threat and also issued the following recommendations:
· Use a layered approach to securing your environment, including enterprise-wide security monitoring.
· Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity.
· Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
· Ensure all web servers are patched, configured to minimise the impact of DoS/DDoS attacks, and hardened against external threats.
· Utilise web application firewalls as a front-line defense against attacks.
· Ensure your IT and IT security staff are prepared and know what they need to do in the event of attack.
· Discuss DoS/DDoS mitigation strategies with your upstream provider and ensure they are aware of this threat.
· Ensure relevant third party vendors are also aware and accessible.
· Utilise DDoS protection services.
· For technologies not monitored/managed by MSS (Symantec Managed Security Services), ensure all signatures are up to date, including endpoint technologies.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
· To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
· Do not follow links or open email attachments provided by unknown or untrusted sources.
· Ensure staff are educated on social engineering and phishing techniques.
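The two host-hardening items above (a running firewall with unnecessary ports closed and unused services disabled) are easy to state and easy to let drift. The following script is an added example, not part of Symantec's advisory: it parses the output of `ss -Hlntu` (listening TCP/UDP sockets, numeric, no header), treats anything not bound to loopback as externally reachable, and reports every reachable listener whose protocol/port pair is not on an allowlist. The sample `ss` output and the allowlist for a public web server (22, 80, 443) are constructed for the example; adjust the allowlist to the host's actual role.

```python
import ipaddress
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample in the format of `ss -Hlntu` (no header, numeric,
# listening TCP and UDP sockets). Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""

# Hypothetical allowlist for a public web server: (protocol, port) pairs
# that are expected to be reachable from other hosts.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int


def parse_ss(text: str) -> list[Socket]:
    """Parse `ss -Hlntu` lines into Socket records.

    The local address is the fifth column. IPv6 addresses are bracketed
    ("[::]:443"), so split on the last ':' to separate the port.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        sockets.append(Socket(proto, addr.strip("[]"), int(port)))
    return sockets


def is_external(addr: str) -> bool:
    """True if a bind address is reachable from other hosts.

    Wildcard binds ('*', 0.0.0.0, ::) and any non-loopback address count
    as external; 127.0.0.0/8 and ::1 do not. An unparseable address is
    treated as exposed rather than silently passed.
    """
    if addr == "*":
        return True
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return True
    return not ip.is_loopback


def audit(sockets, allowed=ALLOWED):
    """Return externally reachable sockets whose (proto, port) is not allowed."""
    return [s for s in sockets
            if is_external(s.addr) and (s.proto, s.port) not in allowed]


def live_sockets():
    """Run ss on the current host and parse its output (requires iproute2)."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    socks = live_sockets() if "--live" in sys.argv else parse_ss(SAMPLE_SS_OUTPUT)
    for s in audit(socks):
        print(f"unexpected listener: {s.proto}/{s.port} bound to {s.addr}")
```

On the sample input the script flags FTP on tcp/21 and portmapper on udp/111; MySQL on 3306 and chrony on udp/323 are bound to loopback and are therefore not reachable from the network, so they are not reported. Running it with `--live` audits the local host; a non-empty report means either the allowlist is wrong or a service should be stopped and its port blocked at the host firewall.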
After several years of planning, the Pentagon’s Cyber Command is finally beginning to conduct operations such as tracking adversaries overseas to detect attacks against critical computer networks in the United States, according to a senior defense official.
The Pentagon’s “national mission” cyber teams over the past year have begun monitoring servers used by “high value” adversaries, said the official, alluding to countries such as Iran and China.
When authorized, the national mission teams — the most prominent element of the military’s growing Cyber Command — can block or counter a foreign cyber attack, the official, who was not authorized to speak on the record, said in a recent interview.
But the teams’ focus is “strategic defense of the nation,” not offense, the official said. The command is slightly less than one-third of the way toward its full capacity, with almost 2,000 personnel in place out of a goal of 6,000 by the end of 2016.
Sequestration slowed the effort, but “solid progress” is being made, the official said. The command is led by Adm. Michael S. Rogers, who took up the job in April when he became director of the National Security Agency. It was launched in 2009 under then-NSA Director Keith Alexander.
All told, there will be 13 national mission teams out of a total of 133 teams. Twenty-seven combat mission teams will assist combatant commands around the world. They might, for instance, disrupt an enemy’s computerized air defense systems before an airstrike.
There will be 68 cyber protection teams to help with defense of the department networks, the official said. The remaining 25 teams will provide support to the national and combat mission teams.
The national mission teams will not operate on private sector networks or inside the United States. “The national mission teams are not designed to sit on Wall Street and protect Wall Street’s networks or the power grid’s networks,” he said. “They want to catch an incoming round before it [hits].”
Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.
“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”
Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”
The teams can do that reconnaissance work under a variety of authorities, including intelligence and military, he said. If asked, they could also help the FBI in a criminal investigation, he said.
The national teams will deploy only when there is a strategic attack, or one, he said, that “is going to cause death, public health and safety issues on a serious magnitude…[something] with significant implications to our national security or to our national economic security.”
Part of the decision-making process is a consideration of the consequences of any action, to include diplomatic blowback and counterstrikes, he said. “We don’t want to make the situation worse by the use of military cyber capabilities,” he said.


Center for Policy on Emerging Technologies (C-PET)
Internet of Things
August 3, 2013. Internet of Things – Smart Systems and Dumb Policy could be a Dangerous Combination in a Dynamic Global Arena
Steve Bell, President, KeySo Global LLC
Introduction
As a result of a recent C-PET Internet of Things (IoT) round table teleconference and the recent 3rd Annual Internet of Things Europe 2011 conference in Brussels, it was thought appropriate to share the following paper. This report is a summary extract of the key points discussed at a C-PET IoT conference held in December 2009. It is based on a comprehensive report developed by KeySo Global (available on request) of the meeting that examined these points in light of a number of trends and developments of the IoT during 2010. In order to keep this document fresh and relevant, the opportunity was taken to carry out a hindsight/foresight review of the material and to test the temperature of the conclusions in the light of IoT developments in Europe, and the progress being made.

Hindsight & Foresight
Two years ago, the consensus appeared to be that the EU had first mover advantage on IoT, but now it appears that China is clearly in the forefront of the countries developing the Internet of Things. Some of the issues that this observation surfaces are the cultural and philosophical differences between eastern and western societies and governments.
The goal for IoT & Internet in the EU by 2020 is “smart, sustainable, inclusive” with values like privacy built in from the start on the assumption that it will fail otherwise. Peter Hustinx, European Data Protection Supervisor makes the point that “fundamental to the successful deployment is trust”. Privacy of data and trust of the consumer will be critical components to success of the Internet of Things. While the rhetoric on “right to silence” may be “hyperbole” it starts the global conversation on privacy by design.
Does an equivalent statement exist for the US and should it? Does Washington even understand the profound implications that the IoT will have on the U.S and global economy? These were some of the areas touched upon in the recent roundtable where Michael Nelson identified 3 Tech Cultures: W. Coast, Prototype Principle; E. Coast, Profit Principle; Europe, Precautionary Principle. As Dan Caprio & Mike concluded, the issue is not which is the right principle but how to embrace all 3 in a horizontal approach across the EU and the US, and at the same time recognize that China and Asia are moving at a rapid pace of development as well. There are a lot of moving parts and players involved in assessing multiple international policy issues but it is essential to start addressing them.
The paradox is the tension between protecting a fragile and evolving Internet and the interests of those who want control over it and over the emerging IoT technology. Today’s Internet policy framework is “elegant in its restraint” and has enabled extraordinary innovation, according to the OECD, but the OECD also sees trends that threaten to balkanize the Internet, creating mini national Internets that would destroy economic and social potential.
M2M communications only become the true IoT when interfaces & data open up & everything talks globally. The sensors are the means not the end; they are ambient and do not need “modal” interfaces that require human attention. The Internet of Things is really about data management and the privacy implications that arise from this built environment. The IoT will indirectly enable the observation and understanding of human behavior in buildings and places. Where this information can be mashed together to create swarm behavior analysis, it raises the interesting issue of who owns the data and knowledge.
Open data will drive the Internet of Things. As Meglena Kuneva, European Consumer Commissioner, said in March 2009 “personal data is the new oil of the Internet & the new currency of the digital world.” It seems reasonable to anticipate that this complex global environment will spawn many different privacy solutions rather than a single “privacy by design” solution and that the focus should be on the transparency of the systems that hold the data, not necessarily on the transparency of the data itself.
This is why, instead of the Internet of Things, it should potentially be renamed the “Cloud of Everything”. This would be comprised of billions of people controlling the use of open data generated by billions of devices for millions of apps & services, which in turn utilize the data made available by the Cloud for the purposes of sharing and analysis.
The “Cloud of Everything” is the classic double power conundrum; it is the biggest opportunity and the biggest challenge to everything that individual societies and cultures hold absolute.

Impact of the Internet of Things
In December 2009 the Center for Policy on Emerging Technologies (C-PET), a non-partisan think tank for the 21st century, held a roundtable discussion in Washington DC hosted at the offices of McKenna Long & Aldridge. The small but broad cross section of participants and experts brought a wealth of knowledge and perspectives. They facilitated a better understanding of the potential, the impact and the implications of the Internet of Things (IoT), both in the U.S.A. and globally. One general conclusion arising from the C-PET panel was that competing visions exist for the IoT and that the general public does not yet have a clear and compelling sense of what it is or of the benefits that it could potentially provide. The definition recommended by the C-PET panel was much simpler and attempted to address the need for a clear, compelling, benefit-driven definition that could be understood by consumers. The C-PET panel’s vision emphasizes “connecting the things that matter to make life better”.
The Internet of Things (IoT) is the ultimate paradox; by definition its lineage is clear (Moore’s Law, Internet, cellular, RFID and the web) but the implications of what it yields or unleashes are truly unknown at this time.
Elements grounded in science are predictable but as you move up the software and services stack, second and third order derivatives are more difficult to predict, and their implications on society even less so.
A recent article in the Economist magazine on the Internet of Things highlights four main areas of concern for society:
Privacy: an increasing number of sensors will mean that offline data can be mixed with online data, creating enhanced digital footprints
Control: the risk of abuse by a malevolent government using Orwellian ways to keep people under control
Security: the fear that smart systems might be vulnerable to malfunctioning or attacks by hackers – the Stuxnet scenario
Elitism: the concern that those with access to smart systems could be vastly better informed than those without, which could lead to control by a few
One challenge identified by the C-PET panel was how to unlock the latent value of the Internet of Things in order to unleash human creativity; specifically to ensure that it truly remains an Internet of Things and that, through policy, its potential is not limited to an “internet of fewer things”.

Enabling the Internet of Things
During the C-PET session consideration was given to what was needed to enable the Internet of Things to flourish.
The following enabling elements were explored and discussed during the meeting:
  • IT and broadband networks for backhaul, coupled with robust layers of wireless data networks, are essential for the provision of ubiquitous access anywhere, any time
  • These networks need to be scalable globally and have the ability to communicate with billions of billions of addresses (IPv6 adoption) and a domain name standard that allows devices to be traced
  • Spectrum management needs to address the future requirements of networks of smart systems, with billions of devices continuously refreshing their status and needing control guidance
  • The networks need to be robust, resilient, flexible and probably redundant if they are to interface, link and service utility and health systems. Denial of service and threat of cyber attack cannot be acceptable on critical infrastructure
  • Architectural and policy recognition that, unlike the Internet, the IoT is not a singular or totally open system but is in fact comprised of overlapping networks of open, closed and partially open systems. Standards and interfaces will be needed to ensure companies can protect proprietary supply chain information, but on the other hand have the ability to track and recall goods (food & drugs) across multiple systems when necessary
  • With the ability to gather data 24/7 from potentially billions and billions of devices, there is a need for heuristic software capability and deterministic rules
  • New data storage concepts need to be considered: despite the continually lowering cost of this, there is a distinct possibility of running out of storage
  • New capabilities in smart pattern recognition will be required to handle current and historic data, and to then determine how best to use this data effectively
  • Business processes need to adapt, and companies need to be able to see the economic benefit of investing in IoT. The lesson from RFID is that, even if the cost of sensors and chips continues to fall to extremely low levels, the issue becomes the total cost of the system as a whole
  • Equally, if the overall proposition is not attractive, easy to use and can be seamlessly adopted into consumers’ lives, they too will reject it
  • Provision needs to be made for security, privacy policy and mechanisms that address a new set of paradigms; where access, storage, usage and ownership of data related to someone or something are not necessarily under the control of an individual or corporate entity, and where national boundaries have little meaning
  • Consideration for regulation of smart grids where there is more than one owner, the owner is outside the national border or the grid is part of an international network
  • Global collaboration between governments and industry on consumer security and privacy service level agreements, and opt in rules regarding silent chips and surveillance
  • Policing and enforcement to address the federated crime syndicates that are already emerging and that recognize no borders, generating a shadow economy that is already more than a trillion dollars
  • The consideration of industry partnerships and stimulus funding to accelerate development of technical, economic and social capabilities; to ensure that IoT based structural change positions the U.S. to take a leadership role in what could be the next industrial revolution

Concluding comment

During this last 12 months C-PET has consistently raised the concern that Washington has not cultivated an innovation mindset. In this environment where will the cradle of innovation be for the IoT in the U.S. and how will it be encouraged? In fact, with the increasing emphasis on short term results, can it really be nurtured in the U.S. and can these enabling elements be addressed?