Posts Tagged ‘cyber security’

Brother can you spare $100,000,000?

Recent News, Security Tools | Posted by Dave
Apr 07 2009

File this under “It really is less expensive to prevent an attack then to pay for cleaning up an attack”

Pentagon spends $100 million to fix cyber attacks

By LOLITA C. BALDOR, Associated Press Writer Lolita C. Baldor, Associated Press Writer 12 mins ago

WASHINGTON – The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

“The important thing is that we recognize that we are under assault from the least sophisticated — what I would say the bored teenager — all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between,” said Chilton, adding that the motivations include everything from vandalism to espionage. “This is indeed our big challenge, as we think about how to defend it.”

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military’s information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military’s computer capabilities, rather than pouring millions into repairs.

“You can either pay me now or you can pay me later,” said Davis. “It would be nice to spend that money proactively … rather than fixing things after the fact.”

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation’s cybersecurity.

 

Tags: , , , , ,
No Comments »

The twits tweeting on Twitter..

Best Practices, compliance | Posted by Dave
Apr 03 2009

So I know this post will be a very unpopular among many of my social marketing friends who feel that tweeter is the best thing since sliced bread.  I will admit while I find most technologies coming out today as fairly useful.  I could not find any useful purpose for twitter in my daily life.  Until Today….

Electronic Survellance

When you are trying to pull off an attack, any attack, the first thing you have to do is gain as much intelligence about your target as you can.  When performing a social engineering attack, we have to find as much information about our victim employees as   possible.  If I am going to successfully trick you into clicking an unsolicitated email, I must send you an email that will perk your interest.  Before, this involed scouring websites, forums, and social networking sites.  While these were very useful, it could be static, you were into cars 6 months ago, but now not so much.   The key to a successful social engineering based attack is simple – If you know enough information, the victim will never suspect you are an attacker.

So what is Twitter?  It is a micro blogger that only allows 140 characters at a time.  So people are forced to blog on very small timely subject.  From what they ate for breakfast to about current events, ”Tweets” are frequent and the subjects are far reaching.  This can be likened to a cyber glimpse into someone’s life.  And that is a dream for a malicous attacker.  If I as an attacker am trying to find information about you that I can use,  then twitter becomes a must read for me.  Granted it may seem like what song your listening to doesn’t seem like a security issue.  Remember, a successful social engineering attack conviences you I am someone harmless.  Sending an email from the Hannah Montanna fan club saying to join may not be a draw for alot of people, but if I find that employee who is Tweeting about Hannah Montana then I have found my ticket in.

The key to gathering successful intelligence is to first linking the employee’s business information to a personal identity.  Tweeter can again help.  If I am trying to find information on a  Dr. Jane Doe who is a chemical engineer.  I do a search for a Jane Doe on Twitter and I find a tweeter who is tweeting about working on a chemical molacule chances are I have found a match.  From there I would look at her handle and see if that handle is used anywhere else on the internet.

Tweeter to a Jailbird

Your employees are twittering, do you know what they are saying?  Have they said anything negative about your company?  Have they let out any company/trade secrets? I did a twitter search for Layoffs and check out some of these hits I found. (These are hits from within the last hour) 

“I can’t “publicly” confirm or deny any layoffs. You will see a press release soon on Q1 results with details contained therein. “
My co. offered 65 + 5 yrs. employees or 20 yr. employees a BUYOUT that sucks. Insulting offer. I sense layoffs are coming next.
“Just entered the ranks of the unemployed!!! Layoffs at *****! Couldn’t have come on a brighter, sunshiney-er day!!! “
“They have bhind scenes. So far I’m ok but they can’t cut too much from me. We knew layoffs in works. Fred always said he wouldn’t “
 

Most companies have a procedure in place to determine  what company information is release, when it is release, and who releases it.  I find it highly unlikely that these  tweets were approved by the company’s management as offical statements from the company.  Let’s think about other instances, is your company about ready to release a new offering that is secret right now?  Do you have an expected new offering that has some issue?  Were your financials not quite where they were expected? 

If your company is a publically traded company, Tweets of secret information could be seen as insider information.  At that point you better have a PDA that will survive 5-7 years (with good behavior :) ).

Plugging the holes

Again as with many security fixes it comes down to your end-user employees.  Security Awareness training and proper policies put in place.  Have policies that state what business information that should not be release by unauthorized employees under any form.  Make sure your employees know the risks of tweeting business information and ensure these policies are enforced.

Tags: , , , , , ,
No Comments »

Article exposes flaws in PCI-DSS

compliance, Recent News | Posted by Dave
Apr 02 2009

Payment Card Industry Swallows Its Own Tail

By Anthony M. Freed, Information-Security-Resources.com Financial Editor

PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered it’s death throes Tuesday, as evidenced by revealing testimony during the House of Representative’s Committee on Homeland Security hearings.

Why the dire prognosis?

Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, and punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.

But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.

The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.

Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.

First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.

Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant – regardless of their being listed as in good standing with the council at the time of the breach.  From Securosis.com:

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.

Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:

“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming – or excluding — Heartland. “The breaches that we have seen have involved a key area of non-compliance.”

To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.

“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”

This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.

Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all.  From Forbes.com:

Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”

Now bear in mind, all of these factions are supposed on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.

Is it any wonder that the future of PCI DSS is in question?

And what could possibly be worse than an entire industry at each others throats in the midst of the biggest security problems they have faced to date?

Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.”  Also from Forbes.com:

“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.

It’s all uphill now.

During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.

I likened the public displays of policy incongruity and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to that of the image of a snake swallowing its own tail.

I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.

That was one long month ago, and opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.

PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Tags: , , , ,
No Comments »

Senate Legislation Would Federalize Cybersecurity

compliance, Recent News | Posted by Dave
Apr 01 2009

Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

 

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity “czar” with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the “third rail of cybersecurity policy.” Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation’s defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

“People say this is a military or intelligence concern, but it’s a lot more than that,” Rockefeller, a former intelligence committee chairman, said in an interview. “It suddenly gets into the realm of traffic lights and rail networks and water and electricity.”

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation’s cyberdefenses. “It’s not a problem that will ever be completely solved,” Rockefeller said. “You have to keep making higher walls.”

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

“The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber,” he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is “not being used to gather private information.”

http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html

Tags: , , , ,
No Comments »