Patrick Lin, who is Assistant Professor and Director of Ethics and Emerging Science Group at California Polytechnic State University, penned  a thought provoking piece titled ‘Stand Your Cybergound’ Law: A Novel Proposal for Digital Security in The Atlantic magazine in which he offers up a proposal allowing private industry to conduct cyber retaliation against foreign attackers. He rightly points out that a majority of cyber attacks against the United States or its interests are against private companies. It was reported just this week that the Department of Homeland Security  has sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against multiple companies, which began earlier this year and is still under way. The face that companies are expected to fend for themselves is huge vulnerability in our national cyber defense. The Department of Defense protects military networks. The Department of Homeland Security defends other federal government networks. And everyone else is basically left to stand or fall on its own. It is the case  that there have been increased collaboration  between the public and private sectors in recent years. And the policy makers are looking at additional means for increased information sharing and collaboration. The  proposed Cyber Intelligence Sharing and Protection Act (CISPA) is one such effort. But if private company  is under attack, there is no calvary coming. Couple this with the fact that approximately 85% of the US critical infrastructure is owned and operated by private industry. It would take more that information sharing to adequately implement an effective national cyber defense. Our current cyber defense  is  mostly dependent on private for-profit companies making business decisions about how much to spend on their security overhead. That is certainly a recipe for disaster. It is imperative that government, business and academia join forces and develop better options for addressing this issue.

In the article, Lin writes, “ we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants.”

I would first draw a distinction between passive defense ( i.e. blocking attacker access, removing a vulnerability being exploited, etc ) and active defense ( i.e. launching a counter attack to disable the attackers capabilities).

All entities, government and private sector, are engaged in the former. Some more successfully than others. Some with greater effort than others. There are no legal or ethical questions there except a much broader sense . If gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.

As to active defense, I have heard have seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin’s proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about ” stand your ground” laws such as the one in Florida that came to national attention as a it is reportedly invoked in the defense of the fatal shooting an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west. I find this proposal problematic on three fronts. From the purely cyber security perpective ,from a business perspective, and as a matter of national security policy. I’ll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on nation cyber defense policy.

• Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that ” There is a reasonable argument in claiming that a botnet is not fully innocent and therefore not immune to harm.Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulberable copies of software“. In other words, you allowed your systems to by hacked, so you deserve it if caught in a counter attack. I certainly agree that most reported successful attacks or breaches are a result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify vulnerabilities and risk. You can never eliminate all risks all the time nor can you afford to mitigate all identified ones.

• Business: Typical business security incidence response practice includes: Detecting the attack, containing the damage, remediating effects of attack and gathering evidence, returning systems to normal and some follow-up. Lin’s proposal would require additional steps to gather sufficient forensic evidence to identify an actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies will then have to plan and execute the counter attack. Few companies have in-house expertise to do this. Few business managers will be willing to fund such activities. Whats the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?

• National Security: We know for a fact some of the attacks on our private owned critical infrastructure have been attributed to foreign government affiliated networks. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can’t even patch their servers or encrypt their sensitive data. The last think we need is an international incident started by some system administrator at some SMB. I mean a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. Google ‘Russia Georgia Cyberwar”.

I commend Dr. Lin for his contribution to this very important discussion. I don’t necessarily agree with the proposed approach but as a nation, we really need to come to terms with how best to improve our national cyber defense as we are in dire straits.

Most of the commentary written about companies moving to the Cloud  focuses on  the loss of control over company data as a consequence of giving up self-hosted infrastructure. There is usually an implication that this is bad. I believe that is not necessarily a given. How may stories do you read daily about data breaches unrelated to the cloud? It’s almost cliche now.

The critical question that must be asked is “Can cloud provider X protect your company’s  data better than you can?”.

In many cases, the answer is yes. Basically [ in most cases] they do security better than you do. They can afford to hire more security staff  and deploy a more robust security infrastructure. Their business depends on it. In a presentation I gave some time ago on cloud computing located here, I listed the following as additional reasons why:

• Security measures are cheaper when implemented on a large scale
• Better security provides competitive advantage to providers
• Increased standardization and industry collaboration
• Improved forensic capabilities and evidence gathering
• Improved resource scaling

Back of our aforementioned daily horror stories of data breaches. How many of those companies or organizations get closed down or do out of business due to their lax security practices? Not many. For cloud service providers, trust of their customers and potential customers is key to survival. Good security practices are not optional, they are a business imperative.

I’ve witness this first hand working for a financial industry application services provider. Long before “cloud” was a buzz word, there were Application Service Providers (ASPs) that basically performed Software as a Service ( SaaS).  There was a strong culture of security at all levels of the company, from the board on down.

Giving up some control means trusting your provider. This also requires doing your due diligence in selecting the right provier and having a proper service level agreement in place that will allow you access to verify that they are indeed adequately protecting your data.

On Saturday, April 28, the FCC released the full un-redacted report on Google’s Street View project. The report is only 25 pages long and can be found at the bottom of this post.  I find the following tidbits particularly interesting:

“ …Engineer Doe developed Wi-Fi data collection software code that, in addition to collecting Wi-Fi network data for Google’s location-based services, would collect payload  that Engineer Doe thought might be useful for other Google services. …Google made clear for the first time that Engineer Doe’s software was written specifically to capture payload data. “

Despite all of Google previous assertions to the contraire, this quoted section indicates that Google engineer[s] intended for payload data to be captured and stored. Google insists that this was done without the knowledge or approval of project leader and was not a necessary requirement. This would certainly indicate a failure on the part of project management as this drastically changes the scope of the project with far reaching implications. Even if this were indeed the case of a single engineer going rouge, it makes one wonder even more about the internal culture of the company with respect to consumer privacy. Keep in mind that Wi-Fi traffic only travels between individual computers and an access point. Both end points, in this case, reside on private property. Why would anyone believe it acceptable to capture and store this data with affected individuals knowledge and/or consent?

” ..Google employees stated that any full-time software engineer working on the Street View project was permitted not only to access and review the code, but also to modify it without prior approval from the project managers if the engineer believed he or she could improve it. In addition to Engineer Doe, at least one other engineer wrote or modified an aspect of the Wi-Fi data collection code. “ 

If this is indeed the case, it might explain the feature creep. Were these modifications or “improvements” not documented as part of project documentation? It certainly should have been. Project managers can’t pass the buck on this.

“ A manager of the Street View project estimated that five engineers took turns [ deploying and testing] the Wi-Fi data collection code into Street View cars. Despite their hands-on work…these engineers claim they did not realize Google was collecting payload data” 

Google engineers tasked with reviewing the code and deploying it to street cars claim they did not realize it captured payloads. Really? This must be the equivalent to the infamous ” I don’t recall” defense.  Or sheer ineptitude maybe?

Lastly, the FCC fined Google $25,000 for “impeding the investigation”. Google agreed to pay the fine though the company blames the delays in internal FCC processes. This has been the only penalty on Google to date in the US.

Read Full Report below:(Click on Full Screen at bottom right)

Across all industries, small businesses are increasingly facing new threats related to cyber security. Whereas some have taken minimum steps to address these threats but most have not. New security threats and incidents are reported every day in news reports and a many remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses.

What are some consequences of the lack of basic cyber security controls?

• Loss or stolen customer data
• Loss of intellectual property
• Decreased productivity
• Legal liability
• Regulatory sanctions and fines
• Computer systems downtime
• Loss of reputation and customer confidence
• Loss of revenue
• Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, thereby casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often times free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam, bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attack on others.

Hasn’t IT guy(s) already dealt with this issue?

Although cyber security includes traditional “IT”related issues, it primarily focuses on protecting your valuable information from all threats including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off the shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protects the integrity of your businesses brand. A secure business increases customer confidence, loyalty and adds to the businesses bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your businesses risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to their operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance have security experts available to help you understand your unique risks and implement solutions that work your your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagements between small business owners and local security professionals.

Symantec recommends the following:

• Develop and enforce IT policies and automate compliance processes. By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

• Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organization. Utilize encryption to secure sensitive information and prohibit access by unauthorized individuals.

• Authenticate identities by leveraging solutions that allow businesses to ensure only authorized personnel have access to systems. Authentication also enables organizations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.

• Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

• Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.

• Ensure 24×7 availability. Organizations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organizations to adopt more cross-platform and cross-environment tools, or standardize on fewer platforms.

• Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.

Source: http://www.symantec.com/content/en/us/about/presskits/Symantec_2010_CIP_Study_Global_Data.pdf

I just read that my hosting company, GoDaddy, is on the auction block to be sold to the highest bidder. Naturally, I’m thinking of how this change of ownership could adversely affect the service of my web sites, blogs, and virtual servers.  One never really knows until the new owners take over. Maybe they clean house and things change for the better. Or they may look to cut costs and things could take a downward turn. Migrating to a another service would a pain but I could do it if needed.

This brings to mind the current state of the cloud computing market. The mad gold rush of cloud services providers continues. Everyone wants a piece of the action.  These companies offer a variety of hosting services for IT infrastructure, platforms and applications.  The lure of moving to the cloud is obvious. Let someone else do it better, cheaper, more reliably and worry about the  details. More organizations are taking advantage. Companies, large and small, are moving their data, applications, and systems to one or more of the legion of providers out there.  This means more dependence on these providers for accessing business critical resources.  Although there are some obvious leaders in the cloud market today ( Google, Amazon, Salesforce), there are also a many smaller boutique providers that compete mostly on price.

In coming years, I expect the market to settle. Some providers will flourish, others will go down in flames or be acquired by one of the larger shops. These changes could have real consequences to customers. What happens if your provider is using proprietary technology and goes out of business?  Migrating to a new provider might be difficult. Doing your due diligence before selecting a provider is very important. Verifying the financial stability of the company and developing a strong service level agreement are key requirements.  Your SLA must address uptime, performance and security. The ability to audit your provider is also very important.

Many small businesses would not exist without the cloud. Building, hosting, and managing an IT infrastructure can be cost prohibitive. Choosing the right provider, however, may be the difference between success and failure.

Looking ahead, the X-Force Research and Development team has identified some key trends to watch for in the future, including:

Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing. As organizations transition to the cloud, IBM recommends that they start by examining the security requirements of the workloads they intend to host in the cloud, rather than starting with an examination of different potential service providers. Gaining a good understanding of the needs and requirements first will help organizations take a more strategic approach to adopting cloud services.

Virtualization – As organizations push workloads into virtual server infrastructures to take advantage of ever increasing CPU performance, questions have been raised about the wisdom of sharing workloads with different security requirements on the same physical hardware. X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine. This is a significant data point when architecting virtualization projects.

Read more: http://www.prnewswire.com/news-releases/ibm-x-force-report-reveals-global-security-threats-have-reached-record-levels-101460029.html

Gee Thanks! I’ve been working out! …..oh wait a minute! What video??? CLICK!!!!

That was probably the script the culprit had in mind …and who knows how many times it played out.

I received the following message in my email inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues. That is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIN email attack. In this case, the message was right there with a slight difference. The link now was more obvious.

One of those shortened bit.ly links that could lead you anyway. Without clicking the link, I clicked “reply” asking ” Did you send this?” . I already knew the answer but hey!  I immediately got the following response from one of the sender’s friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users.  I’ve read and blogged about compromised Facebook account being used to spread malware and/or lure users to malicious sites but this is my first such experience. I’m not the average Facebook user though, since I only use it to cross-post blog updates.  I didn’t have to time to investigate what’s on the other side of that bit.ly link but just thought I’d share the experience.

Beware fellow Facebook users!