No National ‘Stand Your Cyberground’ Law Please

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Attacks,News,Thoughts | Thursday 10 May 2012 11:06 am

Patrick Lin, Assistant Professor and Director of the Ethics and Emerging Science Group at California Polytechnic State University, penned a thought-provoking piece titled ‘Stand Your Cyberground’ Law: A Novel Proposal for Digital Security in The Atlantic magazine, in which he offers a proposal allowing private industry to conduct cyber retaliation against foreign attackers. He rightly points out that the majority of cyber attacks against the United States or its interests are against private companies. It was reported just this week that the Department of Homeland Security has sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against multiple companies, which began earlier this year and is still under way. The fact that companies are expected to fend for themselves is a huge vulnerability in our national cyber defense. The Department of Defense protects military networks. The Department of Homeland Security defends other federal government networks. Everyone else is basically left to stand or fall on its own. It is true that there has been increased collaboration between the public and private sectors in recent years, and policy makers are looking at additional means for increased information sharing and collaboration. The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is one such effort. But if a private company is under attack, there is no cavalry coming. Couple this with the fact that approximately 85% of US critical infrastructure is owned and operated by private industry. It would take more than information sharing to implement an effective national cyber defense. Our current cyber defense is mostly dependent on private, for-profit companies making business decisions about how much to spend on their security overhead. That is certainly a recipe for disaster. It is imperative that government, business and academia join forces and develop better options for addressing this issue.

In the article, Lin writes, “we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants.”

I would first draw a distinction between passive defense (i.e. blocking attacker access, removing a vulnerability being exploited, etc.) and active defense (i.e. launching a counter attack to disable the attacker’s capabilities).

All entities, government and private sector, are engaged in the former, some more successfully than others and some with greater effort than others. There are no legal or ethical questions there, except in a much broader sense: if gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.

As to active defense, I have heard of and seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin’s proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about “stand your ground” laws such as the one in Florida that came to national attention as it is reportedly being invoked in the defense of the fatal shooting of an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west, I find this proposal problematic on three fronts: from a purely cyber security perspective, from a business perspective, and as a matter of national security policy. I’ll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on national cyber defense policy.

  • Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that “There is a reasonable argument in claiming that a is not fully innocent and therefore not immune to harm. Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulnerable copies of software”. In other words, you allowed your systems to be hacked, so you deserve it if you are caught in a counter attack. I certainly agree that most reported successful attacks or breaches are the result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify and mitigate vulnerabilities. You can never eliminate all risks all the time, nor can you afford to mitigate all identified ones.
  • Business: Typical business security incident response practice includes detecting the attack, containing the damage, remediating the effects of the attack and gathering evidence, returning systems to normal, and some follow-up. Lin’s proposal would require additional steps to gather sufficient forensic evidence to identify the actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies would then have to plan and execute the counter attack. Few companies have the in-house expertise to do this. Few business managers will be willing to fund such activities. What’s the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?
  • National Security: We know for a fact that some of the attacks on our privately owned critical infrastructure have been attributed to networks affiliated with foreign governments. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can’t even patch their servers or encrypt their sensitive data. The last thing we need is an international incident started by some system administrator at some SMB. I mean, a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. Russia and Georgia, for instance.

I commend Dr. Lin for his contribution to this very important discussion. I don’t necessarily agree with the proposed approach but as a nation, we really need to come to terms with how best to improve our national cyber defense as we are in dire straits.

Control does not necessarily imply Security

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Cloud | Monday 7 May 2012 10:23 am

Most of the commentary written about companies moving to the Cloud focuses on the loss of control over company data as a consequence of giving up self-hosted infrastructure. There is usually an implication that this is bad. I believe that is not necessarily a given. How many stories do you read daily about data breaches unrelated to the cloud? It’s almost a cliché now.

The critical question that must be asked is “Can cloud provider X protect your company’s data better than you can?”

In many cases, the answer is yes. Basically, in most cases, they do better than you do. They can afford to hire more staff and deploy a more robust infrastructure. Their business depends on it. In a presentation I gave some time ago, I listed the following as additional reasons why:

  • Security measures are cheaper when implemented on a large scale
  • Better security provides competitive advantage to providers
  • Increased standardization and industry collaboration
  • Improved forensic capabilities and evidence gathering
  • Improved resource scaling

Back to our aforementioned daily horror stories of data breaches. How many of those companies or organizations get closed down or go out of business due to their lax security practices? Not many. For cloud service providers, the trust of their customers and potential customers is key to survival. Good security practices are not optional; they are a business imperative.

I’ve witnessed this first hand working for a financial industry application services provider. Long before “cloud” was a buzzword, there were Application Service Providers (ASPs) that basically performed Software as a Service (SaaS). There was a strong culture of security at all levels of the company, from the board on down.

Giving up some control means trusting your provider. This also requires doing your due diligence in selecting the right provider and having a proper service level agreement in place that gives you the access needed to verify that they are indeed adequately protecting your data.

SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Compliance,News,Tools,Users | Sunday 23 January 2011 1:33 pm

Across all industries, small businesses are increasingly facing new threats related to cyber security. Some have taken minimal steps to address these threats, but most have not. New security threats and incidents are reported every day, and many more remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses.

What are some consequences of the lack of basic cyber security controls?

  • Lost or stolen customer data
  • Loss of intellectual property
  • Decreased productivity
  • Legal liability
  • Regulatory sanctions and fines
  • Computer systems downtime
  • Loss of reputation and customer confidence
  • Loss of revenue
  • Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

  • 55% experienced a fraud attack in the last year
  • 58% of the incidents involved online banking
  • Over 50% experienced multiple incidents
  • 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam and bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attacks on others.

Hasn’t my IT guy (or IT team) already dealt with this issue?

Although cyber security includes traditional “IT” related issues, it primarily focuses on protecting your valuable information from all threats, including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific knowledge related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off-the-shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It increases customer confidence and protects the integrity of your business’s brand. A secure business increases customer confidence and loyalty, and adds to the business’s bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your business’s risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to its operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance has security experts available to help you understand your unique risks and implement solutions that work for your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is a volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagement between small business owners and local security professionals.

Government Involvement in Cyber war in the last year

Posted by securnetworks | News | Tuesday 10 August 2010 6:07 pm

sophos---report-midyear-2010-wpna.pdf

Pentagon and Congress wants control of your network during cyberattack

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Network,Thoughts | Sunday 6 June 2010 12:25 pm

There has been a lot of chatter lately about the possibility of a “widespread coordinated” cyber attack against our critical infrastructure and our ability to successfully defend against it. Most of this infrastructure (e.g. utilities, finance, transportation, etc.) is owned by private companies. Those currently responsible for protecting these networks will tell you that we are already under attack. Is there a cyber war going on? Howard Schmidt, the White House’s Cyber Czar, says “No”. But let’s not argue semantics. War, skirmish, tomfoolery…call it what you may. Many experts will confess the US is unprepared for a major cyberattack.

What is the government’s role in protecting these private networks? Should it have a role at all? Although some in the private sector are still debating these questions, the government has already moved into action. Last month, the DoD launched its new Cyber Command, headquartered at Ft. Meade, Maryland. Military observers still aren’t quite sure what it is supposed to do. The Pentagon’s number two, Deputy Secretary William Lynn, in a gathering of cybersecurity officials and defense contractors, floated the idea that the “Defense Department might start a protective program for civilian networks”.

According to Lynn, companies may “opt out” of the program, but by doing so would place us all at risk. Does that mean that, by default, all companies are considered in the program?

Congress is also taking action. A draft bill, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), gives the Department of Homeland Security authority to keep “critical infrastructure” up and running during a “cybersecurity emergency”.

It would be interesting to see the bill’s definition of cybersecurity emergency. All would agree that coordinated defense is essential. The federal government is probably the only entity able to provide that coordination on a national scale. Coordination is one thing. Control, however, well that’s another animal.

Microsoft warns of new IE bug being exploited by hackers

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | News | Thursday 11 March 2010 8:11 pm

Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company’s second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC. The oldest and newest of Microsoft’s supported browsers, IE 5.01 and IE8 respectively, are not vulnerable to such attacks.

“At this time, we are aware of targeted attacks attempting to use this vulnerability,” Microsoft acknowledged in an advisory posted simultaneously with two updates that patched eight bugs in Windows and Office. Elsewhere, Microsoft said that the vulnerability had been publicly disclosed.

Source: http://www.computerworld.com/s/article/9168138/Microsoft_warns_of_new_IE_bug_attacks_under_way

Twitter makes security enhancements to help users

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | News | Thursday 11 March 2010 6:09 pm

Twitter has added a new service that detects malicious URLs in an effort to quell the rise in malware and phishing on the microblogging social network. I previously did a post about the risks posed by URL shorteners.

The new feature ultimately will scan all URLs before they hit the Twitter feed, but initially is only doing so for URLs sent via Twitter direct messages [DMs] and notifications about DMs. Twitter is using its own URL shortener for these links: “For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and notifications,” said Del Harvey, Twitter’s director of trust and safety, in a blog post last night.

Twitter’s security feature comes amid new data revealing the level of abuse on the social network: One in eight Twitter accounts last year was malicious, suspicious, or suspended, according to a report issued today by Barracuda Networks. The surge in celebrities joining Twitter in 2009 resulted in a major jump in spam, phishing, and other abuse on the site, according to the report.

Read more: http://www.darkreading.com/securityservices/security/attacks

SAHI – Web Automation & Application Security Testing Tool

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | PenTest,Tools | Monday 8 March 2010 1:09 pm

Sahi is an automation tool for testing web applications. Sahi injects JavaScript into web pages using a proxy, and that JavaScript drives the web application.

Sahi is an open source testing tool for web applications, with the facility to record and play back scripts. Developed in Java, C and JavaScript, this tool uses simple JavaScript to execute events in the browser.

Features:

  • In-browser controls
  • Intelligent recorder
  • Text-based scripts
  • Ant support for playback of suites of tests
  • Multi-threaded playback from a command line
  • HTTP and HTTPS support
  • AJAX support

Sahi runs as a proxy server which intercepts traffic from the web browser and records the web browsing actions. Sahi can play back those recorded actions by injecting JavaScript into the browser so it can access elements in the web page. This makes the tool independent of the website or web application under test.

Read more and download it here:

http://www.darknet.org.uk/2010/03/sahi-web-automation-application-security-testing-tool/

Cloud Computing = Loss of Confidentiality?

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Thoughts | Thursday 4 March 2010 5:42 pm

Interesting excerpt from article in ITWorldCanada:

“Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Cloud AG,” he said.”

So not only do you have to worry about who else is in the cloud with your data and what controls the service provider has in place to secure your data, but also whether or not the government will have unfettered access to all your organization’s data without your knowledge. They did it with phone records, so…

A Guide to Computer Security

Posted by Guest Blogger | Uncategorized | Sunday 21 February 2010 4:58 pm

As the number of people connecting to the Internet continues to increase at a rapid pace, more and more of us are now creating our own home computer networks.
With these we can enjoy the benefits of having high bandwidth, instant access to the Internet and make this connection available to multiple computers in and around the home.
But those unfamiliar with computer security are completely unaware of the risks they may be exposing their computer to.
Without implementing a proper computer security solution, your computer may become infected with viruses, spyware, and/or adware. These are all forms of malware that can play a part in rendering a computer unusable, destroy valuable information you’re storing, provide complete control of a computer to another person, allow someone to steal the information on your computer, record your keystrokes and give a third party access to your online bank account, allow someone to use your computer to attack a computer belonging to somebody else, etc.
And if you opted for a wireless network, you could be sharing your Internet connection with your neighbors or that person who has been sitting outside your house in the car for the last few hours. What is more, you are increasing the risk of exposing your own computer to hackers as a result.
So What Are The Basics of Computer Security?

  1. Make sure that the link between you and the Internet is safe. You need to have a hardware firewall installed between you and the Internet. Most recent devices that connect you to the Internet have one built in, but in any case you need to make sure that what you have is a stateful firewall. It should give your computer full access to the Internet, but block all traffic trying to access your network when it originates from the Internet side.
  2. Secure your Internet router. Change the administrator password and, if possible, the administrative account name as well. Everyone who has bought that device will know what the default account and password is, so you must change these and make them difficult to guess. This is especially important if you have a wireless network.
  3. Install anti-virus software on your computer. Make sure it scans the computer for viruses at least once a week. Keep the software up to date and make sure that the virus definitions are updated every day. Also make sure that it is monitoring the computer all the time to help prevent it being infected in the first place.
  4. Install a personal firewall on your computer. Not only should this help limit the damage malware can do to your computer, but it should also reduce the chances of it spreading to other computers. Get in the habit of checking the dialogues that you are prompted with and only allow Internet access to applications that really need it.
  5. Install anti-spyware software on your computer. Make sure it fully scans your computer for spyware at least every week. Keep the software up to date and make sure that the definitions are updated every day. Also make sure that it monitors your computer all the time.
  6. Keep up to date with the security patches for your Operating System. Microsoft releases security updates for Windows every month. However, make sure your computer is configured to automatically check for downloads every day, at a time when your computer is most likely to be turned on.
  7. Secure your wireless network. Do not broadcast your SSID (Service Set IDentifier). Although it can be learned by someone who is determined, there is no point making things easy, so make sure this is disabled. Restrict access to your wireless network based on the MAC (Media Access Control) address of your computer. Yes, these can be faked once known, but why make things simple? Implement WPA (Wi-Fi Protected Access) or WPA2, if you can, to further secure your wireless network. And use a pre-shared key which is not easy to guess.
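Step 1 turns on the word "stateful": the firewall should remember which connections your own computers opened and let only their replies back in. The following is an added illustration, not code from the article or its author: a small Python connection-tracking filter placed beside a naive stateless port rule, both run over a constructed packet trace. The LAN range (192.168.1.0/24), the addresses and the ports are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed home LAN range; the guide names no addresses, so this is constructed.
LAN = ip_network("192.168.1.0/24")
# Ports a naive stateless rule treats as "probably a reply from a web server".
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection attempt (a new flow)


def is_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


def stateless_verdict(pkt: Packet) -> str:
    """Port-based filtering with no memory: everything from the LAN goes out,
    and an inbound packet is let in when its source port looks like a web
    server's. That guess is exactly the hole a stateful firewall closes."""
    if is_lan(pkt.src):
        return "ALLOW"
    return "ALLOW" if pkt.sport in WEB_PORTS else "DROP"


class StatefulFirewall:
    """Connection tracking as described in step 1: LAN hosts may open flows to
    the Internet, replies to those flows come back in, and everything else that
    originates on the Internet side is dropped."""

    def __init__(self) -> None:
        # Flows opened from the LAN: (lan_ip, lan_port, remote_ip, remote_port)
        self.flows = set()

    def verdict(self, pkt: Packet) -> str:
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            # Outbound: remember the flow so its reply can be matched later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if is_lan(pkt.dst) and not is_lan(pkt.src):
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_key in self.flows and not pkt.syn:
                return "ALLOW"  # reply to a flow the LAN side opened
            return "DROP"  # unsolicited traffic from the Internet side
        return "ALLOW"  # LAN-to-LAN traffic is outside this policy


def compare(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_verdict(p), fw.verdict(p)) for p in packets]


# Constructed trace: one legitimate HTTPS exchange plus two inbound probes.
TRACE = [
    Packet("192.168.1.10", 51000, "93.184.216.34", 443, syn=True),  # PC opens HTTPS
    Packet("93.184.216.34", 443, "192.168.1.10", 51000),  # the server's reply
    Packet("203.0.113.5", 40000, "192.168.1.10", 3389, syn=True),  # RDP probe
    Packet("203.0.113.5", 443, "192.168.1.10", 51001),  # forged "reply", sport 443
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={stateless}  stateful={stateful}")
```

The last packet is the one to watch: it comes from source port 443, so the stateless rule waves it through, while the stateful filter drops it because no computer on the LAN ever opened that connection.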

Conclusion
Although you can never make a computer 100% secure, the objective is to put as many obstacles in the way as possible and put off the casual hacker. So by following these 7 basic steps you will have a more secure computing environment. And remember, by implementing proper computer security on our own computers, we are making the Internet a safer place to surf for everyone.

Author: David S McKone
Article Source: EzineArticles.com
