
With attacks on data and IT infrastructure on the rise — along with the costs and potential business impact of attacks — security professionals are starting to express a sense of futility in their work.
This is especially so following the past couple of years, which have included high-profile and successful attacks on companies that would be expected to have the wherewithal to protect their infrastructure, including RSA Security, Google, NASDAQ Directors Desk, Symantec, and many others.
“There’s a sense that no matter what you do, what steps are taken, if someone wants to hack your systems, your data, they can,” says a security analyst at a Midwest manufacturer. “It’s becoming insanely frustrating.”
The U.S. — in what some have argued is a move that both shows the importance of the IT infrastructure and the futility of traditional electronic defenses — last year stated that the government would use military force in retaliation against certain cyber attacks.
“Frustration in the industry has certainly been growing, so much that more on the defensive side have been wondering what could be done to more proactively combat attackers,” the analyst says.
Read more…

Even though 2011 was an extremely active year on the information security and privacy fronts – with a blizzard of proposed legislation, near-weekly front-page data breaches and the continued full leap into the cloud with its security issues – I predict that 2012 events across the privacy and data security landscape will make 2011 look like a walk in the park. A handful of thoughts on what 2012 may hold:
•The EU’s on deck Data Protection Regulation promises – or threatens depending on your viewpoint – to significantly revamp the EU’s data protection regimes, adding additional potential uncertainty to the EU arena. The leaked DPR indicated a new broad extraterritorial reach, stronger protections for children under 18, embracing privacy by design and the right to be forgotten, a requirement to designate a privacy officer, and increased enforcement powers and penalties. We’ll see what happens when the rubber meets the road.
•Will the final version of the HIPAA breach notification rule make a long-awaited appearance in 2012, along with guidelines per Stage 2 of the electronic record incentive program within the HITECH Act? The smart money says yes, especially since Congress recently admonished DHS to hurry up already, given that the “interim” rule has been around since 2009.
•The FTC plans to issue in early 2012 its finalized Privacy Report, formally titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which I believe will have a significant impact on the 2012 privacy/infosec landscape. The draft version, issued a year ago in December 2010, immediately sparked wide-ranging conversations on Do-Not-Track, Privacy by Design, Fair Information Practice Principles, Geolocation and other privacy-related issues, many of which quickly found their way into 2011’s proposed bills. I expect the finalized report to be heavily influential on 2012’s infosec and privacy debates.
Read more…

The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated.
In the past two years there has been a surge in the number of malware-based attacks that resulted in sensitive data being stolen from government agencies, defense contractors, Fortune 500 companies, human rights organizations and other institutions.
“I absolutely expect this trend to continue through 2012 and beyond,” said Rik Ferguson, director of security research and communication at security firm Trend Micro. “Espionage activities have, for hundreds of years, taken advantage of cutting-edge technologies to carry out covert operations; 2011 was not the beginning of Internet-facilitated espionage, nor will it be the end,” he added.
Threats like Stuxnet, which is credited with setting back Iran’s nuclear program by several years, or its successor, Duqu, have shocked the security industry with their level of sophistication. Experts believe that they are only the beginning and that more highly advanced malware will be launched in 2012.
“It is quite possible that we will see another of these threats in the near future,” said Gerry Egan, director of security response at Symantec. Duqu was used to gather design documents from companies that manufacture industrial control systems and could be a precursor to future Stuxnet-like industrial sabotage attacks, Egan explained.
Read more…

Last week we took a look at a few IT predictions for the year ahead, and this week we’re focusing specifically on threat forecasts from security vendors. They all agree that we should expect threats to grow in number, sophistication and damage potential. (Then again, would it make any sense for them to tell us, “Fear not, things are going to be just fine next year”?)
An eruption of mobile malware is widely expected in 2012, as cyber crooks become savvier about hiding malware in social media platforms. Professional criminal groups will find ever more insidious ways to take advantage of human nature online, and companies harboring vast amounts of concentrated data (cloud service providers, social networks, large enterprises) will be irresistible targets. Here is a quick overview of some of the specific predictions:
FortiGuard Labs: The research unit at Fortinet offers up eight network security trends for the year ahead, beginning with the first instances of ransomware on mobile devices. Mobile malware combined with social engineering tactics may prove irresistible to hackers, who can gain root access to infected devices and use it to hold the devices hostage. (I predict they will publicly release their predictions Dec. 13.)
Also in the mobile threat realm, FortiGuard Labs expects to see worms squirm their way into Android devices via SMS messages or social network posts with malicious links. Meanwhile, Android-based malware will become more complex and diverse, and next year it will witness its introduction to polymorphism, in which the malware mutates automatically, making it harder to detect and eliminate.
Read more…

The United States government is circulating a draft document of seven high-level categories that details descriptions, tasks, skills and job titles of IT security occupations. It should help the federal government – and other public and private organizations – structure their staffs more effectively to safeguard data and systems (details of the categories are provided below).
The NICE Cybersecurity Workforce Framework, from the National Initiative on Cybersecurity Education, provides detailed descriptions of the cybersecurity roles and skills for scores of occupations, including some that might not appear to be tied to IT security.
Government agencies have been hampered in setting basic requirements, identifying skills and furnishing training to workers because of a lack of a common language to understand the work and skills required to secure IT. “There has not been a consistent way to define or describe cybersecurity work across the federal workforce,” NICE Leader Ernest McDuffie said in a statement issued with the draft publication. “Other professions have organized their specialties, and now it is time for a common set of definitions for the cybersecurity workforce.”
Occupational classifications for IT security within government would help simplify recruiting – recruiters would know the specific expertise to seek – and facilitate training by defining what skills need to be developed. Today, most cybersecurity professionals are classified as information technology specialists.
Karen Evans, the top IT official in the second Bush administration, said the framework will help individuals as well to “move from place to place and build upon their skills set … due to having a common way to refer to knowledge, skills and abilities.”
Read more…

Data encryption is the cornerstone of Internet security. Every time you log into your email account or sign into an online retailer like Amazon, chances are that your browser is establishing a secure connection to the server using an encryption technology called TLS (Transport Layer Security).
First developed in 1999 as an improvement over SSL (Secure Sockets Layer) 3.0, TLS 1.0 is used as part of HTTPS and is now the Web standard for encrypting data in transit. Almost all websites and browsers use TLS to secure information being transferred between you and the site, and now security researchers Thai Duong and Juliano Rizzo claim to have broken TLS 1.0 encryption using just a traffic sniffer and a simple bit of JavaScript code.
Duong and Rizzo performed a live demonstration of the exploit, codenamed BEAST (Browser Exploit Against SSL/TLS), at the Ekoparty security conference in Buenos Aires in mid-September. The attack needs two things: a snippet of JavaScript that runs in your browser after you follow a malicious link or visit an attacker's page, and a network position from which the attacker can sniff your encrypted traffic to the target site.
The JavaScript does not break into the browser; it uses the browser as an encryption oracle. It makes the browser send requests to the target site in which the attacker controls part of the plaintext (for example the length of the URL path), so that the secret session cookie the browser appends lands at a block boundary of the attacker's choosing. The weakness it exploits is specific to TLS 1.0 with a CBC-mode cipher: the IV for each record is the last ciphertext block of the previous record, which anyone sniffing the connection can see. Knowing the next IV in advance, the attacker can craft a plaintext block that, once encrypted, will match an earlier ciphertext block if and only if a guessed value for one unknown byte is correct.
Each guess tests one candidate for a single byte, so at most 256 requests reveal it; the attacker then shifts the boundary by one position and repeats for the next byte. According to what Rizzo told The Register, recovering a cookie this way takes roughly five to ten minutes. Note that BEAST never recovers the encryption key: it recovers the plaintext bytes of the session cookie one at a time, which is enough to hijack your session with the site.
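The block-by-block guessing described above, as an added, self-contained simulation (this is not code from the article or from Duong and Rizzo). A toy Feistel cipher stands in for AES, since the attack does not depend on the cipher at all, only on CBC with chained IVs. The `Tls10CbcSender` class models the victim browser's TLS 1.0 record layer; `request()` models a request whose path the attacker's script chooses and to which the browser appends the cookie, and `raw()` models an attacker-controlled record body on the same connection (BEAST used a browser plugin/WebSocket channel for this). The cookie value, key and class/function names are all assumptions made for the demonstration.

```python
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (stand-in for AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 16-byte blocks. NOT secure; it only needs to be
    a fixed keyed permutation, because BEAST does not depend on the cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class Tls10CbcSender:
    """Model of the victim browser's TLS 1.0 CBC record layer: the IV of each
    record is the last ciphertext block of the previous record."""

    def __init__(self, key: bytes, cookie: bytes):
        self.key = key
        self.cookie = cookie
        self.chain = os.urandom(BLOCK)   # IV of the first record, unknown to the attacker
        self.records = 0

    def _send_record(self, plaintext: bytes) -> bytes:
        out = []
        prev = self.chain
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.chain = prev            # the next record chains from this block
        self.records += 1
        return b"".join(out)

    def request(self, path: bytes) -> bytes:
        """Attacker's JavaScript triggers a request: attacker-chosen path, browser-appended cookie."""
        return self._send_record(pad(path + self.cookie))

    def raw(self, body: bytes) -> bytes:
        """Attacker-controlled record body on the same connection (assumed plugin/WebSocket channel)."""
        return self._send_record(pad(body))


def beast_recover(victim: Tls10CbcSender, cookie_len: int) -> bytes:
    """Attacker side: sees every ciphertext (sniffer) and drives the browser (JavaScript)."""
    last = victim.request(b"/warmup")[-BLOCK:]   # from here on every IV has been observed
    recovered = b""
    for i in range(cookie_len):
        # Choose the path length so that cookie[i] is the LAST byte of a block whose
        # first 15 bytes (path plus already-recovered cookie bytes) are known.
        path = b"/" * ((BLOCK - 1 - i) % BLOCK)
        ct = victim.request(path)
        t = (len(path) + i) // BLOCK                       # index of the target block
        c_prev = last if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        c_target = ct[t * BLOCK:(t + 1) * BLOCK]
        known15 = (path + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        last = ct[-BLOCK:]
        for g in range(256):
            guess = known15 + bytes([g])
            # The next record's IV is `last`, so a body of guess ^ c_prev ^ last makes the
            # cipher encrypt exactly (guess ^ c_prev), which equals c_target iff the guess is right.
            probe_ct = victim.raw(xor(xor(guess, c_prev), last))
            last = probe_ct[-BLOCK:]
            if probe_ct[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; the model is broken")
    return recovered


def run_demo(cookie: bytes = b"SESSIONID=5f1c3e") -> dict:
    # Constructed sample: random key, fixed cookie value chosen for the demo.
    victim = Tls10CbcSender(os.urandom(16), cookie)
    recovered = beast_recover(victim, len(cookie))
    return {"cookie": cookie, "recovered": recovered, "records": victim.records}


if __name__ == "__main__":
    print(run_demo())
```

The attacker never touches the key; each byte costs at most 256 records, and the cookie comes out in order. The same loop fails against TLS 1.1 and later, which give every record a fresh, explicit IV, so the attacker can no longer predict the value the next plaintext block will be XORed with.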
Read more…

It’s one thing to write about the dangers of malicious software. It’s quite another to have it take over your computer. That’s what happened to me a few weeks ago. I was at work doing a routine online search when all of a sudden my computer went nuts.
A pop-up appeared in the center of the screen — “Warning: Virus Invasion Detection” — and a siren started wailing. “Personal Shield Pro” started to scan my hard drive. At least that’s what it looked like.
Within seconds, row after row of supposedly malicious software programs started stacking up in the window: viruses, spyware, adware and worms.
Personal Shield Pro said it found 47 infections. The scan warned that because of the virus activity found, the following bad things were possible: a system crash, permanent data loss, system slowdown and Internet connection loss.
I knew the scan was bogus, that my computer had been infected with fake antivirus software (FakeAV). But I couldn’t close the program. In fact, I couldn’t do anything. This rogue software had hijacked my computer. So, I turned it off and crossed my fingers.
Read more…

Think of it as carjacking for the Digital Age.
The increasingly sophisticated systems running a car may lead to new vulnerabilities, according to a study (PDF) released today from security software provider McAfee in partnership with mobile software provider Wind River and embedded security provider Escrypt. Those systems could allow hackers to take control of the car, track its location, and even access devices that are connected to it, including smartphones and tablets carrying valuable personal data.
The potential threat comes as hackers have increasingly shown a willingness to attack companies, government officials and agencies, and even Hollywood. Hacker groups such as Anonymous have caused headaches as they have stolen and released private information.
Those same threats could arrive in your car soon. Increasingly, the wireless industry is looking to put more connected devices into vehicles, allowing them to monitor the safety system and condition of the engine, as well as deliver games and videos to passengers.
“As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases,” said Stuart McClure, an executive at McAfee. “It’s one thing to have your e-mail or laptop compromised but having your car hacked could translate to dire risks to your personal safety.”
Read more…

Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get US$712.00 in charges reversed after someone broke into her Amazon account and ordered it.
“They even had me pay for one-day shipping,” she said via e-mail Thursday afternoon.
Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their e-mail addresses and passwords to the Internet Thursday. It’s the latest escalation in a messy hacking rampage by the anarchic group that’s caused damage at Sony, the U.S. Public Broadcasting Service and even the U.S. Central Intelligence Agency.
It’s not clear where all of the Lulzsec e-mail addresses and passwords came from. At least 12,000 of them, including Crowell’s, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site’s technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.
The 62,000 e-mail addresses and passwords belong to victims at large companies such as IBM (IBM), as well as in state and federal government. Affected agencies include the U.S. Army, Navy and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs and the U.S. Coast Guard.
Read more…

Adapting security and management for the new generation of mobile devices — everything from the Apple iPhone and iPad to Google Android devices to name a few — is turning out to be a huge corporate challenge.
“We’re struggling to get our arms around it,” says Tim Mathias, senior director of IT security at Thomson Reuters, whose 55,000 employees worldwide provide news, business information and technology related to financial, media and healthcare. He adds: “It’s a struggle with a technology created for individuals that’s ended up being an important tool for the workplace.”
The RIM Blackberry, designed for the corporate world, has traditionally been the smartphone that Thomson Reuters gave its employees. But early last year, many were asking if they could use their other devices, primarily the iPhone and Android devices, for work.
Mathias says management decided to say yes.
“We thought it might improve the ability to recruit talent, or lower costs, or help from a morale perspective,” Mathias says. One of its corporate divisions launched a pilot to connect iPhones, iPads and Android devices to the corporate email server, with the understanding that any employee using their own device for work would handle their own support issues and not go to IT for assistance, though IT staff did set up a knowledge portal to help them along.
Read more…

“If we don’t have human capital in place, the other stuff is not going to work,” says Patrick Gorman, former associate director of the Office of National Intelligence. “It is the most critical piece of cybersecurity.”
Earlier this summer, the Commission on Cybersecurity for the 44th Presidency issued a white paper that estimated the United States needs upward of 30,000 additional highly trained cybersecurity specialists to help secure critical government and private-sector IT systems. Patrick Gorman, the former associate director of national intelligence, says that figure might be too low.
Various government IT security initiatives, such as the Defense Department standing up a cyber command, agencies moving to continuous monitoring of their IT systems, and the development and deployment of the Einstein intrusion prevention systems, can’t be done without sufficient numbers of highly trained personnel.
“The foundation of all of this is human capital,” Gorman says in an interview with GovInfoSecurity.com. “If we don’t have human capital in place, the other stuff is not going to work. We’re not poised right now to create the number of people with the right skills sets we need to really support the needs we’ll have in government and within commercial sector as well. It is the most critical piece of cybersecurity.”
Read more…

Workshop Poll For many organisations, the litmus test for IT security effectiveness is whether or not security breaches are reduced as a result. Security monitoring should help, but modern environments are complex and multi-faceted, and it can be difficult to determine how much is down to the tools, and how much is down to other factors such as policy.
In this quick poll, we want to get to the bottom of the effectiveness question, both in terms of monitoring itself, and whether resulting environments are any more or less secure. It’s mostly tick-and-bash so grab a virtual pen and it should take no more than five minutes of your time, we’ll feed your responses into the mill and have the results back to you in no time!
Read more…