LATEST FBI CERT VULNERABILITIES
NATIONAL CYBER ALERT SYSTEM BULLETINS
CYBER SECURITY ALERTS
NEW THREATS
US-CERT Recently Published Vulnerability Notes:
VU#940193: Microsoft Windows automatically executes code specified in shortcut files
VU#541921: ISC DHCP server fails to handle zero-length client identifier
VU#732671: Cisco Industrial Ethernet 3000 Series switches have hardcoded SNMP community strings
BLOG
Big Changes Afoot at the Institute - 5/13/2010
Debunking the Growing Use of Misleading Claims and False Truisms in Cybersecurity: Wind River and Google Android Examples (Release)
Cyber Secure Institute Calls Wired Magazine’s “2009 Smart List” Idea “Forget Medical Privacy” Profoundly Stupid (Release)
CSI WHITEPAPERS
2/17/10
Cybersecurity: The Challenge of Political and Corporate Will
by Hon. C. Thomas McMillen
2nd in the series, Provoking Cybersecurity Change.
2/1/10
Cyberwar and Cyberterrorism
by Gen. Eugene Habiger
Today, the Cyber Secure Institute published a whitepaper, entitled “Cyberwar and Cyberterrorism: The Need for a New U.S. Strategic Approach,” written by Gen. Eugene Habiger USAF (ret.), who formerly served as Commander in Chief of United States Strategic Command. He also served as the Department of Energy's “Security Czar.”
General Habiger’s whitepaper draws a number of important conclusions, including these five points:
1. America is routinely the victim of nation-state driven cyber intrusions that can be seen as low-grade cyber-border conflicts.
2. Some of these attacks have crossed a critical line: they have compromised critical systems supporting our troops engaged in combat.
3. Our failure to proactively address these threats risks a digital Pearl Harbor or 9-11.
4. Deterrence by retribution and preemption, our nation’s core national security strategies, are of limited value against cyberwar and cyberterror threats—“these rotary-phone-era strategies are not well suited for today’s digital world.”
5. A new approach based upon deterrence by denial is needed, which will require nothing short of a total paradigm shift from both government and the private sector.
INSIGHTS & RESOURCES
The Cyber Secure Institute has a robust research agenda focused on:
- Cyber threats our nation faces.
- Legal and regulatory requirements on government and companies to adopt Cyber SecureTM technologies.
- Certification regimes for IT technologies.
RESOURCES
- U.S. Government
- GAO Reports
- Other Governments/ Foreign and International Organizations
- Think Tanks/ NGOs / Academia
- Industry Groups
- Companies
United States Government
U.S. Government - Executive:
White House: The Agenda: Technology
President Obama and his administration have outlined their plans for technology and cyber-security. The main points of the agenda include ways to secure these important technologies while still leaving them open to sharing information and fostering a competitive market. The Obama administration intends to hold those people accountable who are guilty of violating personal privacy. In addition, there are plans to increase research not only in the government but also in universities and other institutions around the country.
http://www.whitehouse.gov/agenda/technology
White House: The Agenda: Homeland Security
One of the major components of President Obama’s homeland security agenda is to “Protect Our Information Networks.” This plan describes what the administration intends to do to improve and uphold cyber-security. The agenda particularly will include new higher standards of information and IT protection. To create the most secure networks possible, the government will have to rework the nation’s cyber infrastructure and use necessary resources to fight various forms of cyber crime and cyber espionage. In the 21st century, to secure our internet and networks is a vital component of homeland security.
http://www.whitehouse.gov/agenda/homeland_security
U.S. Government - Congressional:
CRS: Information Operations, Electronic Warfare, and Cyberwar:
Capabilities and Related Policy Issues
This CRS report addresses U.S. national security issues relating specifically to cyber-war, and they explain the major differences between types of information and how these can be exploited. They define some of the emerging threats and issues relating to cyber-security, and provide a context of threats already faced. Additionally the report provides some major areas for the U.S. government to focus their attention, in the context of these issues.
Their primary areas of focus include:
- Psychological Operations (PSYOP)
- Military Deception (MILDEC)
- Operational Security (OPSEC)
- Computer Network Operations (CNO)
- Electronic Warfare (EW)
CRS: Creating a National Framework for Cybersecurity: An Analysis of Issues and Options
This report takes a look at the major emerging problems with cyber-security. Through identifying critical deficiencies, the report is able to more effectively address the question of “how do we fix our security issues?” Not only are problems identified, but also a number of potential “best practices” and legislation ideas are provided to repair these breaches. In addition, research is presented to explain whether the government or the private sector should address the specific issues.
CRS: Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress
Clay Wilson, a Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division prepares this report which focuses on emerging threats in the realm of IT security, with a special emphasis on cyberterrorism as a business which can have extreme effects on critical infrastructure. Wilson identifies the major categories of threats facing the nation, and he offers some important issues on which congress should focus, including:
- Growth in technical capabilities of terrorists
- Incentives for the National Strategy to Secure Cyberspace
- Improving Security of Commercial Software
- Coordination Between Private Sector and Government
CRS: Terrorist Capabilities for Cyber Attack: Overview and Policy Issues
Providing information about why terrorists may be moving in a more cyber-based direction, this report details how these threats can be addressed and identified. Although the international community has worked towards standardizing some international cyber regulations, these efforts have fallen short of those which would maximize protection. This resource also provides good explanations about the roles of various US departments in the effort to deter Cyber Crimes—including the DHS, DOD, FBI, NSA, and CIA.
CRS: The Economic Impact of Cyber-Attacks
Especially relevant during our current economic crisis, this CRS report provides vital information about the economic effects of cyber threats. The approach presented within compares economic consequences of problems to costs associated with preventing those problems. Some of the major areas of focus are on effects on stock prices and costs of infection of various types (including viruses, worms, etc.). These statistics are compared within the US and Globally. The final sections provide details on IT spending and possibilities for policy options.
U.S. Government - Other:
CSIS Commission on Cyber Security for the 44th Presidency Report : Securing Cyberspace for the 44th Presidency
“The CSIS Commission on Cybersecurity for the 44th Presidency has released its final report, ‘Securing Cyberspace for the 44th Presidency.’ The Commission’s three major findings are:
- Cybersecurity is now one of the major national security problems facing the United States;
- Decisions and actions must respect American values related to privacy and civil liberties; and
- Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.”
GAO Reports:
Coming soon…
Other Governments/ Foreign and International Organizations:
CEC: Cybercrime: The Council of Europe Convention
This report details the efforts of the Council of Europe’s Convention on Cybercrime. The treaty which was signed by 43 nations attempts to set standards for internet security and crime prevention. Some of the main points of the convention include:
- Define criminal offenses and sanctions under their domestic laws for
four categories of computer-related crimes. - Establish domestic procedures for detecting, investigating, and prosecuting computer crimes, and collecting electronic evidence of any criminal offense
- Establish a rapid and effective system for international cooperation
INTERPOL: IT security and crime prevention methods
This section of the INTERPOL website provides valuable background information and a workable plan to increase cyber security. They specify ways to identify and prevent various breaches from occurring. They clearly define the threats that may affect different platforms of internet devices such as handheld computers and network architectures. This resource is also helpful because it provides ideas which may be seen as international standards, so it provides a different perspective from many of the other reports.
Think Tanks/ NGOs / Academia:
CSIA: Data Security: Get the Facts
The Cyber Security Industry Alliance (CSIA) presents in this report definitions and explanations of various security problems one may encounter. The main topics of interest in this report include data breaches and identity theft, and these subjects are defined and explained in terms of the types of threats that they may pose. CSIA explains who may be affected by these problems, what has been done about them in the past, and what they feel should occur in the future to minimize problems. They specifically suggest that when proposing legislation, the government must create a law that… “require[s] reasonable security measures, encourage[s] best practices such as encryption, create[s] a consistent and recognizable notification standard, and include[s] effective enforcement capabilities.”
Industry Groups:
CSI: 2008 CSI Computer Crime and Security Survey
The 2008 CSI Computer Crime and Security Survey is a comprehensive study of various businesses around the country. The purpose is to identify and account for major trends in harmful IT activity and to evaluate and suggest best practices. The report additionally accounts for frequency and type of IT attack. Some of the major findings include:
- Financial fraud was the most expensive form of computer security issue, and cost, on average, an estimated $500,000
- Virus incidents were the most frequent problems faced by companies, and occurred in 49% of the respondent’s businesses
- 20% of responding organizations experienced a DNS incident
- 27% of respondents experienced an IT attack directed specifically at their institution
Companies:
McAfee: Initiative to Fight Cybercrime
Computer security software company McAfee has released a plan to fight cybercrime. They identify some of the key problems and suggest three major areas of focus to create the best possible cyber-security program: Technology and Innovation, Education and Awareness, and Legal Frameworks and Law Enforcement.
Some of McAfee’s specific suggestions include:
- Collaborating on projects within the security industry, including formalized research cooperation among the major security players
- Creation of easier forms of security for consumers to utilize
- Increasing education and awareness of available products and initiatives in addition to providing information on the actual effects of cyber crime
- Constantly updating and improving legislation to ensure that computer crimes are dealt with effectively
McAfee: Virtual Criminology Report: North American Study into Organized Crime and the Internet
This McAfee report takes a new class of criminals is exploiting the internet to carry out their scams. McAfee additionally provides some insights as to how to protect one’s system against these organized criminals and how these organized cyber-criminals may exploit personal, governmental, and industry computers. One other major component of this research report is the classification and explanation of various types of online security threats. The relevance of this article is heightened by Ralph Basham, Director of the United States Secret Service’s, comment that “Information is itself the target. Information is the World’s new currency.”
McAfee: Unsecured Economies: Protecting Vital Information
This important report is the first global study of the vulnerability of the world’s sensitive information and intellectual property. It approached the problem of cyber-security on international basis, with countries all over the world participating in the research. The study identifies patterns and assesses major global threats to IT security, and it also provides recommendations to asses the identified problems. The key findings of this global research project include:
- Valuable data is being moved—and lost
- The current economic downturn may be a perfect storm for security breaches
- Geopolitical perceptions have become a reality in information security policies
- Intellectual property is a new currency for cybercriminals
IBM: The Evolving Threat: Combat Training for the New Era of Malicious Code
IBM details the evolution of cyber threats by comparing some of the major previous problems to those which are emerging and are on the horizon. One of the main differences they document is the shift in purpose of attacks from more innocent types to more harmful attempts at stealing funds and valuable information. There are questions provided to assess whether or not one’s system has adequate protections, and there are detailed explanations of which types of protections are effective for particular threats. The report further details different types of infections, including:
- Designer Malware
- Spear Phishing
- Ransomware
- Root Kits
- Trojans
12.8.08
CSIS Commission on Cyber Security for the 44th Presidency Report : Securing Cyberspace for the 44th Presidency
“The CSIS Commission on Cybersecurity for the 44th Presidency has released its final report, ‘Securing Cyberspace for the 44th Presidency.’ The Commission’s three major findings are:
- Cybersecurity is now one of the major national security problems facing the United States;
- Decisions and actions must respect American values related to privacy and civil liberties; and
- Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.”
11.16.08
Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities (GAO-08-1157T)
“GAO has reported over the last several years that DHS has yet to fully satisfy its cybersecurity responsibilities. To address these shortfalls, GAO has made about 30 recommendations in the following key areas.
Table: Key Cybersecurity Areas Reviewed by GAO:
- Bolstering cyber analysis and warning capabilities.
- Reducing organizational inefficiencies.
- Completing actions identified during cyber exercises.
- Developing sector-specific plans that fully address all of the cyber-related criteria.
- Improving cybersecurity of infrastructure control systems (which are computer-based systems that monitor and control sensitive processes and physical functions).
- Strengthening DHS’s ability to help recover from Internet disruptions.”
11.9.08
DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise (GAO-08-825)
“Federal policies establish the Department of Homeland Security (DHS) as the focal point for the security of cyberspace. As part of its responsibilities, DHS is required to coordinate cyber attack exercises to strengthen public and private incident response capabilities. One major exercise program, called Cyber Storm, is a large-scale simulation of multiple concurrent cyber attacks involving the federal government, states, foreign governments, and private industry. To date, DHS has conducted Cyber Storm exercises in 2006 and 2008. GAO agreed to (1) identify the lessons that DHS learned from the first Cyber Storm exercise, (2) assess DHS's efforts to address the lessons learned from this exercise, and (3) identify key participants' views of their experiences during the second Cyber Storm exercise. To do so, GAO evaluated documentation of corrective activities and interviewed federal, state, and private sector officials.
As a result of its first Cyber Storm exercise, in February 2006, DHS identified eight lessons that had significant impact across sectors, agencies, and exercise participants. These lessons involved improving (1) the interagency coordination groups; (2) contingency planning, risk assessment, and roles and responsibilities; (3) integration of incidents across infrastructures; (4) access to information; (5) coordination of response activities; (6) strategic communications and public relations; (7) processes, tools, and technology; and (8) the exercise program. While DHS has demonstrated progress in addressing the lessons it learned from its first Cyber Storm exercise, more remains to be done to fully address the lessons.”