Cyber attacks from individuals, organized crime, extremist groups, terrorists as well as nation states pose a significant threat to the national security of the United States. While many believe that this is a government issue, closer analysis of the problem suggests otherwise. Any computer that is not properly protected can be compromised and used as a weapon against the system owner, businesses and our economy, the nation’s infrastructure or in some rare cases our defenses. Personal, business and government systems are constantly under attack and the frequency and sophistication of the attacks is rapidly increasing.
The number of new computer systems threat skyrocketed nearly 570 percent from those identified in 2006. According to one 2007 computer security study, the average annual loss reported by U.S. companies increased by nearly 210 percent to $350,424 (per occurence) in 2007. The top three primary sources of loss were financial fraud, losses due to computer virus and system penetration by outsiders. About 20 percent of the companies reporting security incidents said they have fallen victim to targeted malware attacks. Nearly 1.2 million different pieces of malware have been identified and reside in the malware repository. Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. The term is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, destructive, intrusive, or annoying software. The bad news is malware is just one of the many threats to computers, systems and networks.
A reader of the blog asked me “Why with all the U.S. technological expertise are we so vulnerable to these threats?” That is a great question. Considering a recent report suggested that around 90 percent of breaches could have been prevented, why are our computer systems so at risk?
After giving this a fair amount of thought I came to the following realization. It is our attitude! For some reason there is an abundance of “I know more than they do” types in information security. If that is not bad enough, the second most prominent attitude is “It can’t happen here” followed closely by “I will address it when it happens to me.”
Example 1 – A $13 billion publically traded corporation has five full time staff assigned to information security. When I asked the Director how he spent his time he said by far most was in the Human Resources Department and with corporate lawyers.
Example 2 – A systems design and development organization that services part of our nation’s infrastructure was briefed on the issues and threats of cyber attack. Numerous examples were provided to that organization that showed their industry had already experienced cyber attacks. In addition, a high level overview of their operational procedures resulted in the identification of two critical vulnerabilities that exposed the systems to compromise. The organization addressed one of those issues and decided to take a wait and see approach to addressing the other.
Example 3 – A security consulting firm contacted me as an advisor. They were brought in to review security and recommend changes of a publically traded company. During their work they discovered the company had been breached. They had found a “bot” attached to an Oracle database. The “bot” collected information about the manufacturing cost of the company’s products. They approached the CIO with the facts and the Sarbanes-Oxley issues, he refused to communicate the issue to the senior executives and then cancelled their contract.
Well, we don’t know more than all the hackers do. This is a highly dynamic threat environment that even the top security professional say is “challenging.” The “it can’t happen here” attitude is insane. One veteran US Special Agent in cybercrime investigation publically stated how companies do their best to cover up corporate espionage and insider theft. He went on to say he had seen entire corporate networks of over 100,000 systems completely compromised and hundreds of thousands of files exfiltrated and not disclosed. The fact is, if all system breaches were reported the security metrics would be much worse that the ones reported earlier here. So it not only can happen here, it probably already did and got covered up.
[From Covering Up Cyber Assaults]
Browsing Posts published on July 2, 2008
New research could allow ISPs to selectively block or slow down your encrypted traffic even if they cannot snoop on your transmitted data. Italian researchers have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session to around 90% accuracy. They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself. Challenges remain for ISPs to implement this technology, but it’s clear that encrypting your traffic inside an SSH session or VPN connection is not a solution to protect net neutrality.
The FBI has confirmed to Popular Mechanics that it’s not only adding palm prints to its criminal records, but preparing to balloon its repository of photos, which an agency official says ‘could be the basis for our facial recognition.’ It’s all part of a new biometric software system that could store millions of iris scans within 10 years and has privacy advocates crying foul. Quoting: ‘The FBI’s Next Generation Identification (NGI) system, which could cost as much as $1 billion over its 10-year life cycle, will create an unprecedented database of biometric markers, such as facial images and iris scans. For criminal investigators, NGI could be as useful as DNA some day — a distinctive scar or a lopsided jaw line could mean the difference between a cold case and closed one. And for privacy watchdogs, it’s a dual threat — seen as a step toward a police state, and a gold mine of personal data waiting to be plundered by cyber criminals.
My favorite group of federal Darwin Candidates are at it again.
Although its features and terminology may seem strange if you’re used to more traditional Linux filesystems, ZFS offers a great deal of flexibility.
[From ZFS on FUSE]
