Insiders do not attack – instead they use legitimate accesses in support of their operations.
-- DARPA (US) Broad Agency Agreement for Project CINDER
Src: DARPA-BAA-10-84, Cyber Insider Threat (CINDER) Program | FedBizOps
As social media become more embedded in everyday society, the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions and social slips. But people will not abandon social media, nor will privacy disappear. They will simply work harder to carve out a space for privacy as they understand it and to maintain control, whether by using pseudonyms or speaking in code.
The root source of risk is dependence — dependence on system state, including dependence on expectations of system state reliability. Indeed, my definition of security has co-evolved with my understanding of risk and risk’s source, to where I currently define security as the absence of unmitigatable surprise. Thus, increasing dependence results in heightened difficulty in crafting mitigations. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
And that is the crux of the matter: our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable. That sounds more apocalyptic than I intend, but the competent risk manager always asks, “How bad could it be?” or, in the altogether American tortious style, “Who will have to pay?”
Thinking that there's no one else out there who knows the details of a given zero-day flaw is one of the things that leads to ridiculously long gaps between disclosure and the release of a patch. Even in the case of a vulnerability for which all of the details aren't public, a bit of information combined with a short window of time before a patch is available can give attackers the head start they need to launch mass exploits.
If you bury your head in the sand and you're unwilling to learn the methods of the bad guys, you're more susceptible to falling for them.
I find it interesting to compare and contrast the differences in information security emphasis and skills across the world. In the USA, for example, it's clear that technology rules. In the UK, process is King. (Our legacy to the world is ISO 27000). In the rest of the World, however, it's generally people and culture that top the agenda.
I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time. [...] I mean we really have to think about these things as a society.
The thing [about social networking] that hasn't changed is the human factor. People are trusting of other people, especially if there is a request for help. One of the biggest things that worked for the Capture the Flag contest at Defcon was a contestant who said "Can you please help me with this?" Asking people for help, the human vulnerability, has not changed over the years [...] There is an inherent desire for people to help other people. There are trends of a positive nature, but they still get exploited. People are more security conscious today [...] The negative is we're so desensitized to certain attacks that we don't take notice of things that are occurring to us right under our nose.
It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.
It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway, and this software is only going to get more complex.
They’ll [i.e. hackers will] use the headlines of the day as bait. The malware will install itself on the user’s desktop or laptop, then dial out to another machine and say, ‘I’ve infected this organization, come do something.’
When a laptop is stolen, 99 percent of the time the [perpetrator] doesn't know he's got SSNs on it.
If I look at enough of your messaging and your location, and use Artificial Intelligence, we can predict where you are going to go.
Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the Internet? You've got Facebook photos!
[Information security] professionals today are required to quickly detect and understand relationships and patterns within information and data to enable accuracy, timeliness and reliability of information to decision-makers for effective response.
They need to understand the dynamics of their environment, gather metrics to know whether their controls are working, and then have the time to perform tool gap analysis to determine if a new technology or tool suite would fit better in their environment.
This calls for a complete situational awareness across technology silos that enables detection of complex information and data patterns to quicken response time within organizations.
Why do hackers succeed? They're lucky, they're patient and they're brilliant. They're also better funded than you.
The cybercrime ecosystem continues to thrive without the need for zero day flaws, and it will continue to as long as millions of end users continue getting exploited with 6+ months old flaws.
You guys made the cyber world look like the north German plain, and then you bitch and moan because you get invaded. We all get treated like Poland on the web, invaded from the west on even-numbered centuries, invaded from the east on odd-numbered centuries.
The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense. That really affects how you think about it when you're a GI.
From the abstract section of a paper by Ross Anderson and Shailendra Fuloria entitled "Who controls the off switch?"
We’re about to acquire a significant new cyber-vulnerability. The world’s energy utilities are starting to install hundreds of millions of ‘smart meters’ which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.
The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker – whether a hostile government agency, a terrorist organisation or even a militant environmental group – the ideal attack on a target country is to interrupt its citizens’ electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.
Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability[...]
Cyber is a domain like land, sea, air, and space. The difference is that God made four and you made the last one. God did a better job.
Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future...
While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they're finding new and interesting ways to stay hidden all the time.
The potential for considerable profits is enticing to young criminals, and has resulted in the creation of a large underground economy known as the cyber underground. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language, a set of expectations about its members’ conduct, and a system of stratification based on knowledge and skill, activities, and reputation.
One of the ways that cyber criminals communicate within the cyber underground is on website forums. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
You have to assume they're going to get in.
[...]
So, the art form here [i.e. dealing with the current attack landscape] is to figure out who's in your network, good or bad, figure out what they're doing, identify whether it is consistent with or contrary to all the policies you have to put in place to protect all of your information and systems. And, finally, once you determine if somebody is in there and doing something that you don't like ... figure out how to stop it, and figure out how to stop it quickly so that they don't do more than acceptable levels of harm. That's a new model; that's an entirely new prospect, and it requires new kinds of skills, new monitoring and controls technologies and new kinds of responses.
Eventually, virus writers will realize it is easier to make money by infecting phones than it is by infecting computers...
And, of course, there are more phones on this planet than there are computers.