Showing posts with label report. Show all posts
QOTD - WEF - Online Security As Public Good
Online security is also an example of a public good; costs are borne privately, but benefits are shared. When individuals weigh the cost of investing in antivirus software, they do not take into account the benefits of protecting other users from spam and advanced persistent threat attacks if their computers are infected with malware.
[...]
Innovative multistakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience.
Labels:
management,
report
QOTD - WEF - Axioms for the Cyber Age
Axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.
The document (correctly IMO) summarizes the current state of affairs with respect to system security:
There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome "hackability" may be as hopeless as denying gravity.
Src: Global Risks 2012 - Seventh Edition | World Economic Forum
Labels:
cybercrime,
government,
management,
report
QOTD - US Cyber Commander on Defending IT
On May 5, 2009, Army Lt. Gen. Keith Alexander, Director of NSA, and now poised to become new commander of the US Cyber Command, spoke before the Terrorism, Unconventional Threats, and Capabilities Subcommittee of the US House Armed Services Committee:
[The US must maintain] the capabilities to use cyberspace as a medium to deter, deny or defeat any adversary seeking to harm U.S. national and economic security; while ensuring actions are undertaken in a manner that protects our Constitutional liberties.
[Emphasis is my own]
...
The rapid expansion and global dependence upon cyberspace required the Defense Department to evolve its warfighting doctrine to include cyberspace as a viable domain on par with the domains of land, sea, air and space. Cyberspace is unlike the other warfighting domains; it is a man-made technological phenomenon solely reliant upon human activity. The Department of Defense defines cyberspace as 'a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems and embedded processes and controllers.'
...
More than the speed of the communications, the rate of change of cyberspace, and the applications that use it, is continuous, making this domain ever evolving. However, the convergence of communications devices being driven by cyberspace is fueling an integration that has far reaching consequences, both positive and negative, that must be appreciated if one is to understand this domain.
Src: Defending IT: Words from the New Military Cyber Commander | GovInfosecurity.com
Direct link to PDF of testimony
Labels:
e-spy,
government,
management,
qotd,
report
Andrew Jaquith on data breaches - laptops vs servers
Servers tend to be 8-10x more radioactive than endpoint computers -- Andrew Jaquith, Forrester
Earlier today, I had the chance to read an email that Forrester's Andrew Jaquith had posted. I asked him if he would share some of this early research with the rest of the community and was happy to see that he did.
Mining the information contained in the DatalossDB, Andrew found that while laptop-related breach reports grab the headlines, they often account for only a fraction of the number of records exposed by server breaches.
Src: Lost Laptops Get the Press; Server Breaches Cause More Stress | The Forrester Blog For Security & Risk Professionals
Labels:
management,
privacy,
qotd,
report
2009 The Year of Outsourcing Dangerously
This nine-page report on the dangers of outsourcing in 2009 is a must read for anyone whose organization is considering outsourcing options. It contains various nuggets of useful information, from a ranked list of the best (and worst) countries to an assessment of various offshore locations (safe vs. risky) across ten areas:
- Support for capitalism
- Corruption & organized crime
- Geopolitical conditions
- Economy & currency
- Law enforcement
- IT infrastructure
- Environmental laws
- Terrorism
- Maturity of legal system
- Climate
Direct link: 2009 The Year of Outsourcing Dangerously (PDF)
Labels:
management,
report
Cyberwar QOTD and Consensus Audit Guidelines
Amid much anticipation and press, a conglomerate of US agencies (incl. NSA, US-CERT, DoD) and the SANS Institute have released the Consensus Audit Guidelines (CAG). John Gilligan, CAG project leader and former CIO for both the USAF and DOE, said:
We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted... Our ability, at present, to be able to detect and defend against these attacks is really quite weak in many cases.
The CAG is comprised of 20 controls, with 1-15 being automatable:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software For Which Such Configurations Are Available
- Secure Configurations of Network Devices Such as Firewalls And Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols, and Services
- Wireless Device Control
- Data Leakage Protection
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Assured Data Backups
- Security Skills Assessment and Training to Fill Gaps
Labels:
government,
management,
report,
security_solutions
McAfee Report - Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime
A report released today (January 29, 2008) and sponsored by McAfee warns of the risks that the global recession poses to intellectual property and security: businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.
Here are highlights of the research, conducted by Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS):
- Recession puts intellectual property at risk
- Commitment to protecting vital information varies
- Intellectual property is now an international currency
- Employees steal intellectual property for financial gain and competitive advantage
- Geographic threats to intellectual property
"Cybercriminals are increasingly targeting executives using sophisticated phishing techniques"
Src: McAfee
Labels:
e-spy,
malware/exploits/vulns,
report
Websense report - State of Internet Security Q3-Q4 2008
Digesting the latest report from Websense reveals a bleak picture for the 2nd half of 2008. Let's review the findings and elaborate:
77 percent of Web sites with malicious code are legitimate sites that have been compromised.
Meaning that instead of primarily registering new sites, attackers are instead choosing to compromise existing ones.
70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
Attackers are choosing to compromise the very sites that people use frequently and normally trust (e.g. CNET Networks, BusinessWeek.com, BillOReilly.com, the New York Times, Facebook, Twitter).
Sites that allow user-generated content comprise the majority of the top 50 most active distributors of malicious content.
Web 2.0 allows for rich interactions with other users and content. However, it also provides hackers with powerful means to infect new machines by taking advantage of the dynamic and rich nature of the content that can be served (i.e. scripting).
57 percent of data-stealing attacks are conducted over the Web (a 24% increase).
The Web has become the new weapon of choice for hackers, allowing massive theft of data distributed over numerous law enforcement jurisdictions, which makes it hard to quickly investigate and prosecute.
The Web Remains the Number-One Attack Vector
The top 10 web attack vectors are, not surprisingly, centered around browser vulnerabilities, flaws in media software (PDF, Flash, ActiveX, RealPlayer, QuickTime), social engineering, third-party apps, and DNS weaknesses.
Src: State of Internet Security Q3-Q4 2008 | Websense
Labels:
report
McAfee 2009 Threat Predictions
The McAfee 2009 Threat Predictions report just issued paints a grim picture of malware reality as it stands today - "We have seen more malware in the past 12 months than ever before."
In 2008, 1.5 million pieces of malware were identified; that's 171 new pieces of malware detected every hour (2.85 every minute). "Malware is a business, and that business is thriving."
Src: 2009 Threat Predictions | McAfee
Labels:
report
The 7 Reasons why Businesses are Insecure!
Several times a year students and area businesses ask me how we ended up in such a precarious information security situation. The answer: doing nothing and pretending it's all going to go away. The cure: have a plan, involving management, education, policies, and practice incident response.
The article below goes into more details on each of these points and more.
Src: The 7 Reasons why Businesses are Insecure! | Beast or Buddha Blog
One more resource on this subject, educating upper management about cyber risks, comes from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). Earlier this year, they released a new guide to assist business executives in the analysis, management and transfer of financial risk related to a cyber attack.
Src: http://webstore.ansi.org/cybersecurity
Labels:
report
Cisco Report: Hackers Will Be Bolder, Smarter, Craftier in 2009
Not quite the rosy picture for 2009, the Cisco Annual Security Report should be a wake up call to all in the security sphere. Ready your defenses...
Who can you trust? [insert name of trusted site here] - Are you sure?
Who can you trust?
Targeted attacks and blended, cross-vector assaults, along with a 90 percent growth in threats originating from legitimate domains
A cloudy forecast for Web 2.0:
Internet criminals have staked out new attack vectors this year based on the use of Web-based services reached through standard browsers.
Raising an army of machines:
Attacks using botnets, social engineering and reputation hijacking became noticeably more prevalent.
But the network is secure, right?
The edge of the network is expanding rapidly, and the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.
And for the finale, some philosophy about security:
Human nature rules, and security decisions by corporations are sometimes only made after a problem develops.
Src: Hackers Will Be Bolder, Smarter, Craftier in 2009 | Technewsworld.com
More including videos at CNN Money
Gartner Identifies Top 30 Countries for Offshore Services in 2008
It's about time that security and privacy be factored into offshoring decisions. My own experience has been that a person's culture impacts his/her grasp of security and privacy. Some cultures have bartering concepts built into every aspect of life and therefore may not offer the level of robustness against bribery that might be expected. Anyone heard of "baksheesh"?
The Gartner report ranks countries based on 10 criteria, which include: language, government support, labor pool, infrastructure, educational system, cost, political and economic environment, cultural compatibility, global and legal maturity, and data and intellectual property security and privacy.
Src: Gartner Identifies Top 30 Countries for Offshore Services in 2008
Labels:
management,
privacy,
report
Biggest Security Threat becomes Human Factor
Two stories published within days of each other report on the current biggest challenge: the human factor. At least one of my fellow bloggers, Jeff Evenson over at CulturedSecurity.com, has made the human factor in security the focus of his writings.
The security threats have "more to do with human error and the usability of advanced authentication systems than any technical security problem." -- AlZomai (Web banking risk down to human error)
and
"Human error has become the biggest security concern for IT directors." -- Research report from Secure Computing (VUNet)
RSA finds Huge Cache of Stolen Financial Data
The RBN (Russian Business Network) is reportedly behind one of the largest repositories of stolen financial information. According to the RSA FraudAction Research Lab, it uncovered more than half a million credit card numbers and online bank account logins and passwords, apparently acquired by the RBN over the past 2.5 years.
Malware has increased in complexity and capability; the Sinowal trojan used in this attack can show the user a fake login page, luring the user to provide valid credentials which are then transmitted by the malware to a server in a remote location/country.
A Huge Cache of Stolen Financial Data - Bits Blog - NYTimes.com
Labels:
e-spy,
financial_data,
malware/exploits/vulns,
report
Sophos Security Threat 2008 Mid-Year Report
Highlights for the first six months of 2008 (Src: Sophos Security Threat 2008 Mid-Year Report):
- Over 11 million different malware threats are known to exist
- SQL injection attacks on web sites are the biggest threat today
- Every 5 seconds a new web page is discovered to be infected
- 97% of all email is spam
- Blogger is the top host for malware - strange given the limited features of this Google-owned site.
Labels:
report
Minority Report Version 2008
The US Department of Homeland Security wants to improve safety by reading your thoughts. Nice concept except that it can easily be defeated by terrorists finding a patsy who will obviously pass the "hostile thoughts" test.
Schneier's Blog Entry on Thoughtcrime
New Scientist's Original Story
Labels:
report