If you didn't get a chance to catch this the other night
Thoughts and comments?
Are we seeing a cyber weapon proliferation similar to the nuclear weapons growth of the 50's and 60's?
Cyber weapon proliferation? How so?
The fact of the matter is that attacks…low grade ones, reportedly…have been detected. But that only means that those monitoring the networks were able to detect those attacks, and it doesn't account for *all* attacks.
What about attacks to the financial system, such as what results in a PCI forensic assessment being conducted? Doesn't the theft of massive numbers of credit card numbers constitute, on the whole, a national security threat?
Given that the most recent Verizon Business Security report states that 69% of the investigated breaches were initiated by third party notification, what do we know about who's watching the critical infrastructure networks? How well and how often are they trained?
There's simply too much left unsaid, IMHO…
"Cyber weapon proliferation? How so?"
My concern is a coordinated sophisticated attack across multiple business, government and military digital infrastructures from a foreign source. As the methods and tools become a higher grade, are we not looking at a potential electronic Pearl Harbor from a foreign entity?
Doug,
I would suggest that we're already seeing coordinated attacks across some businesses…just look at PCI. However, I would also suggest to you that there really isn't a great deal of need for a high level of sophistication. Again, I refer you to the most recent Verizon Business Security report.
Perhaps more topically, in a recent engagement, a web page was defaced by a bot. The admins argued that FrontPage was not installed, but lo and behold, right there in the image was the application…all of the files and Registry entries, including the author.dll file that was actually exploited. And still, the admins insisted the FPSE was not installed…
Harlan, I agree that the level of skill does not need to be sophisticated - that is of great concern in itself. What I am emphasizing is that the attempt of a coordinated effort would be a problem. I think there would be skill necessary to carry out larger widespread attacks across multiple areas even if the individual attacks are targeted at weaker and improperly secured systems.
I guess just from seeing these security issues on a daily basis I get that "gut feeling" there is going to be a big incident that makes people really address these issues. Do we need to impose penalties for weak systems? Would some kind of electronic trade embargo against weak networks help? You can lead a horse to water, but sometimes you have to grab its head by the reins and make it drink.
"I guess just from seeing these security issues on a daily basis I get that "gut feeling" there is going to be a big incident that makes people really address these issues."
There already has been; a few as a matter of fact. And the Federal response has been underwhelming. Shawn Carpenter and the Titan Rain incident is probably the most well publicized but there have been others, including some very recently, that suggest that there are "trial runs" being executed in preparation for a much more serious attack.
One of the problems is the relative lack of expertise of those who are in charge of our government's response to such incidents. Being head of an IT department, even head of IT security, doesn't necessarily prepare you for this type of work, and being a politician almost excludes you.
Another problem is the lack of treaties with foreign governments whose citizens are sometimes the "proximate" cause of these attacks. And these are countries who share our concerns, not to mention those countries where the government is so corrupt that they actually turn a blind eye to these issues.
Additionally, US law is a mishmash with respect to a coordinated response to such attacks. For example, many of these attacks are against private institutions which have limited remedies in the civil judicial system by which to investigate. As a result, they must depend upon law enforcement whose interests are not, necessarily, aligned with that of the corporate victim.
You have ISPs out there who offer cheap, unmanaged web, e-mail and other services and who do nothing to verify the identity of their account holders, many of whom use stolen credit card data to lease space. Some ISPs (including some in the US) actually make a business out of registering domain names using fake credentials in order to hide from ARIN the names of the actual domain holders.
Most states don't allow cars on the highways without inspections and basic safety features, but many ISPs don't care whether you have the latest Service Packs, hotfixes and antimalware. They let you on, anyway (and this doesn't begin to deal with the many problems in the security of popular OSes and applications).
The private sector has no interest in making their issues known to the public. As a result, investigators working for private sector clients have a lot of data about existing bots, command and control sites, etc., but they can't disclose these out of fear of exposing their clients to bad publicity.
The current laws require ISPs to keep log data for only 90 days. This can be insufficient time to escalate a civil investigation to the point of a criminal investigation and still have a warm trail.
In many cases, Law Enforcement assesses the importance of a case by the actual losses. This means that companies that detect intrusions and quickly act to mitigate the damages are actually penalized in terms of the urgency and importance assigned to their case. You mention kiddie porn and you'll have the entire bureau sweeping down on you, but try to get them interested in Internet theft of PII and forget it.
I could go on but it would be pointless. As mentioned earlier, none of these issues require a high tech approach and none require a significant loss of personal privacy to mitigate. But it requires the political will to approach the problems, the cooperation of the public and private sectors, a means by which information can be shared between government and civilian investigators without exposing businesses to damaging publicity, and greater monitoring of threats and potential threats than what is going on today.
Endpoint security is not sufficient and would not be even if it was universally deployed. But right now, that is what most individuals and organizations are focused on.
"Do we need to impose penalties for weak systems?"
Undoubtedly. You can't walk into a Federal building without passing a metal detector. You can't drive a car or fly a plane without a license. There are many other examples of simple measures to help ensure a minimal level of compliance with standards. In contrast, any moron (and worse, any miscreant) can get on the Internet and, as we have seen, it doesn't take much to be disruptive.
"Would some kind of electronic trade embargo against weak networks help? You can lead a horse to water, but sometimes you have to grab its head by the reins and make it drink."
Why not? There are autonomous systems out there that have little or no value with respect to legitimate content or services; we should refuse to peer with them. Those ASes and networks belonging to or located within governments known to be hostile to the US should be required to demonstrate why they should be allowed to peer with us.
A few months back, the Washington Post documented a case where users of a financial network had been, briefly, diverted to a site in the Ukraine. The problem was quickly identified and corrected. What was troubling was the fact that this site in the Ukraine had been documented by investigators at SANS and other places, as a hosting site for known malware, at least SIX months before this incident occurred.
The first thing that struck me in reading about this is: why was ANY ISP in the US still allowing traffic to this IP/AS when it was documented to be the source of malware? If this information was known by SANS (and others), why wasn't the network blocked until such time as it could demonstrate that the source of the malware had been eliminated?
Each day this site is updated with known sources of malware
http//
So why don't the ISPs find the CIDR of the network on which these sites are located and block the whole thing until such time as the network can demonstrate that it has no tolerance for purveyors of malware?
Better still, blacklist all networks until they can demonstrate that they have something of value to offer and are willing to police their users.
Sean, great perspectives. Ultimately I would love to see proactive measures taken to secure "digital borders" instead of the often passive wait-and-respond modes. It is just getting beyond frustrating that for 25+ years these issues are still prevalent: corporations with secrecy about incidents, underfunded law enforcement to deal with incidents, government bodies fighting with each other and politicians bullet-pointing the issues for sound bites.
Let's pull "The Hacker Crackdown" from the shelf. Well what do you know - same issues that we see today occurring in 1982 to the big year of 1988. It is beyond the Emperor Has No Clothes - we can point out all these issues over and over again but it seems insane that we have to wait for a national public problem to be on the news for more than 4 hours before something is done.
What are people's thoughts on an SEC-like agency that oversees electronic communications in the US, enforcing policy that large tier networks maintain specific security measures or have certain traffic halted until doing so? I am no fan of larger government involvement on many levels, but when it comes to securing the borders and enforcing laws this becomes a logistical necessity that is better handled by a government body.
"What are people's thoughts on an SEC-like agency that oversees electronic communications in the US, enforcing policy that large tier networks maintain specific security measures or have certain traffic halted until doing so? I am no fan of larger government involvement on many levels, but when it comes to securing the borders and enforcing laws this becomes a logistical necessity that is better handled by a government body."
I think that something of this nature will be necessary. It would not take much to undermine confidence in the entire system of electronic commerce just as the events of 9/11 changed people's attitudes toward air travel. Even the kind of lockdown that we saw with the Morris worm would cost hundreds of millions of dollars in damage, today.
Another issue that we have to deal with is the difference in privacy laws around the world. In some instances, EU electronic privacy laws are stricter than ours in the US, which makes collaboration with EU law enforcement difficult. In a case that I worked on, the State Department had to get involved in negotiations with three different European countries over information sharing in a criminal investigation, and these were "friendly" countries.
Also, many call centers are outsourced to countries with more lax privacy laws and, in some cases, Third World economies. In one case, we suspected a data breach at a foreign call center after we were able to determine that the same computer used to handle call center calls (where sensitive information was handled, including my client's) had also been used to post messages to various social networks and news groups. In one of those forums, an individual with the same name as the customer service rep was posting to a jobs BBS looking for employment and complaining that they weren't being paid enough at their current job (which they identified as being a call center supporting US businesses).
Some companies that outsource this work do their due diligence. But others are simply looking to save costs and have no ability to really inspect the operations of these offshore centers.
Some large financial firms outsource their call centers to firms in Asia where there are practically no privacy provisions pertaining to the data of non-citizens. Some of this needs to be more heavily regulated and I think that the Feds are the only entity capable of doing it.
The other places to put more attention are US educational institutions. These need to be provided with the tools to detect intrusions, to monitor and detect patterns of unusual activity, and to share information with each other about possible evolving exploits. Many educational institutions are not equipped to detect the low level of activity that can be a signature of a quiescent bot network.
Thus, the Department of Education may need to become more involved in the certification and accreditation of campus information infrastructures, just as the JCAHO looks at hospital information systems when accrediting hospitals.
Forget outsourced call centers for the financial industry.
How about outsourced infrastructure security for the backbones of the financial industry, where the SOC, Tier 1 and 2 are in a foreign country?
Enforcing security across legal boundaries is a true quagmire.