You would have to not be connected to the Internet to have missed the discussions about the cuts that will befall the Defense Department as Washington moves to rein in the budget deficit. Just as that news started circulating, so did reports that cyber budgets wouldn't be touched. As more people became aware of the reported protection for cyber budgets, it seemed that many new private sector organizations rapidly began their journey to the budgetary safeguards of what might be called the cyber defense industry.
New organizations sprang to life, new service offerings were announced and information began to be purposely leaked about new product pipelines. In September we saw the infamous bubble chart, which was made famous by Gartner, depicting the cyber defense industry offerings of the private sector. Vendors are rushing to differentiate themselves and stand out from the rest of the pack. One went as far as to develop a specific product offering that would have you believe it was either given inside information or knew more than the National Security Agency.
In addition, industry analysts began selling for several thousands of dollars their insights into what they believe would be the rapid growth of this new defense industry sector. There are even executive white papers and reports on the cyber defense industry. Add to that the significant increase in the number of conferences about cyber warfare and conflicts that have been scheduled and it is clear the cyber gold rush is on. These efforts are not just happening in the United States but around the world as the cyber arms race accelerates.
Posted on Nov 03, 2011 at 7:23 AM
A short time ago a new piece of malicious code dubbed Duqu was discovered across Europe. Upon initial investigation, the code was classified as a virus and seemed to be programmed to target critical infrastructure providers. Upon further investigation, similarities were discovered to the Stuxnet code that attacked Iran’s nuclear program in 2010, damaging Iran’s uranium enrichment processing and the centrifuges used to create nuclear materials.
Researchers claimed that this new malicious program used much of the same code as the 2010 Stuxnet virus did. The biggest difference was that the code now being called Stuxnet 2 covertly penetrated sensitive systems, conducted cyber reconnaissance on control systems and created a back door that would allow for exploitation at a future time of the cyberattackers’ choosing.
Cyber intelligence sources I spoke with had a few issues with some of the claims being made about this cyberattack. For instance, the actual source code from the original Stuxnet has not been verified as such and was never openly released, and some portions are even encrypted. So how can they make the claim this was based on the original Stuxnet code?
Our source went on to say that it is more likely that the new strain was the result of reverse engineering based on the analysis of what the original Stuxnet actually did, even though that would still be an incomplete data set. So the linking between these two should be suspect at this point. Another source I checked with was quite upset that some have claimed that those behind the original Stuxnet (said to be Israel, Britain and the United States) were behind Stuxnet 2. Where is the hard evidence? As with all cyberattacks, attribution requires careful cyber forensics and analysis tied to hard cyber intelligence rather than the rush to judgment that all too often accompanies these incidents.
Posted on Oct 27, 2011 at 9:48 AM
You have undoubtedly seen the headlines about the Securities and Exchange Commission’s (SEC) new cyberattack disclosure requirements. The new requirements help publicly traded companies determine when they need to disclose that they have been the target of a cyberattack. The new requirements basically force publicly traded companies in the United States to report cyber incidents that could have a material influence on their business. The recent SEC guidance is an expression of the relative significance a cyberattack has on an organization.
In the cyberattack context, material impact can be generally defined as a cyber incident of significance that is likely to have a negative influence on the organization to the level where it will influence the company’s stock. At this time, there appear to be several rules that have been used in practice and academia to quantify or measure materiality. Two common methods of determining this are a percentage of the company’s total assets and a percentage of the company’s total revenue.
So let’s examine this for a moment. If a $2 billion company was hit by a cyberattack and materiality was defined as a mere five percent of the organization’s revenues, then the total cost of the attack would need to be $100 million for it to be reported. Imagine if the value of the company was the size of major defense contractors such as General Dynamics or Northrop Grumman. Both are worth tens of billions of dollars and both have been victims of cyberattacks in the last two years, according to media reports. Because of this, I don’t think we will be seeing many disclosures due to the reporting requirement.
Posted on Oct 20, 2011 at 7:32 AM
It is surprising just how many people are unaware that October has been designated Cybersecurity Awareness Month. We have become dependent on the Internet and computer systems in our everyday lives. Current cybersecurity practices are highly inadequate.
Some have said that cybersecurity practitioners have simply forgotten about the users. Cybersecurity efforts are viewed as inhibiting users from doing what they feel they need to do. When it comes to users, cybersecurity practitioners need to view users as much more than just an account or a set of user names and passwords. Users must become a partner, and also a source of cyber threat intelligence. After all, users are on the front line each and every day.
It's essential that we do a much better job of making the general user population aware of the cybersecurity threats they face on a regular basis. It can’t just be this month. We must keep this in front of users on a regular basis – perhaps monthly. Think about how dynamic this field is and how frequently new tricks and techniques appear.
Some suggestions are:
Encourage users to report strange e-mails they receive, and make them feel part of the solution.
Keep cybersecurity in the minds of users by using an internal security marketing campaign.
When a cybersecurity incident occurs, stop beating the user over the head when he or she makes a mistake.
Taking these three steps will not make all the security challenges we face go away. However, they will put the users on your side.
Posted on Oct 13, 2011 at 1:45 PM