Ben Mazzotta's Weblog

Ben Mazzotta is a postdoc at the Center for Emerging Market Enterprises (CEME).

Posts Tagged ‘information security’

Current events for Beth’s class

Beth Chalecki asked me to give a talk on cyber security for her course at Boston College. While I won’t post the slide deck here, I will compile a reading list on the blog. I’d like to note that the blogroll at right includes several of the big names in the field: Bruce Schneier, C. Warren Axelrod, Ross Anderson, David Rice, Alessandro Acquisti, and others.

Documents

News items

Academic works

* Beth: if you’d like to tackle cyber deterrence, Lukasik’s conference paper in these Proceedings (eds. Steinbruner et al., 2010, pp. 99-111) is an interesting departure point for debate.

Written by Ben Mazzotta

November 8, 2010 at 2:02 pm

Fuzzy Thinking on African Botnets

I call “bull.” African botnets are not WMD, and the solution to African botnets is not to prosecute the lucky few who have computers there. Franz-Stefan Gady is completely out of touch with the realities of IT in Africa. The last thing African governments need is to shunt scarce resources into prosecuting cyber criminals, particularly within their own borders. Please do something more useful with whatever resources you have: support export industries, build infrastructure, build a call center or an export processing zone, make jobs, and provide education and health care.

Honestly. Beefed up law enforcement? Where does Gady think most infections in Africa originate? Why would he presume that the botnets are home-grown?

Governments should find ways to make legitimate software available at prices users can afford. That means not taxing software imports, encouraging the use of free and open source software, and ensuring broadband access. Yes, greater bandwidth, and not less bandwidth, is crucial to safer computing. Bandwidth will give end users access to security updates and current virus databases that are prohibitively difficult to download when connections are slow.

Written by Ben Mazzotta

March 25, 2010 at 7:16 am

60 Minutes covers cyberwar

Steve Kroft of 60 Minutes covers cyberwar from the perspective of computer network operations and critical infrastructure. It is a welcome change from the usual fare of robotic weapons, web defacement, and online chat group flame wars. The video and transcript are available at 60 Minutes. Well worth the watch.

Written by Ben Mazzotta

November 9, 2009 at 9:32 am

Where do spam statistics come from?

Microsoft’s Security Intelligence Report seems to be the source of commonly quoted statistics about spam’s share of internet traffic. The ominous 97% figure is the fraction of email messages that are blocked by automated spam filters.

The point of the statistic is not that spammers have overwhelmed the Internet’s fragile bandwidth, but rather that using email without enterprise-class spam filters is all but impossible. Spam is generated in huge volumes to overwhelm spam filters, and it coevolves with spam filtering software.

According to a recent Cisco report, email and Web traffic account for somewhat less than 1/3 of total IP traffic. (That report includes projections out to 2013 and annualized growth forecasts.) So spammers aren’t going to break the Internet; rather, the aggressive growth of video, gaming, mobile data usage, and file sharing is changing the way network administrators monitor and shape traffic.

Two caveats to the Microsoft 97% spam statistic:

  1. It is published by a vendor.
  2. Other spam filters are not included in the survey.

For more on the description of the filters and the methods, you can visit the site and download the whole report: http://www.microsoft.com/security/portal/Threat/SIR.aspx

Also, TeleGeography has excellent free resources on international bandwidth and data traffic.

Written by Ben Mazzotta

September 4, 2009 at 8:28 am

How much data theft is a lot?

One question I find myself answering frequently is “How much data is stolen?” Put differently, friends and colleagues want to know how much data theft qualifies as a lot, or too much. Often people believe that they would already be aware of the problem if it were truly widespread. Thanks to legislation forcing companies to disclose losses to customers, it is now possible to track data breaches that affect consumers.

Privacy Rights Clearinghouse publishes a list of data breaches.

The related question is more difficult to answer: “What does it cost the victims?” The answer to that question depends greatly on the type of measures you use. Do you only count the actual dollars lost to fraud, such as credit card and ATM fraud? Does it matter whether the bank or the customer bears the losses? Can we measure the impact of corporate espionage on business? What value should we assign to personal reputations and corporate brands? Many companies are out there providing expert analysis on exactly this subject, but there is no single, best, universal metric to determine the value of a cyber attack.

Written by Ben Mazzotta

February 12, 2009 at 8:18 am

Spy uses subcontractors for access

Supply chain penetration is a vulnerability that has been in the news a lot recently. Corporations and governments know that IT systems hold the keys to the kingdom, but so far they have not been able to batten down the hatches of the supply chain. Corporations don’t want information about these types of problems to become public, so we should not look at these problems as some type of anomaly. These are just a few incidents that have made it into the press recently.

Iranian espionage case posted on ZDNet.

Following Pakistan’s recently introduced “Prevention of Electronic Crimes Ordinance 2008” according to which potential cyberterrorists would face the death penalty, a neighboring country, Iran, has recently executed an IT expert who confessed to being an Israeli spy for at least three years. After being recruited by Mossad during a business trip, Ali Ashtari, a trusted supplier of electronic and military equipment for the Iranian government, was allowing Israeli intelligence agents to backdoor the equipment he would later on install in Iranian military and government centers.

Written by Ben Mazzotta

December 3, 2008 at 10:29 am
