Column: Cyber Attacks -- the Reality, the Reason and the Resolution. Part 3

The smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. Photo from Shutterstock

June 19, 2013 By

We are connecting digital intelligence to our homes, businesses, critical infrastructure and national defense at such staggering rates that we had to come up with methods of collecting "big data." Individuals now have the ability to access terabytes of information, millions of apps and thousands of devices that have the potential of activating critical processes at the touch of a screen. Security has been a continual afterthought, even in areas as sensitive as our power grid. Even when security is responsibly deployed, breaches still happen, disclosing the weaknesses of current security solutions. There is no one-size-fits-all in cyber solutions. Instead, the best of the pieces are assembled to achieve the best possible security. Here are some good pieces of the security puzzle that, when put together, offer resolution to the big problems faced today in cyberattacks.

Securing the End Points

Whether you want to secure your private conversations or a corporate database, you must first have a way to authenticate the human or machine initiating action. Sadly, this needs a lot of work. Fortunately, there is a lot of available technology to choose from.

With the password being just about dead, companies are reaching for other ways to effectively authenticate and validate this all-important initial process: access. From biometric human authentication to encrypted nano-sensors offering machine location-based identifiers, we have the technologies to securely authenticate the start of just about anything. With the computing power and popularity of BYOD, the smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. We are now just beginning to deploy apps and chip sets supporting these authentication capabilities.

When we communicate with a machine, the security beginning and end point is not a port or cable connected to some device. The points are often very complex microchips with coded processes within themselves. These trusted computer chips, like BYOD devices, can become part of the solution in cybersecurity -- and part of the problem.

Don Thompson, CEO of MerlinCryption, explains the potential threat of microchip foul play in cybersecurity. "Embedding malicious code or 'back doors' into microchips is a growing trend in espionage," says Thompson. "The rogue chip conspiratorially communicates critical intelligence back to its criminal host. It is paramount to procure only tamper-proof USA-made chips to be used in developing the circuit board, then reinforce the device with robust encryption. End-point encryption, coupled with multi-factor authentication, thwarts attacks against data."

Securing Data in Motion

The most common solution for moving secured information over the Internet is the Virtual Private Network (VPN). A VPN extends a private network across public networks like the Internet by establishing a virtual point-to-point connection through the use of dedicated connections or encryption. These techniques add security to the information flow, but they are expensive and still have security vulnerabilities. Recognizing these costs and the security concerns with VPNs, a team at STTarx developed a method of truly protecting data-at-rest and data-in-motion while also masking transmissions. Their networks are stealthy and impenetrable, and messaging is immune to illicit decryption. This technique offers an economic and secure method of passing data through the Internet.

Curt Massey, the CEO of STTarx Shield, explains this unique process. "We never accepted the common wisdom that networks must always be vulnerable or that messaging must rely on increasingly complex and cumbersome encryption algorithms that would eventually be broken. We used a fundamentally different approach to solving both issues. Every pen tester for a period of years has walked away scratching their heads due to complete failure to either penetrate our networks or even capture our traffic. Those to whom we have given sample STTarx traffic have been completely unsuccessful in decrypting it. We enable other solutions to focus on protecting the internal network."

Securing the Process

Today we connect multiple levels of people, applications, software, hardware and networks to our enterprise, control systems and cloud computing. There are so many layers that we are beginning to lose control of what the business process and software logic are supposed to be doing, even though they are secured and authenticated. This is why recent exploit attacks have been directed, without detection, toward system process software, not just networks and databases. We need a method of real-time viewing, auditing and even blocking multiple simultaneous process actions. Rajeev Bhargava, CEO of Decision-Zone, found this same problem when trying to debug software programs, which led him to the unique use of graphical anomaly detection as a new method of intrusion detection security. This is how he explains it.

"The conventional view of security is primarily aimed at securing an organization’s assets, including facilities, goods, IT infrastructure and information silos. However, the characteristics of the threat environment organizations are exposed to are changing. Whereas in the past solitary intruders sought entry into an organization's network and facilities and created minor damage; nowadays these attacks originate from highly organized groups and are aimed at obtaining services or money by disrupting or diverting the victim’s normal business operations. Sometimes this is an authorized and authenticated insider.

"Processes, by nature, consist of a number of tasks performed by different individuals, usually within different departments," said Bhargava, "making them vulnerable to mistakes, misunderstandings, miscommunications and abuse. A business process consists of a set of logically interrelated tasks, intended to generate an output beneficial to the organization. A process aims to create higher-value output from lower-value input, at a cost that is lower than the increase in value of the generated product. These processes have extreme value to a company and often are the reason they have a competitive edge. These process inputs are the same place where security breaches can be identified, audited and potentially blocked. Decision-Zone has built the ultimate process security application for validating/tracking these input actions against the business process logic assuring both process productivity and process security."
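The idea described above, checking each process input action against the defined business process logic and flagging (or blocking) actions the logic does not permit, can be demonstrated with a small state machine. The following is an added example written for this column; it is not Decision-Zone's product or code. The purchase-order workflow (`create` -> `approve` -> `pay`), the role policy, the event tuple layout and the `SAMPLE_EVENTS` stream are all constructed for illustration.

```python
"""Toy process-logic monitor (added example, not Decision-Zone's product).

A business process is modelled as a small state machine plus a role
policy for each step. Events are replayed in order and any action that
the process logic does not permit is flagged. A real-time blocking hook
would sit at the point where an anomaly is recorded.
"""
from collections import defaultdict

# Hypothetical purchase-order process: each step names the steps that may
# legally follow it. "pay" is terminal, so nothing may follow it.
PROCESS = {
    "create": {"approve"},
    "approve": {"pay"},
    "pay": set(),
}
FIRST_STEP = "create"

# Role policy (assumed for illustration): which roles may perform each step.
ALLOWED_ROLES = {
    "create": {"requester"},
    "approve": {"manager"},
    "pay": {"finance"},
}


def check_events(events):
    """Replay (order_id, step, actor, role) tuples against PROCESS.

    Returns a list of (order_id, step, reason) anomalies, in event order.
    Besides illegal transitions and unauthorized roles, it flags an actor
    who both creates and approves the same order (separation of duties),
    the "authenticated insider" case mentioned in the text.
    """
    last_step = {}              # order_id -> last accepted step
    actors = defaultdict(set)   # order_id -> {(step, actor), ...}
    anomalies = []
    for order_id, step, actor, role in events:
        if step not in PROCESS:
            anomalies.append((order_id, step, "unknown step"))
            continue
        if role not in ALLOWED_ROLES[step]:
            anomalies.append((order_id, step, f"role {role!r} not permitted"))
            continue
        prev = last_step.get(order_id)
        if prev is None:
            if step != FIRST_STEP:
                anomalies.append((order_id, step, "process not started"))
                continue
        elif step not in PROCESS[prev]:
            anomalies.append((order_id, step, f"illegal transition {prev} -> {step}"))
            continue
        if step == "approve" and ("create", actor) in actors[order_id]:
            anomalies.append((order_id, step,
                              "separation of duties: creator approved own order"))
            continue
        # Action is consistent with the process logic: accept and record it.
        last_step[order_id] = step
        actors[order_id].add((step, actor))
    return anomalies


# Constructed sample event stream (not real data).
SAMPLE_EVENTS = [
    ("PO-1", "create", "alice", "requester"),
    ("PO-1", "approve", "bob", "manager"),
    ("PO-1", "pay", "carol", "finance"),      # clean run
    ("PO-2", "create", "alice", "requester"),
    ("PO-2", "pay", "carol", "finance"),      # approval skipped
    ("PO-3", "create", "dave", "requester"),
    ("PO-3", "approve", "dave", "manager"),   # role allowed, but creator approves own order
    ("PO-4", "approve", "bob", "manager"),    # approval of an order never created
    ("PO-1", "pay", "carol", "finance"),      # second payment after the terminal step
]

if __name__ == "__main__":
    for anomaly in check_events(SAMPLE_EVENTS):
        print(anomaly)
```

Run stand-alone, the script reports four anomalies for the sample stream (the skipped approval, the self-approval, the orphan approval and the duplicate payment) and nothing for the clean PO-1 run. The point of the design is that every check is against the process definition rather than against signatures of known attacks, which is why an authorized and authenticated insider who performs a valid step in an invalid order is still caught.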


Disclosures of cybersecurity breaches are constant. The damage done, money lost and intellectual property stolen are staggering. State-sponsored attacks have been validated, banks robbed, intellectual property stolen, even attacks on your personal privacy. Studies have stated with certainty that you have either been breached already or will be. The companies researched and quoted above have clearly stated their cases, have tested their capabilities and together can offer resolutions that specifically address these security issues.

Knowing the reality and reasons behind cyberattacks, it's time to stop talking and start offering resolution to these serious problems. In the last few weeks, with no uncertainty, we have recognized the immediate need for cybersecurity solutions, from our personal privacy to national defense. There is no "it won't happen to me" anymore. There is no more sticking our heads in the sand. We must immediately deploy prevention and detection technologies to our critical processes or, frankly, we could lose it all.


Column: Cyber Attacks -- the Reality, the Reason and the Resolution. Part 2

Computer Hacking Increase

June 7, 2013 By

Today, as in the beginning days of the Internet, people hack for power and money -- and for one other reason: simply because they can.

Early on, there were black hats and white hats; they were just much more reserved and secretive than today's headline-capturing hackers. The difference today is that there are massive amounts of information, intellectual property and money moving back and forth on information systems. Successful hacking attempts disclosed in just the last few weeks have demonstrated how millions of dollars in cash and trillions in state secrets can be stolen, amounts comparable to those taken in past wars. With the seriousness of cyber war now upon us, let's look in more depth at the reasons.

Reason No. 1: Power

With personal portable storage capabilities in terabytes and global Internet access available to all, organizations such as the National Security Agency (NSA) got interested in gaining power and control over technologies that could access these information systems. This led to years of control of encryption algorithms, software back doors, wireless spectrum and increased control over the Internet.

The NSA's information gathering is now refined in a secretive unit known as Tailored Access Operations. TAO identifies, monitors, infiltrates and gathers intelligence on computer systems being used by entities hostile to the United States. The unit uses automated hacking software to harvest approximately 2 petabytes of data per hour, which is largely processed automatically. With this much technological power must come responsible restraint. The U.S. Department of Defense calls the use of offensive exploit hacking "computer network exploitation," but emphasizes that it doesn't target technology, trade or financial secrets.

There is, however, a thin line in the use of exploitation hacking technologies that can quickly turn cybersecurity defense into cyber war offense. The first big example of cyber offense was the use of very sophisticated exploit malware called Stuxnet, which was used to attack the control system of an Iranian nuclear plant. Recently a state-sponsored attack was disclosed in a Defense Science Board study, as reported by The Washington Post. More than two dozen top U.S. weapons systems -- including the Patriot missile defense program, the V-22 Osprey, the Black Hawk helicopter and the Navy's new Littoral Combat Ship -- were compromised by a Chinese cyber espionage attack. This use of computer network exploitation is a clear example of just how powerful these cyber technologies are -- and how defenseless we are in stopping them.

In the past, as today, standards, compliance mandates and even secret government programs try to keep the potential use or abuse of both defensive and offensive information system security technologies in check. Big corporate and government involvement in these security technologies coordinated timely distribution of adequate security technologies while still controlling sophisticated methods of cracking security if needed. Today there is software that can find security back doors in minutes, and new exploit tools can be downloaded daily, making control of information security solutions much more difficult. We have reached a point in cybersecurity where we must focus on solutions that cannot be manipulated. We can't continue to think we can deploy cyber technologies that have hidden access or can develop exploit systems fast enough to stay ahead of a world of knowledgeable hackers. The true power in cybersecurity is just what it says it is: security. Nations that focus on financing defensive technologies will prove to have the real power in this cyber game.

Reason No. 2: Money

Cybercrime is now believed to be the No. 1 form of crime, exceeding even illegal drug trade. Some figures within the last year give an idea of how much money we are talking about -- commercial and government projections count trillions of dollars lost in global intellectual property, with recent bank robberies of $45 million in cash.

Attacks on the Pentagon by China clearly show how financially devastating the cost of these attacks can be. The cost of the F-35 Joint Strike Fighter, for example -- the most expensive weapons system ever built -- is estimated at $1.4 trillion. This is the largest single dollar-value theft of intellectual property and could take generations of taxes to recover. And this is just what is out in the open. Corporations have paid ransoms to keep their intellectual property, and some have even purchased stolen intellectual property. The stealing of IP has become so great that it is beginning to affect the backing of venture capital in start-up companies. Why pay for seed money for R&D if it can just be stolen? The protection of intellectual property and the dollar loss behind it has reached a threshold that demands immediate attention.

There are also legal beneficiaries of these cyberattacks, such as the people who sell security software, hardware and services. These companies clearly see new business on the horizon, such as smartphones, and are enjoying significant increases in profit. There are acquisitions and mergers of cybersecurity companies being made to strategically capture these profits. From penetration testing to consulting, things are pretty good for people in the cybersecurity business. Even hackers can make an honest buck. Experienced cybersecurity jobs now start at $100,000 per year for entry-level positions. Good hackers can just about write their own paycheck, and are offered jobs in U.S. government organizations such as Homeland Security, Department of Defense, NSA and even DARPA. Exploit hackers are now paid as speakers at national conventions as they demonstrate their new hacking capabilities to an applauding audience.

Yes, there is money to be made in cybersecurity -- but there are also costs.

Reason No. 3: Because I Can

In the early days of the Internet, I worked for suppliers of fiber-optic networks and Internet services, and I shared information with the FBI on child pornography, money laundering, credit card theft and personal identification theft. This business has exploded to a multibillion dollar business, as seen by a recent Secret Service bust of a $6 billion money laundering scheme. In the past, the bad guys quickly found out who the best hackers were and offered them big bucks -- and sometimes threats -- to assure support of their organized crime endeavors. Back then, I was caught between the black hats and white hats, and found one reason that they both hacked: simply because they could.

Sometimes hackers honestly can't stop themselves from so easily hacking information systems -- it's like leaving your house doors wide open, leaving for a year and wondering if someone will take something. In hacking, "the easy stuff first" still prevails, while the use of cybersecurity exploit technologies is just making things a lot easier. If we are to keep up, we must improve and move more quickly to stop targeted attacks. If you make it too easy, the likelihood of hackers attacking you is much greater, just because they can.

So if we have cybersecurity protection, then why are hackers hacking? Because they can. Secret back doors are even now affecting industrial control systems all over the world. Encryption algorithms classified for specific use and restricted transport have been stolen from encryption key repositories, and then used to access sensitive information, such as that held by government contractors. Virus protection companies have known limitations in stopping malware, while they charge people to remove the ones they missed. Sadly, the legacy cybersecurity technologies being used today don't work very well -- and the hackers know it. Even new analytic technologies are showing their weaknesses, requiring human intervention in analyzing the big data that is now overpowering current IT staff and systems. Why can hackers hack? Because we are using security technologies that have the appearance of security, but are not truly secure.

Conclusion: Offense vs. Defense

The trends and focus of obtaining new cyber offensive exploitation technologies vs. cybersecurity defensive technologies are troubling.

As a cybersecurity advisor and expert, I know of intrusion detection technologies that have been reviewed and tested at the highest levels and could, in fact, stop cyberattacks. When truly securing things, you sometimes have to give up capabilities like backdoor snooping or digital audit trails so accurate that no court would challenge the evidence -- things some aren't willing to part with. Our problem in the world today is that we have to resurrect things like honesty and moral character or, minimally, "trust but verify." If we expect our homes, neighborhoods, cities, country and workplaces to be secure, then we must show ourselves deserving while still monitoring for adversarial attacks.

We are adding cost to everything because we can't seem to curtail everyone stealing from everyone. Yes, we can use the same technology to aggressively retaliate against those who attack us, but this is a slippery slope that can lead to complete moral and economic disaster -- even war.

So what's the difference between today's hacking and the deterring technologies that can stop it? Not much. Do you think we can survive without putting in working cyber security defense? Do you want to know what the outcome is if we don't?

Read the first part in this three-part series here. The last article will cover the resolution of cyber attacks and the available technologies that can correct it.