We’re Giving It All Away

Nice little video from Mandiant on “The anatomy of a cyber attack.”

Despite the typical firewalls, antivirus, and intrusion detection system, cyber attacks can and do penetrate your systems.

This happens through social engineering (including phishing attempts), automated spam, and zero-day exploits.

Once inside your network, the cyber attacker takes command and control of your computers, surveys your assets, steals user names and passwords, hijacks programs, and accesses valuable intellectual property.

Mandiant performs security incident response management (detecting breaches, containing it, and helping recovery efforts), and they are known for their report “APT1” (2013) exposing an alleged significant government-sponsored cyber espionage group that they state “has systematically stolen hundreds of terabytes of data from at least 141 organizations.”

Another fascinating report on a similar topic of advanced persistent threats was done by McAfee on Operation Shady Rat (2011) that reveals over 70 organizations (governments, commercial entities, and more) that were targeted over 5 years and had terabytes of information siphoned off.

The overall risk from cyber espionage is high and the McAfee report states:

– “Every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”

– “What we have witnessed…has been nothing short of a historically unprecedented transfer of [intellectual] wealth – closely guarded national secrets…disappeared in the ever-growing electronic archived of dogged adversaries.”

In short we can’t keep a secret–we’re putting endless gobs and gobs of our information online and are not adequately protecting it in cyberspace, with the result that our adversaries are able to access, exfiltrate, disclose, modify, or destroy it.

In short, we’re giving it all away – why?

Care To Be Curious?

Care To Be Curious?

Here’s three topics for the curious of mind today:

Are we technologically safer? As we attempt to beef up IT security, we continue to be technologically insecure. Just this last week, BBC reported how a fridge was part of 100,000 devices used to send out 750,000 pieces of spam. Yes, a fridge, and there was also a television involved–sounds like the beginning of a bad joke, right? But this is our reality these days…Proofpoint, a cloud computing and security company said “Many of these devices are poorly protected at best, and consumers have virtually no way to detect or fix infections when they do occur.”

Is our economy healing or hurting? As unemployment fell from 7% to 6.7% last week–an impressive reduction–the overall labor force participation rate didn’t rise, but rather sank to 62.8%–its lowest level in 35 years! And while, the Wall Street Journal explains that U.S. employment is simply not keeping up with population growth, the S&P 500 hit a new record high just last Wednesday. Meanwhile, the Fed continues to pour money into the economy, although at a slowing rate (expected to go down next week to only $65B a month), speculation is building whether we have another real bubble brewing, and this one of our own making, perhaps.

Is this the lead up to peace or war with Iran? As we continue to seek a long-term deal with Iran on their dangerous nuclear weapons foray, we read from Bret Stephens that Iranian President Rouhani said during his presidential campaign, “Saying ‘Death to America” is easy…We need to express ‘Death to America’ with action.” If we are getting a good deal that can truly lead to WMD disarmament of Iran, why did Rouhani tweet, “In #Geneva agreement world powers surrendered to Iranian nation’s will.” Curious, whether this is for political consumption in Iran or whether he sees the deal as just a stalling tactic leading to a breakout capability in nuclear weapons as well as a way to get some goodies in terms of sanctions relief for his country in the meantime.

What does little kitty cat say about these? πŸ˜‰

(Source Photo: Andy Blumenthal)

Catching More Flies With Honey

Catching More Flies With Honey

There’s an old saying that you can catch more flies with honey than with vinegar.

And this is true in cyberspace as well…

Like a honey pot that attracts cyber criminals, organizations are now hiring “ethical hackers” to teach employees a lesson, before the bad guys teach them the hard way.

The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.

The point of this is not to make people feel stupid when they fall for the hack–although they probably do–but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.

One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.

Another dupe is to send an faux email seemingly from the CEO or another colleague so that they feel safe, but with a unsafe web link, and see how many fall for it.

While I think it is good to play devil’s advocate and teach employees by letting them make mistakes in a safe way–I do not think that the people should be named or reported as to who feel for it–it should be a private learning experience, not a shameful one!

The best part of the article was the ending from a cyber security expert at BT Group who said that rather than “waste” money on awareness training, we should be building systems that don’t let users choose weak passwords and doesn’t care what links they click–they are protected!

I think this is a really interesting notion–not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace–where every misstep or mistake doesn’t cost you dearly in terms of compromised systems and privacy. πŸ˜‰

(Source Photo: Dannielle Blumenthal)

Governing the Internet Commons

Overgrazing

Recently, I’ve been watching a terrific series called America: The Story of Us(12 episodes)–from the History Channel.

It is a beautiful portrayal of the the founding and history of America.

One theme though that repeats again and again is that as a nation, we use the common resources and deplete them until near exhaustion.

The show portrays an America of lush forests with billions of trees that are chopped down for timber, herds of 30 million buffalo slaughtered for their hides, rollings plains of cotton for a thriving clothing industry that is over-planted, a huge whaling industry used for oil that is over-fished.

Unfortunately, as we know, the story is not just historical, but goes on to modern-day times, with fisheries depleted, whole species of animals hunted to extinction, energy resources furiously pumped and mined to a foreseen depletion, city streets turned into slushy slums, and national forests carelessly burned down, and more.

The point is what is called the “Tragedy of the Commons”–where items held in trust for everyone is misused, overused, and ultimately destroyed. With private property, people are caretakers with the incentive to maintain or raise the value to profit later. However, with common property, people grab whatever they can now, in order to profit from it before someone else gets it first.

This phenomenon was first laid out in the Torah (Bible) with a law for a “Shabbath Year” called Shmita mandating that people let fields (i.e agriculture) lie fallow for a full year every 7 years and similarly, the law of Jubilee (i.e. Yovel), that slaves be freed and loans forgiven every 50 years. I think that the idea is to regulate our personal consumption habits and return what the historical “commons” back to its normal state of freedom from exploitation.

This notion was echoed by ecologist Garrett Harden in the journal Science in 1968, where he described European herders overgrazing common land with their cows to maximize their short-term individual profits at the expense of longer-term term societal benefits. Harden suggested that regulation or privatization can help to solve the “Tragedy of the Commons.”

In the 21st century, we see the modern equivalent of the commons with the Internet, which is an open, shared networking resource for our computing and telecommunications.Without protection, we have the Wild West equivalent with things like spam, malware, and attacks proliferating–clogging up the network and causing disruptions and destruction, and where some people use more than their fair share

Here are some examples of the Tragedy of the Internet:

Symantecreports that even with spam decreasing with the shutdown of spam-hosting sites, in 2011, it is still 70% of all emails.

McAfeereports that malware peaked as of the first half of 2010, with 10 million new pieces.

Kasperskyreports that web-based attacks were up to 580 million in 2010–8 times the amount of the previous year.

Verizon Wirelessreports 3% of their users use 40% of their bandwidth.

If we value the Internet and want to continue using and enjoying it, then like with our other vital resources, we need to take care of it through effective governance and prudent resource management.

This means that we do the following:

1) Regulation–manage the appropriate use of the Internet through incentives and disincentives for people to behave civilly online. For example, if someone is abusing the system sending out millions or billions of spam messages, charge them for it!

2) Privatization–create ownership over the Internet. For example, do an Internet IPO and sell shares in it–so everyone can proverbially, own a piece of it and share financially in it’s success (or failures).

3) Security Administration–enhance security of the Internet through public and private partnership with new tools, methods, and advanced skills sets. This is the equivalent of sending out the constable or sheriff to patrol the commons and ensure people are doing the right thing, and if not then depending on who the violating actor(s) are take appropriate law enforcement or military action.

Only by managing the Internet Commons, can we protect this vital resource for all to use, enjoy, and even profit by.

(Source Photo: here)