<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CISSP &#124; Information Security Training &#124; CISSP Certification &#124; CISSP Training - Shon Harris&#187; Information Technology Security</title>
	<atom:link href="http://cissp.logicalsecurity.com/category/information-technology-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://cissp.logicalsecurity.com</link>
	<description>CISSP Blog by Shon Harris - CISSP - Information Security Training - CISSP Certification - CISSP Training - Security Training - Logical Security - Shon Harris</description>
	<lastBuildDate>Tue, 13 Dec 2011 21:42:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Shortages in Federal Government’s Cyber security Work Force</title>
		<link>http://cissp.logicalsecurity.com/information-technology-security/cissp/shortages-in-federal-government%e2%80%99s-cyber-security-work-force/</link>
		<comments>http://cissp.logicalsecurity.com/information-technology-security/cissp/shortages-in-federal-government%e2%80%99s-cyber-security-work-force/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 12:04:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[csis]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[federal government cyber security]]></category>
		<category><![CDATA[pps]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=388</guid>
		<description><![CDATA[Two new reports&#8211;from the Center for Strategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service (PPS)&#8211;highlight serious shortfalls among the federal government’s cyber security work force. Against a background of growing threats to the IT infrastructure of the U.S. military, civilian federal agencies, and major [...]]]></description>
			<content:encoded><![CDATA[<p>Two new reports&#8211;from the Center for Strategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service (PPS)&#8211;highlight serious shortfalls among the federal government’s cyber security work force. Against a background of growing threats to the IT infrastructure of the U.S. military, civilian federal agencies, and major private-sector firms, the reports find common ground on short- and longer-term recommendations for grappling with this pressing concern.</p>
<p>The reports make clear the mounting threats to federal agencies and to major private-sector firms and vital national infrastructures. “Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange,” notes the Booz Allen/PPS report. In the past few years, millions of attempts have been made to hack into defense digital networks, and cyber criminals have penetrated the nation’s electrical grid.</p>
<p>For “the past six years,” the CSIS report states, “the US Department of Defense, nuclear laboratory sites and other sensitive US civilian government sites have been deeply penetrated, multiple times, by other nation-states.” In 2008, CSIS adds, “one of the nation’s largest processors of pharmacy prescriptions reported extortionists had threatened to disclose personal and medical information on millions of Americans.” Indeed, last year the General Accountability Office (GAO) reported deficiencies in the ability of 23 of 24 federal agencies to detect or thwart cyber attacks.</p>
<p>President Obama has declared cyber security to be “one of the most serious economic and national security challenges we face.” Defense Secretary Robert Gates has stated that the Department of Defense (DoD) is “desperately short of people who have capabilities (defensive and offensive cyber security war skills) in all the services.”</p>
<p>The two reports essentially agree on the deficiencies facing the federal agencies. CSIS notes the “shortage of the highly technically skilled people required to operate and support systems already deployed” and “an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools” for preventing and mitigating damage from malicious acts.</p>
<p>Booz Allen identified four serious conditions inhibiting the strength of the cyber security workforce:</p>
<ol>
<li><strong>An inadequate pipeline of potential new talent.</strong> Just 40 percent of the federal chief information officers (CIOs), chief information security officers (CISOs), and IT managers surveyed find the quality of applicants for cyber security jobs sufficient. This leads to a disproportionate reliance on contractor personnel, such as the 83 percent of CIO staff at the Department of Homeland Security who are private contractors.</li>
<li><strong>Uncoordinated leadership and fragmented governance in the federal effort,</strong> with no one organization heading up decision making or planning for the cyber security workforce. Thus agencies sometimes work at cross-purposes. None of the people interviewed for the report could provide an official count of the actual number of government cyber security personnel.</li>
<li><strong>Recruitment and retention of cyber security talent is hampered by</strong> the federal government’s cumbersome hiring processes, outdated job classifications, inadequate specialized training, and absence of a federal career path. One computer science job category was last updated in 1988&#8211;before the adoption of the Internet.</li>
<li>Hiring managers, compared to HR managers, are dissatisfied with efforts to hire cyber security talent.</li>
</ol>
<p><em>CSIS reaches similar conclusions, and provides others as well. “There is neither a broad cadre of cyber experts,” its report notes, “nor an established cyber career field to build upon.” CSIS specifically criticizes the certification process, asserting that credentials focus on showing expertise in complying with statutes, not risk reduction, thus creating “a dangerously false sense of security.” </em></p>
<p>The two reports take somewhat similar paths in their recommendations for improving the workforce. Taking the big view, Booz Allen/PPS calls for the White House cyber security coordinator, agency leaders, and OPM to formulate a government-wide blueprint for addressing workforce demands. The blueprint would include tools to gauge the health of the workforce.</p>
<p>Regarding certifications, Booz Allen/PPS advocates updating job classifications, while CSIS calls for the adoption of rigorous professional certifications. CSIS would accomplish the latter through creation of a governance body, to be evaluated after a two-year pilot test, which would formulate and administer certifications in new specialty areas. Members in the governance body would be drawn from key federal agencies, major private-sector organizations, and universities with important cyber education programs.</p>
<p>Both reports urge establishment of a career path in cyber security akin to that in civil engineering or medicine. CSIS emphasizes strengthening the technical competence of personnel through the hiring, acquisition, and training processes, while Booz Allen/PPS stresses the provision by Congress of adequate funding for such purposes as worker training and the bolstering of management expertise.</p>
<p>Funds would include graduate and undergraduate scholarships in cyber security such as the Scholarship for Service program. In fact, CSIS posits a number of initiatives to enhance cyber security education, including an OPM action plan on career issues, and the creation via the federal Chief Information Officers Council of a Cyber Corps alumni group.</p>
<p>More broadly, the reports view the dearth in cyber security talent as reflecting the nation’s woes in science and technical education and in the technological workforce generally. To address this, CSIS stresses more rigorous school curricula, while Booz Allen/PPS calls for expanding scholarship funding in cyber security and computer science. “The White House should lead,” affirms Booz Allen/PPS, “a nationwide effort to encourage Americans to develop technology, math, and science skills.”</p>
<p>The two reports, shown below, were compiled from public reports and congressional testimony, and interviews with and surveys of federal subject matter experts and information officers in many federal agencies.</p>
<p><a href="http://csis.org/publication/prepublication-a-human-capital-crisis-in-cybersecurity" target="_blank">http://csis.org/publication/prepublication-a-human-capital-crisis-in-cybersecurity</a> <a href="http://www.ourpublicservice.org/OPS/publications/viewcontentdetails.php?id=135" target="_blank">http://www.ourpublicservice.org/OPS/publications/viewcontentdetails.php?id=135</a></p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><strong><em>Other Information:</em></strong></p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><strong><a style="font-size: 12px; font-family: Verdana,Arial,Helvetica,sans-serif; color: #224a42;" title="CISSP - Certified Information Systems Security Professional" href="http://www.logicalsecurity.com/education/education_courses_cissp.html">Certified Information Systems Security Professional (CISSP)</a></strong></p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><a style="font-size: 12px; font-family: Verdana, Arial, Helvetica, sans-serif; color: #224a42;" title="Free CEH online course" href="http://www.logicalsecurity.com/resources/resources_videos.html"><strong>Free CEH online course</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/information-technology-security/cissp/shortages-in-federal-government%e2%80%99s-cyber-security-work-force/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus Toolkit Gangs Staging Mass Attacks on Banking Applications</title>
		<link>http://cissp.logicalsecurity.com/information-technology-security/cissp/zeus-toolkit-gangs-staging-mass-attacks-on-banking-applications/</link>
		<comments>http://cissp.logicalsecurity.com/information-technology-security/cissp/zeus-toolkit-gangs-staging-mass-attacks-on-banking-applications/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 11:51:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[logical security]]></category>
		<category><![CDATA[mass attack]]></category>
		<category><![CDATA[shon harris]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[zeus]]></category>
		<category><![CDATA[zeus toolkit]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=383</guid>
		<description><![CDATA[Zeus, or Zbot, is a software toolkit that enables malware coders to build hard-to-detect Trojan horses, ones typically employed against the bank accounts of unsuspecting owners. (A Trojan horse is malicious software, secretly embedded in a system or application, that is “turned on” at a time of the attacker’s choosing.) Launched from behind command and [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Zeus</strong>, or <strong>Zbot</strong>, is a software toolkit that enables malware coders to build hard-to-detect Trojan horses, ones typically employed against the bank accounts of unsuspecting owners. (A Trojan horse is malicious software, secretly embedded in a system or application, that is “turned on” at a time of the attacker’s choosing.) Launched from behind command and control servers, Zeus is known by various names— Zeus, Zbot, Wsnpoem, PRG, Kneber, and Gorhax.</p>
<p>Since 2007, illicit organizations have employed Zeus to launch damaging, highly publicized attacks targeting the login credentials and other personal data associated with millions of computers, thousands of organizations, and uncounted numbers of users and their accounts. Relatively small groups of sophisticated criminal bands based in various nations&#8211;particularly in Eastern European countries such as Russia and Ukraine&#8211;have stolen tens of millions of dollars.  Computers in 196 countries have been subject to attack. The countries most affected include the U.S., U.K., Saudi Arabia, Egypt, and <a title="Turkey" href="http://en.wikipedia.org/wiki/Turkey">Turkey</a>.</p>
<p>In a typical scenario, malicious developers generate malware. The malicious code can be purchased on the cyber underground. Black-hat hackers who are part of criminal organizations break into and compromise computers. On the machines, they insert a Trojan which, when activated, pilfers the credentials of targeted persons, and penetrates the targets’ bank accounts. Meantime the thieves’ command and control server collects this sensitive data. The targets can be banks, ATM machines, credit card companies, social networking sites, telecommunication and other firms, and private individuals.</p>
<p>The hackers then transfer funds from these accounts to “mules.” Networks of mules consist of developers, non-technical individuals, and other illicit organizations. Often, they are foreigners who acquire fake passports and other identification in order to enter the country whose individuals and corporations are the targets of the attack.  After opening bank accounts, they “launder” the funds in the accounts to prevent tracking of the stolen funds. In addition, they transfer the funds to the organizers of the illicit scheme, in return for a percentage of the moneys procured.</p>
<p><em>For full article visit</em><em> </em><em><a title="Logical Security Articles" href="http://www.logicalsecurity.com/resources/resources_articles.html">Logical Security Resources</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/information-technology-security/cissp/zeus-toolkit-gangs-staging-mass-attacks-on-banking-applications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smartphone security: Risks and protection measures</title>
		<link>http://cissp.logicalsecurity.com/telecommunication-security/cissp/smartphone-security-risks-and-protection-measures/</link>
		<comments>http://cissp.logicalsecurity.com/telecommunication-security/cissp/smartphone-security-risks-and-protection-measures/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 11:21:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Telecommunication Security]]></category>
		<category><![CDATA[blackberry security]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[logical security]]></category>
		<category><![CDATA[shon harris]]></category>
		<category><![CDATA[smartphone protection measures]]></category>
		<category><![CDATA[smartphone risks]]></category>
		<category><![CDATA[smartphone security]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=381</guid>
		<description><![CDATA[Smartphones are infiltrating businesses of all sizes. Decreasing price points and increasing functionality puts enterprise-class capabilities in the palm of every Tom, Dick and Harry who connects to the corporate network. No big deal, right? Blackberrys, iPhones and Androids – among many others – enable your users to work more efficiently. But, like every other [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Smartphones</strong> are infiltrating businesses of all sizes. Decreasing price points and increasing functionality puts enterprise-class capabilities in the palm of every Tom, Dick and Harry who connects to the corporate network. No big deal, right? Blackberrys, iPhones and Androids – among many others – enable your users to work more efficiently. But, like every other piece of technology, smartphones come with a price to your organization. That price is in the form of risk. Let’s look at some of the ways smartphones introduce risk to your environment, and then look at some of the best practices for managing that risk.</p>
<p><strong>Data Loss</strong></p>
<p>Perhaps the most significant risk posed by smartphones is that of data loss. There are a number of ways data can be lost or stolen from smartphones. Most obvious is the loss or theft of the device itself. These small handheld devices can be easily forgotten in public places or picked up by casual passersby. Many users either don’t password protect their phone because of the inconvenience it poses or, if they do, use a simple four-character password that can easily be cracked. So all of the data – be it sensitive company data or personal data – is accessible by an unauthorized user.</p>
<p>There are also occasions upon which users have legitimate possession of another’s smartphone, but have no business accessing the data on it. For example, it is not unusual for a user to give an old phone to a friend who has lost their own or to donate an outdated phone to a charity. Data can also be exposed if a smartphone is resold or sent in to the manufacturer for repair.</p>
<p>But physical possession is not required to steal data off of a smartphone. Mobile applications can access the data on your users’ smartphones and, in some cases, even store that information on third-party servers. For example, applications marketed as tools to catch cheating partners and protect children can be downloaded to an unsuspecting user’s smartphone. The application captures emails, texts, browsing history and telephone calls, and stores that information on a server where it can be retrieved by an unauthorized individual. If any of those communications include corporate data, then it too is saved and can be accessed by a third party.</p>
<p>All of these scenarios put companies at risk of being noncompliant with laws and regulations around data privacy. If a user loses a smartphone storing unprotected corporate data or your data is stored on an unauthorized third-party server, your company is liable and can face fines.</p>
<p><strong>Common vulnerabilities</strong></p>
<p>Contrary to popular belief, smartphones are no better protected against denial-of-service attacks or malware infections than an unprotected PC. In fact, the applications that run on smartphones are subject to all of the same vulnerabilities. Consider Web applications, which have been used to spread malware, spyware, phishing attempts, etc., via PCs. Users are downloading similar applications to their smartphones, the difference being that smartphones typically do not have antivirus protection, so these infected files can propagate onto an IP network.</p>
<p>The smartphone’s small form factor further facilitates propagation of malware. It’s more difficult to identify risky web sites and suspicious emails and links on pared-down sites built specifically for a small screen. Plus, users tend to be more trusting of the data they receive on their smartphones because the devices represent a more intimate communications channel. Thus, they are more likely to click on potentially dangerous links.</p>
<p><em>For full article with Ten Smartphone Security Best Practices please visit <a title="Smartphone security" href="http://www.logicalsecurity.com/resources/resources_articles.html">Smartphone Security</a> Article at Logical Security.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/telecommunication-security/cissp/smartphone-security-risks-and-protection-measures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making the Internet Safer:  Online Resources for Parents and Children</title>
		<link>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/</link>
		<comments>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 11:11:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[internet safety]]></category>
		<category><![CDATA[logical security]]></category>
		<category><![CDATA[Practices for Safer Computing]]></category>
		<category><![CDATA[shon harris]]></category>
		<category><![CDATA[web safety]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=378</guid>
		<description><![CDATA[The online predator, Joel Garcia, finally got what he deserved. The 29-year-old Texan had been communicating online for some time with a 12-year-old.  He’s sent the child a number of pornographic images. In other postings he discussed having sex with the child. Finally, he and the child agree to meet to have sex. When Garcia [...]]]></description>
			<content:encoded><![CDATA[<p><em>The online predator, Joel Garcia, finally got what he deserved. The 29-year-old Texan had been communicating online for some time with a 12-year-old.  He’s sent the child a number of pornographic images. In other postings he discussed having sex with the child. Finally, he and the child agree to meet to have sex. </em></p>
<p><em>When Garcia arrived at the agreed-on place, however, he was met by FBI agents and Corpus Christi police. One official had masqueraded online as the child. In Garcia’s car, investigators found 14 child sex videos, and hundreds of photographs of child pornography. The arrested man was later sentenced to 14 years without parole. </em></p>
<p>The Internet is a great boon for learning, including for children. Yet children, due to their age and trusting nature, are at particular risk from the dangers of the Internet. The World Wide Web poses a great many and growing risks to children.</p>
<p>Online predators trawl the Web seeking to involve youngsters in inappropriate and illegal sexual relationships. The Internet allows sexual deviants to more easily gain access to information about youths they may be targeting. Such information can include a youth’s email address, web site, birth date and age, photos, family data, other friends, hobbies, and individual likes and dislikes. Based on such information, predators can begin to befriend impressionable youths, perhaps gaining their trust over a long period of time, perhaps through enticements such as the provision of free software games. At the same time, predators can maintain relative anonymity about themselves, or readily post false or misleading information. Once friendship is gained, predators may seek to physically meet their targets, sometimes by sending them money, tickets, or other means to travel to a rendezvous.</p>
<p>Common “hunting grounds” for predators include email, blogs, and social networking sites such as Facebook and MySpace. Another is online chat rooms, which by their nature promote anonymity on the one hand and, on the other, encourage children eager to converse and make friends to let down their defenses. By their very nature, children are vulnerable to predators. Emotionally immature, they crave attention. They have a natural curiosity, especially about topics that their parents may have declared off limits. They are accustomed to obeying the requests of adults, and are unlikely to suspect that such requests are illegitimate.</p>
<p>The Internet is awash with pornography sites, including children’s porn sites. Predators may seek to photograph or film children and young adults for use by such sites. To gain material for such sites, or for their own illicit purposes, predators may “cyberstalk” children, constantly harassing them, or attempting to gain their trust in online “friendships” leading to destructive real-life encounters.</p>
<p>A great many free online resources are available for parents, children, and other concerned individuals on how to safely and effectively use Internet tools and devices.</p>
<p><em>14-year-old Phil loved his parents’ new laptop, and the Internet, and spent hours on the Web playing games and conversing with friends on Facebook. One week, however, Phil began receiving disturbing messages. A “friend” from middle school posted messages on Phil’s Facebook “wall” using offensive language and made-up slurs. An adult stranger commented weirdly about Phil’s Facebook photos, while requesting Phil’s personal email. Phil was bothered by the messages, and told his mother about it. </em></p>
<p><em>Phil’s mom was herself, for her job as a marketing manager, a practiced user of social networking sites. She got on Facebook with her son, and showed him how to tighten up the security and privacy of his account. Together they changed his privacy settings to allow access to his photos and profile only to certain actual friends and relatives. They blocked messages from the adult stranger. And Phil’s mother stressed to him that he should in the future only accept messages and friend requests from persons and organizations he knew and trusted. </em></p>
<p>One site full of information about the risks the Internet can pose to children, and how to mitigate those risks, is Web Wise Kids, located at: <a href="http://www.webwisekids.org/">http://www.webwisekids.org/</a></p>
<p>Web Wise Kids, sponsored in part by the Department of Justice, is a 501(c)3 non-profit organization that offers informative and easy-to-understand programs for both children and adults on matters such as online predators and stalking, safe blogging and cell phone use, and computer fraud and piracy.</p>
<p>Programs include interactive games where children and teens play detective to “turn the tables” on Internet predators, by investigating and collecting evidence about their illicit use of spyware and counterfeit software.  For parents, instructors, and law enforcement personnel, the Wired with Wisdom program is a user-accessible, online game that explores topics such as chat rooms, personal web sites, and email and social networking.</p>
<p>The federal government provides a number of such resources, in particular free publications from the Federal Trade Commission (FTC). The FTC publications include:</p>
<p><strong><em>Net Cetera: Chatting with Kids about Being Online </em></strong></p>
<p>Helps parents protect their kids and to talk to them about living their lives online. Topics covered include: parental controls, protecting the family computer, sexting, social networking sites, and increasing the safety of mobile phones. 56 pages.</p>
<p><strong><em>Social Networking Sites: A Parent&#8217;s Guide</em></strong></p>
<p>Urges parents and kids to talk about the risks involved in using social networking sites. Offers tips for using such sites safely. Helps parents with issues like: keeping information private, how their kids get online, avoiding sex sites, reviewing your children’s friends list, computer privacy settings.</p>
<p><strong><em>Social Networking Sites: Safety Tips for Tweens and Teens</em></strong><br />
Deals with such issues as: limiting the posting of personal information such as photographs, street address, and credit card data, being wary of meeting online “friends,” how posted information stays online “forever.” 4 pages.</p>
<p><em>For full article with 7 Practices for Safer Computing please visit <a title="Logical Security Articles" href="http://www.logicalsecurity.com/resources/resources_articles.html">Logical Security Resources</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is There Really Someone Out to Get You?</title>
		<link>http://cissp.logicalsecurity.com/information-technology-security/cissp/is-there-really-someone-out-to-get-you-by-shon-harris/</link>
		<comments>http://cissp.logicalsecurity.com/information-technology-security/cissp/is-there-really-someone-out-to-get-you-by-shon-harris/#comments</comments>
		<pubDate>Wed, 29 Sep 2010 08:29:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[apt]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[shon harris]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=229</guid>
		<description><![CDATA[&#160; Many times hackers are just scanning systems looking for a vulnerable running service or sending out malicious links in emails to unsuspecting victims. They are just looking for any way to get into any network. This would be the shotgun approach to network attacks. Another, more dangerous attacker has you in his crosshairs and [...]]]></description>
			<content:encoded><![CDATA[<p>&nbsp;</p>
<p>Many times hackers are just scanning systems looking for a vulnerable running service or sending out malicious links in emails to unsuspecting victims. They are just looking for any way to get into any network. This would be the shotgun approach to network attacks. Another, more dangerous attacker has you in his crosshairs and he is determined to identify your weakest point and do with you what he will.</p>
<p>As an analogy, the thief that goes around rattling door knobs to find one that is not locked is not half as dangerous as the one who will watch you day in and day out to learn your activity patterns, where you work, what type of car you drive, find out who your family is, and patiently wait for your most vulnerable moment to ensure a successful and devastating attack.</p>
<p>In the computing world, we call this second type of attacker an advanced persistent threat (APT). This is a military term that has been around for ages, but since the digital world is becoming more of a battleground, this term is more relevant each and every day.</p>
<p>An APT differs from the regular old vanilla attacker in that it is commonly a group of attackers, not just one hacker, that combines its knowledge and abilities to carry out whatever exploit will get it into the environment it is seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with various attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. The ‘advanced’ aspect of this term pertains to the expansive knowledge, capabilities, and skill base of the APT. The ‘persistent’ component has to do with the fact that the attacker is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than just a virus type of threat that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded – which makes it the biggest threat of all.</p>
<p>A virus is not an APT, a worm is not an APT, a bot is not an APT. An APT is commonly custom-developed malicious code that is built specifically for its target, has multiple ways of hiding itself once it infiltrates the environment, may be able to polymorph itself in replication capabilities, and has several different ‘anchors’ so eradicating it is difficult if it is discovered. Once the code is installed, it commonly sets up a covert back channel (as regular bots do) so that it can be remotely controlled by the attacker himself. The remote control functionality allows the attacker to traverse the network with the goal of gaining continuous access to critical assets.</p>
<p>APT infiltrations are usually very hard to detect with host-based solutions because the attacker puts the code through a barrage of tests against the most up-to-date detection applications on the market. A common way to detect these types of threats is through network traffic changes. When there is a new IRC connection from a host, that is a good indication that the system has a bot communicating with its command center. Since there are several technologies that are used in environments today to detect just this type of traffic, the APT may have multiple control centers to communicate with so that if one connection gets detected and removed – it still has an active channel to use. The APT may implement some type of VPN connection so that its data in transmission cannot be inspected.</p>
<p>The ways of getting into a network are basically endless (exploiting a web service, emailing links and attachments to users, gaining access through remote maintenance accounts, exploiting OS and application vulnerabilities, compromising connections from home users, etc.). Each of these vulnerabilities has its own fixes (patches, proper configuration, awareness, proper credential practices, encryption, etc.). It is not only these fixes that need to be put in place; we also need to move to a more effective situational awareness model. We need better capabilities for seeing what is happening throughout our network in near real time so that our defenses can react quickly and precisely.</p>
<p>Our battlefield landscape is changing from ‘smash-and-grab’ attacks to ‘slow-and-determined’ attacks. Just like military offensive practices evolve and morph as the target does the same, so must we as an industry.</p>
<p><em><strong>Other Information:</strong></em></p>
<p><strong><a style="font-size: 12px; font-family: Verdana,Arial,Helvetica,sans-serif; color: #224a42;" title="CISSP - Certified Information Systems Security Professional" href="http://www.logicalsecurity.com/education/education_courses_cissp.html">Certified Information Systems Security Professional (CISSP)</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/information-technology-security/cissp/is-there-really-someone-out-to-get-you-by-shon-harris/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

