December 30, 2012 By Dan Lohrmann
Over the past week, I’ve been surfing the Net looking for the top blogs and articles that both recap online security trends from the past year as well as offer new cybersecurity predictions for the coming year. Here’s a summary of what I’ve seen that’s memorable so far:
Imperva Trends 2013 – “These trends include hackers adopting malware techniques from "state sponsored" attacks, hackers leveraging cloud infrastructure to conduct attacks and hackers targeting less-protected SMBs; underscoring the need for greater security community collaboration.”
Websense – “A top threat projection is that mobile devices will be the new target for cross-platform threats, facilitated by Web-based cross platform exploits. Attacks will also continue to increasingly use social engineering lures to capture user credentials on mobile devices.
…Cybercriminals will use bypass methods to avoid traditional sandbox detection. As more organizations are utilizing virtual machine defenses to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments.”
McAfee – “…The first area of focus for the report is the emergence and growth of mobile malware. McAfee predicts an increase in ransomware…, also predicts a new mobile worm will go on a ‘shopping spree,’ as criminals add the app-buying functions of the Android/Marketpay.A Trojan to a mobile worm…, a decline in the influence of the Anonymous hacktivist group…, an increase in both ‘crimeware’ and ‘hacking as a service,’ an increase in large-scale attacks….”
Symantec –
- “Cyber conflict becomes the norm - In 2013 and beyond, conflicts between nations, organizations, and individuals will play a key role in the cyber world….
- Ransomware is the new scareware - As fake antivirus begins to fade as a criminal enterprise, a new and harsher model will continue to emerge. Enter ransomware….
- Madware adds to the insanity - Mobile adware, or “madware,” is a nuisance that disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals….
- Monetization of social networks introduces new dangers - …Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks…
- As users shift to mobile and cloud, so will attackers - Attackers will go where users go, and this continues to be to mobile devices and the cloud….”
Trend Micro – Check out their prediction video:
The YouTube link for this video is: http://www.youtube.com/watch?v=yupELaC4Plg
Kaspersky made the following predictions last year:
- Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities
- A higher rate of "advanced persistent threat" attacks, or state-sponsored espionage efforts
- More incidents of cyberwarfare involving customized, state-sponsored malware
- Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony
- More aggressive actions from law-enforcement agencies against cybercriminals
- An increasing rate in the growth of threats to the Android mobile platform
- Successful attacks on Apple's Mac OS X computer platform
Overall, I’d say Kaspersky Labs did fairly well in their 2012 predictions. Here’s what they think is coming up in the new year:
“As for 2013, ‘we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure,’ Raiu said in a company press release. ‘The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.’”
Here’s a brief summary of Technorati.com’s top 5 predictions –
- More mobile malware than ever before, targeting mostly Android devices. [Android leadership] should continue through 2013 with Google estimating that there are over 1 million new devices, be it smartphones or tablets activated daily.
- More aggressive mobile adware invading user privacy. …Your information (including email, device ID, location, browsing habits and even phone number) is what's being exchanged for that flashlight, calculator, or nifty new game instead. This trend will… raise the conversation about privacy to new levels.
- Online fraud will remain rampant in 2013. …Ransomware is set to skyrocket. Ransomware, which combines malicious code with human panic, basically holds systems hostage by restricting access and demanding a ransom be paid to remove the restrictions….
- Mobile & online shopping will continue to rise, but not without increased risk. …Relying on built-in security measures alone won't protect most consumers, which is why having a mobile security product will become even more important than ever over the next 12 months.
- More advanced persistent threats (APTs) will be discovered. …The expectation is that we will hear more about APTs in 2013, either new ones or strains of already known ones.
What was probably the most surprising blog? CIO Magazine blogger Constantine von Hoffman offered his list of 2013 cybersecurity predictions, which he described as distilling “all the painfully-obvious and self-serving 2013 cybersecurity-threat-prediction lists on the Web into a single tasty nugget.” Respectfully, I think he fell into his own trap. While he offers a good list, I certainly would not make it the only list you need to review. His top ten threats facing us for 2013 are worth reading. Here are the first five of his ten threats listed:
- “The Cloud – Lots of vulnerabilities out there.
- BYOD/Mobile malware – It’s a problem dealing with all these devices.
- Opportunistic Attacks/Social Engineering – Someone is going to try to get malware on your systems using targeted attacks.
- DDoS Attacks – You might be the target.
- Big Data – Again, lots of vulnerabilities.”
And finally, Maria Deutscher offers these comments from John Casaretto on noteworthy cybersecurity events in 2012:
“Casaretto … mentions the $60,000 prize that Google recently awarded a hacker for discovering a Chrome exploit. His take is that this approach to crowdsourcing can prove to be a very valuable strategy in increasingly complex technological environments where a problem may be discovered eventually, but not before hackers use it to their advantage.
The second big topic Casaretto chooses to focus on is the Megaupload shutdown, in context of Kim Dotcom’s upcoming venture. The internet entrepreneur plans to launch a new file sharing site in 2013 that, based on early descriptions, will be rather accommodative of illegal content uploads. Authorities will have to bypass many legal and technological barriers to take down the provocative new service, but not before tackling all the existing issues.”
My Predictions –
Last year, I took a stab at a few predictions over at CSO Magazine – with specific trends regarding Privacy, Piracy and Parental Controls. I think I was fairly accurate, if not very bold. The major social media sites, websites and mobile apps assume that you want to share your personal information widely as the default.
In state and local governments, we saw several of the largest breaches in the nation land in our corner for the first time. Sadly, I suspect that we will see more of that to come.
Moving forward, I don’t know how I can disagree with any of the major vendor predictions – except to say that the big new prediction that I see all over the place seems to be the coming rise of ransomware (see above). The other predictions about the rise of mobile malware and cloud computing threats are fairly obvious trends that have been building over the years.
What’s missing regarding predictions? No one seems ready to say that this will be “The Year of the Big One” in which we see a “Cyber 9/11” or a “Cyber Pearl Harbor” that disrupts infrastructure in some major way. Yes, many groups are calling for more major company breaches, but that is really a given. I’m not ready to make that prediction either. However, I do think it will happen within 3-5 years. That event will bring about major changes in the way we secure our data, our corporate and personally-owned technology as well as our critical infrastructure in America.
The bottom line for 2013 is that the bad guys will follow the crowds, and the crowds are going to cloud computing, smartphones and tablet PCs. Get ready...
Happy New Year everyone!
December 23, 2012 By Dan Lohrmann
As we head into the heart of the holiday season, our thoughts and prayers still turn towards the families and devastated communities following the horrible events in Newtown, Connecticut, on December 14, 2012.
As expressed so well in the comforting speech by President Obama, our hearts go out to everyone impacted.
“… Here in Newtown, I come to offer the love and prayers of a nation. I am very mindful that mere words cannot match the depths of your sorrow, nor can they heal your wounded hearts.
I can only hope it helps for you to know that you're not alone in your grief, that our world, too, has been torn apart, that all across this land of ours, we have wept with you. We've pulled our children tight.
And you must know that whatever measure of comfort we can provide, we will provide. Whatever portion of sadness that we can share with you to ease this heavy load, we will gladly bear it. Newtown, you are not alone….”
Since that speech, there has been a steady stream of articles discussing various aspects of gun violence and the need for better school security following the tragic events in Connecticut. The stories of the families and children have dominated the news, as they should. But as we head into 2013, many are starting to ask about next steps.
Everyone wants to know: Can we make our schools safe? How far should we go towards metal detectors, armed guards and more?
What seems different is that this new discussion is occurring regarding schools that were considered safe havens by many. Few thought Newtown, a quiet community, would become a target. For this reason and many others, I suspect real change is coming for school security across America.
But I’d like to pose a related question: what about local and state government buildings? Is new or added security needed for these workplaces as well? How about private companies? How will they react?
Change After 9/11
I remember the changes that occurred in Michigan after 9/11. We went from virtually no physical security in state office buildings to guards, cameras and much more over the past decade. Security changes were seen all over the nation from airports to subways to federal government buildings.
Earlier this year, The New York Times asked: How resilient is post-9/11 America? Here’s an excerpt:
“Federal law enforcement and homeland security experts are advising corporate America to build better security into their business practices — to safeguard their goods and services, to recover from attack and, from the companies’ perspective, to boost their brand. ‘When you think of El Al, it’s not for on-time performance, it’s that you’re safe,’ said a senior law enforcement official, referring to the Israeli airline renowned for its security procedures.”
There is little doubt that many things have already changed regarding state and local government building security. Emergency Management Divisions around the nation are familiar with raising threat levels and readiness states for state emergencies of all types.
Is Workplace Violence on the Agenda?
In addition, a new level of attention has been directed towards workplace violence. Here’s an excerpt from the US Department of Labor website:
“Nearly 2 million American workers report having been victims of workplace violence each year. Unfortunately, many more cases go unreported. The truth is, workplace violence can strike anywhere, anytime, and no one is immune. Research has identified factors that may increase the risk of violence for some workers at certain worksites. Such factors include exchanging money with the public and working with volatile, unstable people. Working alone or in isolated areas may also contribute to the potential for violence. Providing services and care, and working where alcohol is served may also impact the likelihood of violence. Additionally, time of day and location of work, such as working late at night or in areas with high crime rates, are also risk factors that should be considered when addressing issues of workplace violence. Among those with higher risk are workers who exchange money with the public, delivery drivers, healthcare professionals, public service workers, customer service agents, law enforcement personnel, and those who work alone or in small groups.”
As all of the attention (rightfully) addresses school security following Newtown, we need to remember that schools are only one part of this vital discussion in America. How much is too much? Will we lose our national character by over-reacting? What about mental illness and other related topics that can lead to tragic events such as this?
At the same time, we need to be addressing a much wider list of potential government security threats – from cyberattacks to critical infrastructure protection. No doubt, the schools will certainly come first, as we struggle with the tough questions regarding what we can afford.
What are your thoughts on physical security topics at school and work as we head into 2013?
December 16, 2012 By Dan Lohrmann
Our nation has developed a fairly long list of doctrines that have historically provided statements of what we believe and the principles by which we’re going to base our future actions. Two examples that come to mind are the Monroe Doctrine and the Reagan Doctrine, but there have been many others. In addition, military doctrine has long provided a guide to national defense actions.
Do we need such a national doctrine on cybersecurity? If so, what needs to be included? How will the rest of the world view this doctrine? Can a cyberdoctrine help guide our actions?
Earlier this week, I was contacted by Sarah Rich from Government Technology Magazine and asked to comment on recent efforts to develop a national doctrine on cybersecurity. Sarah wrote this article entitled: Should the U.S. Develop a National Cyberdoctrine? Here’s an excerpt:
“Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.
‘The book is a call to action,’ said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc.”
I won’t reiterate my comments to Sarah here, except to emphasize that I support the overall call to action in the book for a national discussion on key cyber issues. Nevertheless, I also think that getting a meaningful national consensus on the answers to key questions will be very difficult. (See Sarah’s article in the gray box for some of the key questions, beginning with ten questions that are foundational.)
But I am highlighting this topic again for another reason. I urge readers of my cybersecurity blog to take 15-20 minutes and ponder the transcript of the Potomac Institute for Policy Studies event on cybersecurity held in early December.
This transcript for the event covers many excellent topics of discussion and provides a wealth of information regarding why a doctrine for dealing with cybersecurity is important. It also discusses many relevant topics that should guide our thinking on dealing with the new cyber environment moving forward.
Here is a brief sample of intriguing statements from the panel discussion:
- “…Nobody thinks that the government can provide cybersecurity. We don't want to turn it over to the government; it doesn't do that well. We must recognize that cybersecurity costs money and that somebody has to do it.
- I think one of the things that came out of the conference is that there clearly needs to be someone in charge.
- Somewhere along the line in the last four or five, six, seven years, this thing has changed from essentially "isn't this cute," to "gosh, this is useful," to a public utility. And the question becomes, how does a government deal with that?
- So what do you need to know? Well, you need to know what are you trying to deter. You need to know who are you trying to deter. And you need to know how.
- If somebody attacks you and you notice that and people die and buildings come crashing down, it's a pretty obvious thing. But what if they don't attack you? What if all they do is put in place the ability inside all your infrastructure to take it down if they wanted to at some point in the future? It's all benign, nothing's happening, nothing's being taken down; it's just sitting there.”
I also found this article written by well-known cybersecurity policy expert and author Dan Verton to be very helpful. Here’s an excerpt from that piece:
“President Barack Obama’s signing last month of Presidential Policy Directive 20 (PPD 20), a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks, may have finally laid the foundation upon which a national doctrine governing cybersecurity can be built….
‘The issue here is that the status quo is no longer acceptable,’ said Rear Admiral Jamie Barnett (USNR-Ret.). ‘We’re no longer going to simply defend the networks and continue to take the attacks and intrusions. We’re not going to be in a corner with our boxing gloves over our face. We’re going out and we’re going to swing at people who are attacking us.’”
One more thing on this topic: There are several additional classic questions that are particularly useful when setting forth a doctrine. These were sent to me by Andris Ozols, who is an excellent researcher and adviser on our Michigan CIO’s staff.
- What is it that we don’t know (regarding cybersecurity)? This question is not a logical impossibility, but an ongoing open inquiry.
- What happens if we under or overreact (to cyberattacks)? Risks in both – how to choose.
- What is plan B, C and so on? No plan in effect is a plan, but can it ever be a good plan? Perhaps better than some plans.
All of this is thought-provoking stuff that makes for important dialogue as we consider the future direction of cybersecurity in America and around the world. I agree with the sentiment that we can’t keep doing the same things and expect different results. We all know that we need to be taking new actions to protect critical infrastructure as a nation, as states, as local governments and as private companies.
Now if we can just agree on the right questions (and the same answers.) Perhaps an open process of building a cybersecurity doctrine can help.
What are your thoughts?
December 9, 2012 By Dan Lohrmann
Ever since the Western States Contracting Alliance (WSCA) was formed in October 1993 by the state purchasing directors from fifteen states, governments have been saving millions of dollars through cooperative purchasing. By working together on developing contracts with a lead state, the savings can be huge. Joint purchases, on items such as laptop and desktop computers and much more, can ultimately save time and resources by working together with other like-minded government officials from around the country.
Many of these excellent contracting relationships and procurement opportunities have developed over the years at meetings held by the National Association of Purchasing Officers (NASPO). WSCA is now used by many states besides the initial fifteen members. For example, this chart shows over 50% savings on desktop PCs when you use the discounts from the “Premium Savings Packages” available to certain WSCA-participating states from numerous vendors.
And while you are looking at these charts and adding up the savings possibilities, you will see a change in the names that resembles a marriage. That’s right, the graphics for “WSCA” have now become “WSCA/NASPO” on most of their websites. In fact, this development was explained to me this week when I was on a teleconference which discussed multi-state opportunities to save money and be more efficient in our contracting work.
A Huge Infrastructure Opportunity
So why bring up this contracting topic in an infrastructure blog? Because evaluating vendors and contracts, developing statements of work (SOWs), and managing provisions is a big part of what we do and how well we do it!
On topics ranging from smartphones, BYOD and mobile device management to cloud computing to consolidating data centers, contract wording is vital. Of course, we all want to get the best deal possible, while at the same time taking advantage of the experiences of those who have gone before us. There is certainly wisdom in a multitude of advisors, and working with other states to understand their requirements is usually a best practice.
In addition, more and more states are working to provide shared technology services across traditional government boundaries. As we heard at the National Association of Chief Information Officers (NASCIO) conference in October, states are jointly offering services in such areas as cybersecurity, disaster recovery, GIS and more.
What Can You Do Now?
My understanding is that details for specific contracts still need to be worked out with WSCA/NASPO on a case by case basis. This fact sheet on their cooperative purchasing services is a great place to start to learn more about ways to engage WSCA.
Additionally, here is some wording from their FAQ website, if your state has chosen not to participate so far:
“WHAT IF MY HOME STATE HAS CHOSEN NOT TO PARTICIPATE, BUT WE WANT TO USE A WSCA CONTRACT? That question is not as easy to answer. Each state and governmental entity has different statutory, legal and procedural requirements. WSCA contracts are solicited to allow the broadest possible participation, but the real answer depends on your individual legal and procedural requirements. You should check with the Lead State contact listed on the contract page or contact Paul Stembler (contact information below) if you have questions.”
In conclusion, times are changing, and state procurement practices are changing as well. Partnering with WSCA/NASPO on large contracts (and even on some small purchases) makes a lot of sense. Hopefully, the joint buying power of all of the states can make a substantial difference and enable even better products and services to be delivered at lower prices moving forward.
Just as important, CIOs, CTOs, CISOs, IT Directors and other technology professionals need to be aware of what is going on around the country in regards to contract terms and conditions, the latest security and privacy wording in contracts, provisions for getting in (and out) of the cloud and how we can work together to influence vendor product and service roadmaps.
Over the years, we have often heard sales executives from major corporations ask me: Have you looked at what WSCA has to offer?
Now we can answer: I think you mean the cooperative purchasing arm of NASPO. And yes, we’ll give them a call.
December 2, 2012 By Dan Lohrmann
What were the top government data breaches in the USA in 2012 (so far)? It appears that this year will be remembered more for state and local breach headlines than for federal government breaches.
I’m starting off this blog with highlights from one of those “scary headline” articles that government technology leaders want their organizations to avoid. And yet, there is an ominous sense across the nation right now amongst security professionals. Most Chief Information Security Officers (CISOs) understand that there are more breaches to come in 2013. To some extent, the sentiment is: “I could be next.”
A shout-out goes to Rock Rakowski, one of our Michigan cybersecurity managers, who sent me an excellent article which addressed this question and even listed ‘lessons learned’ from each breach. The article was written by Ericka Chickowski for Dark Reading. Here are the first five on the list, abbreviated, but I urge you to read her entire piece, including the recommendations:
1) South Carolina – 3.3 million unencrypted bank account numbers and 3.8 million tax returns...
2) California Department of Social Services - Sensitive payroll information about approximately 700,000 individuals…
3) Utah Department of Health - The health information and PII of more than 780,000 Utah citizens...
4) California Department of Child Support Services - lost more than 800,000 sensitive health and financial records…
5) United States Bureau of Justice Statistics - Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data…
More sobering news came from “across the pond” back in August, with the announcement that United Kingdom (UK) data breaches are up 1000% in five years. Here’s an excerpt:
“According to the data, local government data breaches have increased by 1609%, with the next largest increases coming from other public sector organizations (1380%) and the private sector (1159%). Data breaches in the NHS have increased by 935%, and central government breaches are up by 132%. The average increase across all eight recorded sectors since 2007 is 1014%.”
Not to be left out, private sector breaches in America are equally as daunting. Fishnet Security initially reported the following expectations at the beginning of 2012:
“Data Breaches Expected to Rise - The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.
Top Three Threat Sources - Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).
Cloud Computing Moving Up the Risk Ladder - While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.
Mobile Computing is a Growing Concern in Data Breaches - Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.”
So What Other USA Breaches Have We Seen This Year?
This Network World slide show listed the top breaches through June 2012. It counts 13.73 million records across 189 major breaches; the government breaches are mentioned, but the top two breaches named were:
1) “New York State Electric & Gas Co. - Number of records exposed: 1.8 million files that contained customer Social Security numbers, dates of birth and bank account number, due to unauthorized access by a contractor.
2) Global Payments, Inc. - Atlanta, Ga. - No. of records exposed: 1.5 million payment-card numbers, plus in June the company disclosed its investigation is also turning up potentially hacked servers with names of merchant applicants.”
A Plot Against the Internet?
One story that does seem to be getting quite a bit of year-end attention is what Politico calls “The plot against the Internet.” No, this is not some new malware or distributed denial of service (DDoS) attack, but a possible change of Internet governance. Here’s an interesting excerpt:
“The hype is a perfect storm for Matt Drudge: The U.N. will take over the Internet — unless you act fast…. What’s more likely — almost certain to happen, really — is that the World Conference on International Telecommunications will fail to change much of anything about the way the Web works or who cashes in during the two weeks of meetings that start Monday in this Middle Eastern enclave....
Conservative commentators have taken up the case. Wall Street Journal columnist Gordon Crovitz this week wrote a piece with the headline ‘The U.N.'s Internet Sneak Attack,’ arguing that ‘having the Internet rewired by bureaucrats would be like handing a Stradivarius to a gorilla….’”
Meanwhile, Google also posted a message on their front search page about supporting a free and open Internet with a link to this page, which discusses options for getting involved. Their page headline is "a free and open world depends on a free and open web."
In conclusion, 2012 (minus December) has already been one of the top years for data breaches, and certainly the most significant year for government data breaches at the state and local level. The breach trends do not look good going into 2013.
Of course, the presidential election news in 2012 and the current fiscal cliff headlines continue to move cybersecurity stories and breach headlines into a lower priority category for citizen engagement. True, these breach stories get some front-page attention, but the news-talk radio focus is simply not there yet.
However, I believe that sooner or later these issues will be seen as a national crisis that needs to be addressed with an additional level of focus. The country is also ready for a change in the way we communicate credit card, social security, health records and other sensitive information. Passing this data around openly on plastic cards, over telephones and in unencrypted emails is simply too 20th century.
We’ll get there, but we just need to work through our “hot” topics one at a time.
What are your thoughts on the data breaches we’ve seen in 2012? Where are we headed in 2013?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.