After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. This is a no-nonsense profile of the world of cybercrime that anyone associated with cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and am awaiting the shipment of my copy soon.
As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors.
Throughout Jeff’s career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never discovered or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems but also tends to accompany the bad news with a detailed plan for risk reduction.
Jeff’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and remediation are often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems only apply to IT and not the business. Even worse, other CEOs blame the security staff and then mandate that they keep silent. Still others fudge their compliance reporting.
In his book, “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career. It’s pretty scary stuff but almost any security professional will tell you it happens all the time.
Hopefully this report from the corporate security trenches will shake some corporate boards and legislators up. With the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.
Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.
Here is another must read New York Times article providing more details about the cyber attack at :
Apparently the bad guys became cyber stowaways — unwelcome and undetected network occupants. Once network access was secured, the cyber stowaways fished around until they found the source code to Google’s password system that controls access by millions of users to Google services. While Google has since added new layers of security, it is still possible that the attackers inserted a Trojan Horse/back door in the password system or studied the code to discover other software vulnerabilities.
Google has some of the smartest software engineers in the world so it is likely that they can stay one step ahead of the bad guys, but the lessons of the Google breach should send up a red flag elsewhere for several reasons:
The bad guys are extremely good at what they do and in many cases, we are several steps behind. There could be cyber stowaways on lots of major commercial, government, and military networks just sitting there, biding their time, and waiting for the right opportunity or target. I hope this realization is now emanating in corporate boardrooms, Congress, DHS, DOD, and NSA.
On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director, Stephen Chabinsky gave this ominous statement, “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”
With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake-up call pointed to the fact that the Federal government:
If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!
Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.
Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.
More details from FBI Deputy Assistant Director Steven Chabinsky’s keynote at FOSE. Chabinsky described several sophisticated attributes about the cybercrime underworld:
Are you scared yet?
Here at the FOSE show in Washington DC, cybersecurity and cybercrime are hot topics of conversation.
I attended a keynote presentation by Steven R. Chabinsky, Deputy Assistant Director, Cyber Division of the FBI yesterday. Mr. Chabinsky did not soft-sell cybersecurity and cybercrime; rather, he described the current situation in very stark terms. First, he stated that cybercrime is one of the FBI’s top three priorities. Chabinsky described the threat as follows: “A serious cyber attack is a potential game changer. It represents an existential threat, one that threatens our nation.”
So are we vulnerable? According to Chabinsky, “a determined adversary with enough time and resources will always be able to penetrate a targeted system.” The result? “Everything is being stolen, wholesale.”
Chabinsky did a good job of describing cybercriminal organizations, breaking down the division of labor, specialties, and sophistication associated with these groups. He also went through a few extreme examples. A global cybercrime syndicate broke into an encrypted file containing ATM passwords. Within 24 hours, the group had created 400 phony ATM cards in 287 countries and made over 14,000 ATM transactions. In one day, they stole over $10 million.
Very scary stuff, but Mr. Chabinsky also described some of the progress being made by the FBI. The FBI Cybersquad is now in place in 56 FBI field offices around the world. Every new FBI agent must go through cybercrime and cybersecurity training at Quantico. Combined with international partners, the FBI has 60 legal attache offices around the world and it made 230 arrests last year.
In spite of the progress, the overall picture painted by Chabinsky was pretty scary. To his credit, he didn’t shy away from this reality. He ended his keynote with a plea to the security community recommending that audience members be vocal and vigilant, point out security vulnerabilities, question vendors, and constantly look to improve cyber defenses. Chabinsky stated, “there is a need for a public dialogue; our economic and national security is at stake.”
With the tremendous growth in malware, identity theft, and online scams, you’d think that every PC owner in the world would make Internet security software a “must have” before connecting to the Internet. Unfortunately, this assumption is dead wrong. Believe it or not, lots of industry research indicates two huge misconceptions still exist:
Folks like these need a cybersecurity wake-up call ASAP. They also need simple security tools they can access and install without technical help.
Fortunately, there is a bit of good news. Free antivirus software seems to be gaining a foothold, especially in emerging markets around the world. AVG is a freeware leader, but other packages like Immunet and PC Tools are also gaining appeal. Finally, Microsoft Security Essentials is now running on about 12 million PCs throughout the world. Microsoft deserves credit here for providing a free security offering that boasts strong protection and ease-of-use functionality.
These reputable free AV packages may help bridge the security gap by protecting previously unprotected machines. Unfortunately, the bad guys are outperforming their more altruistic counterparts. Back in late 2008, PandaLabs estimated that 30 million users had fallen victim to fake AV scams and my guess is that the number is up to over 50 million by now. Last year’s Conficker worm was purpose-built to push this scam even further.
The bad guys know a good con when they see one. Many of the fake AV programs are “packaged” (i.e., fake ads show fake packaging) to look like McAfee, Symantec/Norton, Trend Micro, and others. The names even sound like real Internet Security or mainstream software. Fake names include Vista AV, Security Essentials 2010, Antivirus 360, etc.
Ultimately, fake AV kicks unsuspecting users in the teeth. Instead of buying protection, they are actually buying malware that gets installed on their systems, turns them into zombies, or steals personal information.
To those of us in the IT and cybersecurity industries, these scams are relatively easy to spot, but your parents, grandparents, friends, or kids who aren’t as tech savvy need to be warned. Let these folks know about the good free offerings from AVG, Immunet, Microsoft, and PC Tools and warn them about the scams.
We need more public education about cybersecurity risks and threats, but in lieu of this, let’s get viral and spread the word.
Call it endpoint security, antivirus, or Internet security: the security software we all run on our PCs may be one of the most important, yet misunderstood areas of computing. ESG and other research suggests that many users believe one or several of the following:
A far larger percentage of our fellow citizens believe one or several of these myths, install sub-standard endpoint security, or somehow believe that they are immune to malware infections and never deploy security software. If we are lucky, their systems are compromised, private data is stolen, and they learn their lesson. Unfortunately, these cavalier attitudes or ignorance threaten us all by creating huge botnets poised for attack.
My advice to all PC and Mac users: install endpoint security ASAP, and caveat emptor. Choose the best security software you can find and don’t squabble over 20 bucks to get a leading endpoint security solution. Finally, stay vigilant, as security software alone won’t protect you. Educate yourself on current Internet and social engineering threats. It’s a dangerous digital world.