Large businesses spend too much money trying to comply with cybersecurity mandates and not enough to keep their high-value secrets from being stolen, according to a new study from Forrester Research.
"Enterprises are overly focused on compliance and not focused enough on protecting their secrets," said the study, which was released yesterday by Microsoft Corp. and RSA, the security division of EMC.
Forrester separated sensitive data into two groups: company secrets and custodial data. "Legislation, regulation, and contracts compel enterprises to protect custodial data," it noted. "Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state."
"Data that is ordinarily benign transforms into something harmful," it warned. "When custodial data is spilled, it becomes 'toxic.'"
Businesses that participated in Forrester's survey indicated that they spent about equal amounts protecting trade secrets and custodial data. But the survey suggested that trade secrets were much more valuable and needed more protection. -- TL
Tuesday, April 6, 2010
Friday, March 19, 2010
Rules of Cyber War
"The Washington Post" this morning published an interesting report about the U.S. dismantling a Saudi Arabian website that anti-U.S. forces might have been using to coordinate attacks in Iraq. The article raises questions about the adequacy of U.S. policies governing cyber war.
When George W. Bush was president, intelligence officials apparently were forced "to refine doctrine as it executed operations," the article says. "Cyber was moving so fast that we were always in danger of building up precedent before we built up policy," former CIA Director Michael Hayden told the paper.
One question raised by the story deserves additional discussion: When is a cyber attack outside the theater of war allowed? Some military strategists would argue that the theater of war has no boundaries in cyberspace. "Every networked computer is on the front line," the U.S. Joint Forces Command said in a report released this week. In other words, if the U.S. is at war and its adversaries are using cyberspace, then all of cyberspace is a war zone.
Another puzzling aspect of the story: If the troublesome website was established by the CIA and Saudi government to gather intelligence on jihadists, why did it take a team of NSA experts to dismantle the site, with resulting collateral damage to other parts of the Internet? -- TL
Thursday, March 18, 2010
Flirting with Regulation
Companies that control key infrastructure have so far remained largely free of regulations to ensure that their information technology systems are secure. But policy-makers appear to be in the early stages of considering such rules.
Exhibit A: Legislation that would require the Department of Homeland Security to study an assortment of regulations was adopted this week by a House subcommittee. The bill allocates funds for research into, among other things, the efficacy of (1) "mandated reporting of security breaches" that threaten critical infrastructure; (2) "regulation that imposes, under threat of civil penalty, best practices" on operators of critical infrastructure; and (3) "accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted 'red-team' simulated attacks or exercises."
Exhibit B: The "Rockefeller-Snowe Cybersecurity Act" introduced this week would require the president and critical infrastructure industries to develop cybersecurity best practices, which the companies would be expected to follow. Independent audits would be conducted, and companies that fell short would have "to work collaboratively with the government and private sector colleagues within their critical infrastructure sector (via existing sector coordinating councils) to develop and implement a collaborative remediation plan."
Exhibit C: The FCC's national broadband plan unveiled this week proposes expanding network outage reporting rules that now apply only to traditional telephone service. The FCC would like the rules to apply to all broadband network services. The FCC also proposed a "voluntary cybersecurity certification program" for businesses.
None of the above examples present major challenges for the private sector. In fact, several industry associations have successfully steered Congress and the FCC away from regulatory solutions for cybersecurity. But policy-makers like to create rules, and they're still learning about cybersecurity. -- TL
Tuesday, March 16, 2010
Beyond Boilerplate
The national broadband plan that the FCC issued today offers few surprises in the cybersecurity realm. The plan was assembled in public, and its recommendations -- at least those pertaining to cybersecurity -- were largely known weeks ago.
In some ways, however, the FCC has managed to one-up other agencies by offering proposals that might actually move the ball on cybersecurity policy. For example, the FCC wants to require broadband service providers to follow the network outage reporting rules that now apply only to traditional telephone service.
"The timely and disciplined reporting of network outages will help protect broadband communications networks from cyber attacks by improving the FCC’s understanding of the causes and how to recover," the report says. "This will help improve cybersecurity and promote confidence in the safety and reliability of broadband communications."
Another example: The FCC wants to create a "voluntary cybersecurity certification program." It notes that many businesses aren't making cybersecurity a priority.
"A voluntary cybersecurity certification program could promote more vigilant network security among market participants, increase the security of the nation’s communications infrastructure, and offer end-users more complete information about their providers’ cybersecurity practices," the plan says.
Sure, the plan also contains the conventional boilerplate recommendations about multi-year roadmaps, milestones, public awareness, and international outreach. But it appears that somebody at the FCC is unafraid to consider new cybersecurity rules and programs. -- TL
Wednesday, March 10, 2010
Tightening the Screws
Look out, Waledac botnet. Microsoft isn't done with you yet.
Not content with merely disabling the botnet's lines of communications, Microsoft this week asked a federal court for permission to serve subpoenas on Internet service providers and set up a system to capture IP addresses that contact the domains formerly used by the botnet.
The purpose: to locate the botnet's unknown human operators. "Microsoft has good reason to believe that it will be able to identify, name, and serve the 'John Doe' defendants if granted authority to conduct formal discovery for 90 days," the company told the court in a March 9 request.
Microsoft has located one of the John Does in Beaverton, Ore., and has decided that his domain was being used by an unknown third party. He apparently is cooperating with the company. The other 26 defendants, however, are thought to be in China. The judge is expected to rule on Microsoft's request next week. -- TL
Thursday, March 4, 2010
Blaming China
China is frequently blamed for cyber attacks on the U.S., although Chinese authorities complain that they are just as often victims. A new article in Foreign Policy offers a more nuanced portrait of the Chinese government's role.
"The hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented -- and sometimes unruly -- patriotic hackers," it reports. "Mix together widespread youth nationalism with a highly wired population -- China now boasts the most Internet users in the world, with 384 million people online -- and out comes patriotic hacking."
"The fact that these hackers' interests overlap with Chinese policy does not mean they are working on behalf of Beijing," it adds. "It helps, however, that Beijing turns a blind eye to their attacks."
On the latter point, some U.S. cybersecurity experts would like the U.S. government to take a stronger stance toward countries that tolerate cyber attacks. "We talk to Russia and China about a lot of things, but we've never made this a big issue," noted Richard Clarke, a former White House cybersecurity adviser, during an appearance this week at the RSA conference in San Francisco.
His solution: an international treaty that would require national governments to crack down on hackers within their borders and cyber "arms control" that would acknowledge that governments have an incentive to use cyberspace to attack and spy on adversaries, but would limit the tools and techniques they could use. -- TL
Tuesday, March 2, 2010
Meet John Doe
John Doe no. 21 lives or works -- or picks up his (or her) mail -- at Jiuyangxi Road 12 in Shanghai. Number 22 has some sort of office in a shopping center in Beaverton, Ore., near a Computer Moms outlet and Beaverton Ship & Pack.
Altogether, there are 27 of these John Does, according to Microsoft Corp., and they are -- or were -- in charge of a huge botnet known as Waledac. The past tense might be appropriate because Microsoft claims it has beheaded Waledac.
With a court order in hand, Microsoft has disabled 277 Internet domains that helped Waledac's brain communicate with its body -- the thousands of "zombie" PCs that the botnet commandeered to do its dirty work, including reproducing itself and sending out spam pushing dubious products and services.
Some security experts doubt that Microsoft has killed Waledac, but its approach is novel. It obtained a temporary restraining order that required VeriSign, Inc., which controls ".com" Internet names, to pull the plug on the domains that Microsoft believes were a major part of the botnet's communications infrastructure.
The restraining order expires on March 8, but that might not be a problem for Microsoft. Judge Leonie Brinkema, of U.S. District Court for the Eastern District of Virginia, has ordered all 27 of the John Does to attend a March 8 hearing "to show cause, if there is any," for not making the injunction permanent and taking further action against them for violating an assortment of U.S. laws. John Doe no. 21 better call his travel agent. -- TL