Monday, May 26, 2014

For the past twelve weeks, the students in the Bellevue University Cyber Security Master’s degree program taking CYBR 650, Current Trends in Cyber Security, have experienced several learning opportunities. We spent considerable time reviewing past courses and assignments in preparation for developing a process model and creating a systems analysis for a real or fictional cyber security network. Developing the process model required us to formalize a means of diagramming how a threat is determined and to repeat the process for emerging or newly identified issues. The systems analysis required us to identify the “as-is” state of the cyber security system used in the process model: develop a network diagram, describe the physical facilities, and document the policies, standards, and procedures required by the case study. In addition, we investigated several trends associated with cyber security, looking specifically at how these trends have affected the security of computer systems and what is needed to protect them. The expansion of cloud computing has introduced new vulnerabilities and threats into the world of computing. Cloud computing has added a third dimension to the heretofore relatively planar concept of computing. In the past, computing was limited to one person and one computer, then progressed to networks, wired and wireless. The next step in the progression, of course, is a third dimension in which multiple devices are connected to one or many individuals: cloud computing. With each step of the progression, the security needs increase exponentially. For example, one of the postings we reviewed indicates that a conflict of interest may be introduced into the security model for cloud computing. The enterprise must be aware of potential conflicts of interest and ensure that appropriate agreements are in place to prevent or eliminate such conflicts. The cyber security job market is exploding. 
The need for trained, certified, and qualified personnel to fill these jobs is not being met fast enough. The news media are replete with stories about the hot job market in cyber security. The rate of online attacks against companies and government agencies is causing the cyber security job market to grow at 3.5 times the pace of the overall IT job market and 12 times the pace of the overall job market, making it one of the most sought-after fields in the country. The threats from cyber attacks come from within the US and from abroad. This is disconcerting to many, and the need for cyber security specialists is ever expanding. It seems that everything is under attack, including all manner of infrastructure. Demand for cyber security experts grew 73% during the five years from 2007 through 2012. Compensation for cyber security experts, including engineers, analysts, managers, architects, and others, averages over $101,000 per year, whereas the average IT job pays $89,000. For someone with the education and experience who does not already have a job in this area, gaining employment should be rather easy. Another trend in the industry is Bring Your Own Device, or BYOD, whereby corporations replace the devices they own with those their employees own. Mobile devices and their apps are becoming ingrained in the business culture, and their complexity is growing with their popularity; this includes their operating systems, their security, and their ownership. They are being integrated into the daily business processes and operations of organizations, improving productivity and becoming a critical, yet complex, component of the computing environment. Mobile devices and their apps are coming to rival their personal-computer counterparts in power. 
As with any new and very popular technology, there are those who will find a way to outsmart unprotected smart devices, giving them access to even more valuable back-end data such as bank accounts, corporate (organizational) intellectual property, and personal health information. The industry has seen a significant uptick in mobile malware, according to a report by Juniper Networks. Something I hadn’t considered was the need for cyber security insurance. Of course, it stands to reason that if there is money to be made, the insurance industry would find a way to make it. The Ponemon Institute conducts independent research on privacy, data protection, and information security policy. Its mission is to assist private and public enterprises in understanding the trends in practices, perceptions, and potential threats that affect the collection, management, and safeguarding of personal and confidential information about individuals and organizations. Ponemon’s research educates these enterprises on how to better protect their data, and in doing so helps their brand and reputation as trusted enterprises. As part of its research, the Ponemon Institute estimates that organizations were hit by $5.4 million in costs per data breach in 2013, an increase of 26% from the year before. According to the Ponemon Institute, enterprises are increasingly opting to purchase cyber insurance. The study determined that approximately 40% of its subjects already have the insurance and another 40% are planning to purchase it. The trend is that more heavily regulated companies are more likely to purchase cyber insurance, as are larger, more sophisticated companies: they are better able to afford it, can spread the costs more easily, and have much more reputation to lose. Retailers have been especially slow, though this trend, too, is picking up. 
Universities, which account for a large share of breaches, are also slow to purchase insurance. They are not as regulated as most, and they are regarded as institutions (of higher learning) rather than as businesses, which in fact they are. Many businesses use satellite communications to upload and download information and data. This includes, for example, Walmart Stores, which use both the telephone system (T1 lines) to download information and satellite services to upload. (Note: the transmitter power needed to send information to a satellite is prohibitive for a single store, but corporate headquarters can provide (afford) the necessary power/service for hundreds of its stores.) The principal threats associated with satellite transmissions are similar to those of wired and wireless networks. However, satellite communications provide other avenues of disruption. One of the greatest weaknesses of satellite-dependent systems is their reliance on GPS for positioning and timing, and here spoofing is the biggest vulnerability: the civilian GPS signal carries no authentication, so a stronger counterfeit signal can displace the genuine one. GPS spoofing has been used to hijack a drone and a vessel in demonstrations. The good news about satellite hacking is that it takes expensive and specialized equipment. Your average teenage hacker is not likely to conduct such an operation, but governments, like those of the US and Russia, certainly have the technology and resources to do so.

Monday, May 12, 2014

Russia has a broad concept of information security that is very different from the West’s. The September 2000 Doctrine of Information Security of the Russian Federation, released shortly after Putin ascended to the Russian presidency, sets forth three objectives. The first, the international front, requires influencing the United Nations through the definition of terms, such as those pertaining to information weapons; a second approach on this front is shaping international opinion on the development of the information society. The second prong pertains to securing domestic information security. The internal policies are aimed at technical issues such as cyber-crime and at psychological issues such as the information-psychological stability of society. This is haughty language for saying that the Russians do not like the threat from news sources external to the Russian Federation. Russian policy makers understand the vulnerability of their society to disinformation provided from external sources. Finally, the third prong requires the military to modernize itself in both command-and-control and information-based equipment. It also recognizes the need to improve the psychological stability of its fighting force; the military is to provide objective reporting to its soldiers to enhance their patriotism. The coach of the 1980 US Olympic hockey team, Herb Brooks, determined that in order to beat the Russians, the US would need to play the game the way the Russians played, only better. Brooks developed a hybrid of the American and Canadian style and the faster European style, which emphasized creativity and teamwork. The strategy worked. For the US to succeed against the Russian cyber onslaught, we will need to adopt the same approach.

Monday, May 5, 2014

The article “Ethics Online” identifies three ethical aspects of communication: scope, anonymity, and reproducibility. Not since the mid-15th century have the consequences of these three aspects been brought so forcefully to the forefront of communications ethics. Gutenberg’s invention of the movable-type printing press produced a prompt jump in the communication of ideas. With this advance in technology, authorship became attributable and traceable, and anonymity became harder to keep. Reproducibility of the printed word in Renaissance Europe outpaced that of the Far East by a factor of 90. The Gutenberg press increased the spread and reproducibility of the written or printed word and of ideas; unlike today’s communications technologies, however, it decreased the anonymity of authors. Between the invention of the Gutenberg press and the arrival of today’s communication technologies, another revolution took place. The sexual revolution of the 1960s changed the sexual morals of Western societies. “Relationships” and “partners” became euphemisms for what was once referred to as “shacking up” and “gay sex”. An upside of this revolution is that the female half of society is allowed to make its own way in the world, have careers, and raise children without needing a relationship with a man. While the sexual revolution was intended to liberate adults, this liberated sexuality is now communicated to those not mature enough to make appropriate decisions. Sexting is a convergence of the modern communications and sexual revolutions and has affected all segments of society, including teens and supposedly responsible lawmakers. Texting is far less damaging than its thousand-word (pictorial) counterpart, but it too has had disastrous results. Both proposed and enacted legislation is intended to counter the effects of these two media. 
The virtually unlimited scope of distribution and relative ease of reproducibility, coupled with anonymity (or in some cases a false sense of it), take the ethical and moral repercussions of distributing the output of these modern-day Gutenberg presses to new heights. Sexting and texting have also raised their ugly heads in the workplace. Inappropriate use of these media can lead to accusations of privacy violations and sexual harassment. Although the results are similar to those found in private life, a more formidable issue lies in the corporate financial implications. News of events occurring within the workplace, a fire, an injury, a death, even organizational changes or financial disclosures, is often communicated before the corporate Chief Executive Officer (CEO) can issue a press release. Recently, an earthquake occurred at the San Onofre Nuclear Generating Station (SONGS) in California. Within seven minutes of the event, the President of the United States called the control room of the nuclear plant to get a report on the safety of the facility. One of the challenges facing corporate communications is the speed at which news travels, with its scope of distribution, anonymity of sources, and reproducibility, and the escalated need for damage control before damage actually occurs. If corporations expect to provide for their fiscal security, they will need to adapt to evolving communications technologies. The primary preemptive strategy is to limit the distribution of information. Communications awareness programs make employees aware of the implications of divulging information to the news media, whether intentionally or not. The corporate catch-phrase to be used by employees approached by the news media is, “Our Corporate Communications can answer that question.” Another strategy is for corporations to hire consulting agencies that monitor the blogosphere and provide information on the corporation’s own blog site. 
Rumors are quickly and succinctly challenged and dispelled with accurate and credible information.

Wednesday, April 30, 2014

Nuclear energy is used to produce electric power in approximately 13% of the world’s countries. Some of the biggest producers of electric power in this manner are the United States of America, Japan, China, France, the United Kingdom, and Russia. Countries that rely on nuclear power for a smaller percentage of their electricity needs include Sweden and South Korea. At this time, nuclear power reactors are under construction in Brazil and South Korea. There are over 440 operating nuclear power plants worldwide. Most countries rely on light-water reactors, which are generally regarded as inherently safe, with gas-cooled, graphite-moderated reactors often cited as the safest. Canada, however, relies on heavy-water reactors (the CANDU design), which are considered more dangerous to run than light-water reactors and which therefore carry additional risk, including where the cyber-security of their control systems is concerned. Similarly, the Russian Chernobyl reactor design, the high-power channel reactor (RBMK), is a pressurized water-cooled reactor with individual fuel channels and a graphite moderator, whose core characteristics (chiefly a positive void coefficient) make it prone to power surges. The disaster at Chernobyl illustrates very well the threat of this reactor design and the potential threat from the peaceful use of the atom. In anticipation of issues that are naturally going to occur, the United Nations in 1957 established the International Atomic Energy Agency (IAEA), whose purpose is to provide a world-wide collaborative effort among States regarding the use of nuclear energy for peaceful means, or “Atoms for Peace.” The programs of the IAEA encourage the development and sharing of information for the peaceful applications of nuclear technology, provide international safeguards against misuse of nuclear technology and nuclear materials, and promote nuclear safety. The mission of the IAEA includes the development of nuclear security standards and their implementation. 
In this regard, nuclear security involves the prevention, detection, and response to, criminal or intentional, unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities, and other intentional acts that could directly or indirectly produce harmful consequences to persons, property, society or to the environment.

Sunday, April 27, 2014

The cyber threat to the infrastructure of the United States of America is well known and understood. This threat is against all forms of infrastructure, including basic utilities such as communications systems and power and water production and distribution. Most citizens don’t appreciate the infrastructure behind talking on their new cell phone or switching on the electric lights in the morning. Electric generating plants convert thermal energy from a boiler (burning coal, oil, or gas) or a nuclear reactor (using uranium) into mechanical energy, which in turn is converted into the electrical energy we all use in our homes and businesses. The process is extremely complex and requires a substantial amount of automation. Most of this automation comes in the form of digital controls, and although this automation significantly increases both the reliability and the capacity of a nuclear-powered electric generating station, digital controls also introduce a significant threat to the safe operation of the facility. The need for cyber-security at nuclear power plants stems from Federal regulations: the physical-protection regulations have been in place for decades, but the cyber-security regulations (in the US, the NRC’s 10 CFR 73.54, protection of digital computer and communication systems and networks, issued in 2009) are recent. The introduction of these new regulations, especially after the emergence of newer digital technologies, has placed a significant resource burden on the nuclear power plant. The original systems were not designed for the security measures now required, e.g., password protection and automatic auditing of systems, and retrofitting them is costly. Of course, the electric utility simply passes these costs on to the consumer.

Monday, April 14, 2014

The Heartbleed bug is in the news. The bug is in OpenSSL, a software library used in web servers, operating systems, and email and instant-messaging systems. OpenSSL is an open-source implementation of the SSL/TLS cryptographic protocols, which are designed to provide secure communications over the internet. TLS relies on X.509 certificates and the public key infrastructure (PKI) behind them to authenticate servers (the Privilege Management Infrastructure, or PMI, defined alongside X.509 is not used by TLS). The core library implements basic cryptographic functions and provides various utility functions. Two different OpenSSL problems tend to get mixed together in the coverage. The first, and the one the name Heartbleed actually refers to, is CVE-2014-0160: the code handling the TLS heartbeat extension copied the number of bytes the peer claimed to have sent rather than the number it actually sent, so a client could ask a server for up to 64 KB of whatever happened to be adjacent in the server’s memory, including private keys, session cookies, user names, and passwords. The flaw was introduced at the end of 2011, shipped in OpenSSL 1.0.1 in 2012, and was disclosed and fixed in 1.0.1g on April 7, 2014, which is why some sources date the bug to 2011 and 2012. The second, older problem, which some reports confuse with Heartbleed, arose when the maintainer of the Debian OpenSSL package issued a patch to silence warnings from the Valgrind analysis tool. Apparently the patch was not adequately tested: it broke the random number generator, starting with the Debian release of September 2006, version 0.9.8c-1, and any key generated with the broken generator between then and the May 2008 fix, along with any data protected by such a key, must be considered compromised. In both cases the problems have now been corrected, but any data transmitted in the meantime, including user names and passwords, may have been exposed, and certificates whose private keys may have been read through Heartbleed had to be reissued. The good news is that neither bug was intentional and that Heartbleed was found by security researchers reviewing the code rather than by an attacker, although some sources contradict this latter position. Based on examinations of audit logs, researchers have reported that some attackers may have exploited the flaw for at least five months before discovery and announcement. On April 12, 2014, two independent researchers were able to steal private keys from an experimental server using this attack. Some sources also indicate that the US National Security Agency discovered the bug but kept the news to itself in order to exploit it. 
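To make the heartbeat flaw concrete, here is an added example (not OpenSSL’s code, and not part of the original post) that models the vulnerable handler from OpenSSL 1.0.1 through 1.0.1f beside the checked version shipped in 1.0.1g. The record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) follows RFC 6520, which the heartbeat extension implements. The hb_conn struct, the buffer sizes, the “secret” string placed after the record, and the demo-only cap that keeps the over-read inside the simulated buffer are all assumptions made for this example; the real code had no such cap and read straight off the end of the record.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of random padding */

/*
 * Simulated connection memory (constructed for this example). The record the
 * peer actually sent occupies the first rec_len bytes of mem; whatever follows
 * is unrelated data from the same process, here a fake session cookie.
 */
typedef struct {
    uint8_t *mem;      /* start of the received heartbeat record */
    size_t   mem_len;  /* bytes of process memory reachable after it (demo only) */
    size_t   rec_len;  /* length of the record that was actually received */
} hb_conn;

/* Big-endian 16-bit read, as OpenSSL's n2s() macro does. */
static unsigned int n2s(const uint8_t *p) { return ((unsigned int)p[0] << 8) | p[1]; }

/*
 * Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: the attacker-supplied
 * payload length is trusted and memcpy copies that many bytes from wherever the
 * record sits in memory. Returns the response length, or -1 if not answered.
 */
int hb_process_vulnerable(const hb_conn *c, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = c->mem;
    uint8_t hbtype = *p++;
    unsigned int payload = n2s(p);                 /* BUG: never checked against rec_len */
    p += 2;
    if (hbtype != HB_REQUEST) return -1;           /* responses are ignored in this model */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    if ((size_t)(payload + 3) > c->mem_len) return -1; /* demo-only guard, not in OpenSSL */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, p, payload);                   /* over-reads when payload > rec_len - 19 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler, with the two bounds checks added in OpenSSL 1.0.1g. */
int hb_process_fixed(const hb_conn *c, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = c->mem;
    if (1 + 2 + HB_PADDING > c->rec_len) return -1;            /* silently discard */
    uint8_t hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > c->rec_len) return -1;  /* RFC 6520 sec. 4: discard */
    if (hbtype != HB_REQUEST) return -1;
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, p, payload);                   /* now bounded by what was received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed secret that sits in memory right after the record. */
static const char SECRET[] = "sessionid=deadbeefcafef00d";

/* Build a one-byte heartbeat that claims `claimed` bytes of payload. */
size_t build_conn(hb_conn *c, uint8_t *buf, size_t buf_len, unsigned int claimed)
{
    memset(buf, 0, buf_len);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)claimed;
    buf[3] = 'A';                                   /* the single real payload byte */
    c->rec_len = 1 + 2 + 1 + HB_PADDING;            /* type + length + payload + padding */
    memcpy(buf + c->rec_len, SECRET, sizeof SECRET); /* adjacent "heap" contents */
    c->mem = buf;
    c->mem_len = buf_len;
    return c->rec_len;
}

/* Returns 1 if the response bytes contain the secret, else 0. */
int response_leaks_secret(const uint8_t *out, int out_len)
{
    if (out_len < 0) return 0;
    for (int i = 0; i + (int)sizeof SECRET - 1 <= out_len; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t mem[256], out[512];
    hb_conn c;
    build_conn(&c, mem, sizeof mem, 64);            /* claim 64 bytes, send 1 */
    int n = hb_process_vulnerable(&c, out, sizeof out);
    printf("vulnerable: %d-byte response, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = hb_process_fixed(&c, out, sizeof out);
    printf("fixed: %d (record silently discarded)\n", n);
    return 0;
}
```

The same request that returns the fake session cookie from the vulnerable handler is discarded by the fixed one, because 1 + 2 + 64 + 16 exceeds the 20 bytes actually received; a well-formed request claiming one byte is answered identically by both.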
http://www.bbc.com/news/technology-26935905
http://en.wikipedia.org/wiki/OpenSSL
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/X.509
http://en.wikipedia.org/wiki/Heartbleed

Sunday, April 13, 2014

It never ceases to amaze me what the newest scams on the internet are. Apparently, the purveyors of Napster aren’t satisfied with their scamming of the music and video industry; they have new targets. The US Federal Trade Commission (FTC) is investigating the operators of Jerk.com. The operators scraped data from Facebook, including user names and pictures, and posted the information on the Jerk.com website, along with the label JERK or NOT A JERK. Those labeled a Jerk could pay $30.00 to have the classification revised. Jerk.com collected more than 73 million names of Facebook subscribers. What is particularly disturbing to the FTC is that some subscribers who never gave permission still found their picture on Jerk.com with the label “Jerk” attached, and when they paid the $30 to have it removed, the label remained. Can’t the Jerk.com operators find a more moral endeavor and not resort to underhandedness? Jerk.com took advantage of Facebook’s developer platform, which allows approved apps to collect some user information. The FTC claims that Jerk.com abused that system when it collected posted information intended to be private, including some intimate images, such as a mother breastfeeding her baby. Of course, the Jerk.com attorney claims the FTC is barking up the wrong tree. All this just goes to show that people will make money by any means possible.