Monday, May 26, 2014

For the past twelve weeks, the students in the Bellevue University Cyber Security Master’s degree program taking CYBR 650, Current Trends in Cyber Security, have experienced several learning opportunities. We spent considerable time reviewing past courses and assignments in preparation for developing a process model and creating a systems analysis for a real or fictional cyber security network. Developing the process model required us to formalize a means of diagramming how a threat is determined, so that the process can be repeated for emerging or newly identified issues. The systems analysis required us to identify the “as-is” state of the cyber security system used in the process model: develop a network diagram, describe the physical facilities, and document the policies, standards, and procedures required by the case study.

In addition, we investigated several trends associated with cyber security, specifically how these trends have affected the security of computer systems and what is needed to protect those systems. The expansion of cloud computing has introduced new vulnerabilities and threats into the world of computing. Cloud computing adds a third dimension to what had been a relatively planar concept of computing: in the past, computing was one person at one computer, then it progressed to networks, wired and wireless, and the next step of the progression connects multiple devices to a single individual or to many, which is cloud computing. With each step of this progression the security needs increase sharply. For example, one of the postings we reviewed indicates that a conflict of interest may be introduced into the security model for cloud computing; the enterprise must be aware of potential conflicts of interest and ensure appropriate agreements are in place to prevent and eliminate such conflicts.

The cyber security job market is exploding, and the need for trained, certified and qualified personnel to fill these jobs is not being met fast enough. The news media is replete with stories about the hot job market in cyber security. The rate of online attacks against companies and government agencies is causing the cyber security job market to grow at 3.5 times the pace of the overall IT job market and 12 times the pace of the overall job market, making it one of the most highly sought-after fields in the country. The threats from cyber attacks come from within the US and from abroad, which is disconcerting to many, and the need for cyber security specialists keeps expanding. It seems that everything is under attack, including all manner of infrastructure. Demand for cyber security experts grew 73% during the five years from 2007 through 2012. Compensation for cyber security experts, including engineers, analysts, managers, architects and others, averages over $101,000 per year, whereas the average IT job pays only $89,000. For someone who has the education and experience but does not already have a job in this area, gaining employment should be rather easy.

Another trend in the industry is Bring Your Own Device (BYOD), whereby corporations replace the devices they own with devices their employees own. Mobile devices and their apps are becoming ingrained in the business culture, and their complexity, in operating systems, security, and ownership, is growing with their popularity. They are being integrated into the daily business processes and operations of organizations, improving productivity and becoming a critical, yet complex, component of the computing environment, and mobile devices and their apps are becoming more powerful than the personal computers they supplement. As with any new and very popular technology, there are those who will find a way to outsmart unprotected smart devices, giving them access to even more valuable back-end data such as bank accounts, corporate (organizational) intellectual property and personal health information. The industry has seen a significant uptick in mobile malware, according to a report by Juniper Networks.

Something I hadn’t considered was the need for cyber security insurance. Of course it stands to reason that if there is money to be made, the insurance industry would find a way to make it. The Ponemon Institute conducts independent research on privacy, data protection and information security policy. Its mission is to assist private and public enterprises in understanding the trends in practices, perceptions and potential threats that affect the collection, management and safeguarding of personal and confidential information about individuals and organizations, and its research educates these enterprises on how to better protect their data and, in doing so, protect their brand and reputation as a trusted enterprise. As part of its research, the Ponemon Institute estimates that organizations incurred $5.4 million in costs per data breach in 2013, an increase of 26% over the year before. According to the Ponemon Institute, enterprises are increasingly opting to purchase cyber insurance: approximately 40% of the study’s subjects already have it, and another 40% plan to purchase it. The trend is that more heavily regulated companies are more likely to purchase cyber insurance, as are larger, more sophisticated companies, which are better able to afford it, can spread the cost more easily, and have much more reputation to lose. Retailers have been especially slow, though this trend, too, is picking up. Universities, which are subject to a large number of breaches, are also slow to purchase insurance; they are not as regulated as most and are considered institutions (of higher learning) rather than businesses, which in fact they are.

Many businesses use satellite communications to upload and download information and data. Walmart Stores, for example, uses both the telephone system (T1 lines) to download information and satellite services to upload it. (Note: the equipment and transmit power needed to send information to a satellite are prohibitively expensive for a single store, but corporate headquarters can afford to provide the necessary service to hundreds of its stores.) The principal threats to satellite transmissions are similar to those facing wired and wireless networks, but satellite communications also provide other avenues of disruption. One of the greatest weaknesses is the dependence on GPS, where spoofing, feeding a receiver counterfeit positioning signals, is the biggest vulnerability; GPS spoofing can be used to hijack a drone or a vessel. The good news pertaining to satellite hacking is that it takes expensive and specialized equipment. The typical teenage hacker is not likely to conduct such operations, but governments such as the US and Russia certainly have the technology and resources to conduct such an evolution.

Monday, May 12, 2014

Russia has a broad concept of information security that is very different from the West’s. The September 2000 Doctrine of Information Security of the Russian Federation, released shortly after Putin ascended to the Russian presidency, sets forth three objectives. The first, on the international front, calls for influencing the United Nations through the definition of terms, such as those pertaining to information weapons, and for shaping international opinion on the development of the information society. The second prong pertains to securing domestic information security; the internal policies are aimed at technical issues such as cyber-crime and psychological issues such as the information-psychological stability of society. This is haughty language for saying that the Russians do not like the threat from news sources external to the Russian Federation; Russian policy makers understand the vulnerability of their society to disinformation provided from external sources. Finally, the third prong requires the military to modernize itself in both command-and-control and information-based equipment. It also recognizes the need to improve the psychological stability of its fighting force: the military needs to provide objective reporting to its soldiers to enhance their patriotism. The coach of the 1980 US Olympic hockey team, Herb Brooks, determined that in order to win against the Russians, the US would need to play the game the way the Russians played it, only better. Brooks developed a hybrid of the American and Canadian style and the faster European style, which emphasized creativity and teamwork. The strategy worked. In order for the US to succeed against the Russian cyber onslaught, we will need to adopt the same approach.

Monday, May 5, 2014

The article “Ethics Online” identifies three ethical aspects of communication: scope, anonymity, and reproducibility. Not since the mid-15th century have the consequences of these three aspects been brought so forcefully to the forefront of communications ethics. Gutenberg’s invention of the movable-type printing press produced a prompt jump in the communication of ideas. With this advance in technology, authorship became attributable and traceable, and authors could no longer easily remain anonymous. Reproducibility of the printed word during the Renaissance by Europeans outpaced their counterparts in the Far East by a factor of 90. The Gutenberg press thus increased the spread and reproducibility of the written or printed word and of ideas, but, unlike today’s communications technologies, it decreased the anonymity of authors.

Between the invention of the Gutenberg press and the advent of today’s communication technologies, another revolution took place. The sexual revolution of the 1960s changed the sexual morals of Western societies: “relationships” and “partners” became euphemisms for what was once referred to as “shacking up” and “gay sex”. An upside of this revolution is that women are able to make their own way in the world, have careers, and raise children without needing a relationship with a man. While the sexual revolution was intended to liberate adults, this liberated sexuality is communicated to those not sufficiently mature to make appropriate decisions. Sexting is a convergence of the modern communications and sexual revolutions and has affected all segments of society, including teens and supposedly responsible lawmakers. Texting is far less damaging than its picture-based counterpart (a picture being worth a thousand words), but it too has had disastrous results. Both proposed and enacted legislation is intended to counter the effects of these two media. The virtually unlimited scope of distribution and relative ease of reproducibility, coupled with anonymity, or in some cases a false sense of it, take the ethical and moral repercussions of distributing the output of these modern-day Gutenberg presses to new heights.

Sexting and texting have also raised their ugly heads in the workplace, where inappropriate use of these media can lead to accusations of privacy violations and sexual harassment. Although the consequences there resemble those in private life, a more formidable issue lies with the corporate financial implications. News of events within the workplace, a fire, an injury, a death, even organizational changes or financial disclosures, is often communicated before the corporate Chief Executive Officer (CEO) can issue a press release. Recently, an earthquake occurred at the San Onofre Nuclear Generating Station (SONGS) in California, and within seven minutes of the event the President of the United States called the control room of the nuclear plant to get a report on the safety of the facility. One of the challenges facing corporate communications is the speed at which news travels, with its scope of distribution, anonymity of sources, and reproducibility of information, and the escalated need for damage control before damage does indeed occur. If corporations expect to provide for their fiscal security they will need to adapt to evolving communications technologies. The primary preemptive strategy is to limit the distribution of information: communications awareness programs make employees aware of the implications of divulging information to the news media, whether intentionally or not, and the corporate catch-phrase for employees approached by the news media is, “Our Corporate Communications office can answer that question.” Another strategy is for corporations to hire consulting agencies that monitor the blogosphere and provide information on the corporation’s own blog site, where rumors are quickly and succinctly challenged and dispelled with accurate and credible information.

Wednesday, April 30, 2014

The use of nuclear energy to produce electric power is found in approximately 13% of the world’s countries. Some of the biggest producers of electric power in this manner are the United States of America, Japan, China, France, the United Kingdom and Russia; countries that draw a smaller share of their electricity from nuclear power include Sweden and South Korea. At this time, nuclear power reactors are under construction in Brazil and South Korea, and there are over 440 operating nuclear power reactors worldwide. Most countries rely on light-water reactors, which have strong inherent safety characteristics, with the gas-cooled, graphite-moderated reactor regarded as the safest. Canada, however, relies on heavy-water (CANDU) reactors, which have a positive void coefficient and so depend more on active control than light-water reactors do; they are more demanding to run, and that dependence on control systems adds risk relative to cyber-security. Similarly, the Soviet-designed Chernobyl reactor, the high-power channel reactor (RBMK), combines pressurized-water cooling in individual fuel channels with a graphite moderator, and its core characteristics make it prone to power surges. The disaster at Chernobyl illustrates very well the threat of this reactor design and the potential threat of the peaceful use of the atom.

In anticipation of issues that are naturally going to occur, the United Nations in 1957 established the International Atomic Energy Agency (IAEA), whose intent is to provide a world-wide collaborative effort among States regarding the use of nuclear energy for peaceful purposes, or “Atoms for Peace.” The programs of the IAEA encourage the development and sharing of information for the peaceful applications of nuclear technology, provide international safeguards against misuse of nuclear technology and nuclear materials, and promote nuclear safety. The mission of the IAEA includes the development of nuclear security standards and their implementation. In this regard, nuclear security involves the prevention and detection of, and response to, criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities, and other intentional acts that could directly or indirectly produce harmful consequences to persons, property, society or the environment.

Sunday, April 27, 2014

The cyber threat to the infrastructure of the United States of America is well known and understood. It is directed against all forms of infrastructure, including basic utilities such as communications systems and the production and distribution of power and water. Most citizens don’t appreciate the infrastructure behind talking on their new cell phone or switching on the electric lights in the morning. Electric generating plants convert thermal energy from a boiler (burning coal, oil or gas) or a nuclear reactor (using uranium) into mechanical energy, which in turn is converted into the electrical energy we all use in our homes and businesses. The process is extremely complex and requires a substantial amount of automation. Most of this automation comes in the form of digital controls, and although it significantly increases both the reliability and the capacity of a nuclear-powered electric generating station, digital controls also introduce a significant threat to the safe operation of the facility: a controller that can be reached over a network can be manipulated over that network. The need for cyber-security at the nuclear power plant stems from Federal regulations that have long required physical protection of the plant; although those regulations have been in place for decades, cyber-security regulations are only recent. The introduction of these new regulations, coming after the emergence of the newer digital technologies, has placed a significant resource burden on the nuclear power plant. The original systems were not designed for the required security measures, e.g., password protection and automatic auditing of systems, and the additional regulations are costly to implement. Of course, the electric utility simply passes these costs on to the consumer.

Monday, April 14, 2014

The Heartbleed bug is in the news. The bug was found in OpenSSL, an open-source implementation of the SSL/TLS cryptographic protocols that is used in web servers, operating systems, and email and instant-messaging systems to provide secure communications over the internet. TLS uses X.509 certificates and a public key infrastructure (PKI) to authenticate the parties, and the OpenSSL core library implements the basic cryptographic functions along with various utility functions. Heartbleed itself (CVE-2014-0160) is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a peer sends a heartbeat request whose header claims a payload length larger than the payload it actually carries, and the vulnerable code echoes back that many bytes from process memory, up to 64 KB per request. Because the leaked memory can contain private keys, session cookies, user names and passwords, any key and any data handled by a vulnerable server must be treated as compromised. The flaw was introduced at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012, which is why some sources date the bug to 2011 and 2012; it was fixed in OpenSSL 1.0.1g, released with the public disclosure on April 7, 2014. It should not be confused with an earlier, separate OpenSSL problem in the Debian Linux distribution: in September 2006 the Debian maintainer patched the package (version 0.9.8c-1) to silence error messages from the Valgrind analysis tool, the patch was not adequately tested, and it broke the random number generator, so that any key generated with the affected package, along with any data encrypted under it, was compromised. Both problems have been corrected, but in each case any data transmitted in the meantime, including user names and passwords, must be assumed compromised. The good news is that Heartbleed appears to have been a coding mistake rather than an intentional backdoor, and that it was discovered by security researchers at Google and Codenomicon rather than disclosed by an attacker, although some sources contradict this latter position. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement. On April 11 and 12, 2014, independent researchers were able to steal private keys using this attack from an experimental server set up as a challenge. Some sources also indicate that the US National Security Agency discovered the bug earlier but kept the news to itself in order to exploit it; the agency has denied this.
http://www.bbc.com/news/technology-26935905 http://en.wikipedia.org/wiki/OpenSSL http://en.wikipedia.org/wiki/Transport_Layer_Security http://en.wikipedia.org/wiki/X.509 http://en.wikipedia.org/wiki/Heartbleed
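The heartbeat flaw described above, shown as an added example. This is not OpenSSL’s code and not from the original post: the record layout follows the TLS heartbeat extension (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding), while the arena, the planted secret string, and the function names are constructed for the demonstration. The vulnerable handler trusts the length field and echoes that many bytes, so a request carrying four payload bytes but claiming 100 pulls unrelated memory into the response; the hardened handler applies the same shape of check the fix added, dropping any record whose claimed payload does not fit inside what was actually received.

```c
/* Added example modelling the Heartbleed over-read; not OpenSSL source. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  256     /* assumed size of the stand-in process memory */

/* Stand-in for process memory: the inbound record lives at the start and
 * unrelated data follows it (a constructed stand-in for a session cookie). */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SECRET:session-cookie=deadbeef";

/* Build a heartbeat request at arena[0..] whose header claims claimed_len
 * payload bytes but which really carries only actual_len bytes.
 * Returns the true length of the record "received" from the wire. */
size_t build_request(uint16_t claimed_len, const uint8_t *payload, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    /* plant "unrelated" memory right after the record, as a real heap would */
    memcpy(arena + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable handler: trusts the peer-supplied length and echoes that many
 * bytes. rec_len is never consulted, which is the whole bug. The copy stays
 * inside the arena here only because the test keeps claimed_len small. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t *out_len) {
    (void)rec_len;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* reads past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    *out_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* Hardened handler: reject (silently drop, as the fix does) any record whose
 * claimed payload plus header and padding exceeds what was received. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t *out_len) {
    if (rec_len < 3 + HB_PADDING) return -1;        /* no room for header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > rec_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    *out_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* Did the response carry the planted secret, i.e. bytes never in the request? */
int response_leaks_secret(const uint8_t *resp, size_t resp_len) {
    size_t n = sizeof secret - 1;
    for (size_t i = 3; i + n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    static uint8_t out[3 + 65535 + HB_PADDING];     /* largest possible response */
    size_t n;
    size_t rec_len = build_request(100, (const uint8_t *)"ping", 4);
    heartbeat_vulnerable(arena, rec_len, out, &n);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    printf("fixed: %s\n",
           heartbeat_fixed(arena, rec_len, out, &n) == 0 ? "answered" : "dropped");
    return 0;
}
```

The detection side follows from the same check: a heartbeat request whose declared length exceeds the record it arrived in has no legitimate reason to exist, which is exactly the condition the hardened handler tests before copying a single byte.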

Sunday, April 13, 2014

It never ceases to amaze me, the newest scams on the internet. Apparently, the purveyors of Napster aren’t satisfied with their scamming of the music and video industry; they have new targets. The US Federal Trade Commission (FTC) is investigating the operators of JERK.COM. The operators are scraping data from Facebook, including user names and pictures, and posting the information on the Jerk.com website along with the moniker JERK or NOT A JERK. Those with the Jerk moniker can pay $30.00 to have the classification revised. Jerk.com has collected more than 73 million names of Facebook subscribers. What is particularly disturbing to the FTC is that some subscribers didn’t give permission and still found their picture on Jerk.com with the moniker “Jerk” attached, and when they paid the $30 to have it removed, the moniker remained. Can’t the Jerk.com operators find a more moral endeavor and not resort to underhandedness? Jerk.com took advantage of Facebook’s corporate apps program, which allows some gleaning of information. The FTC claims that the Jerk.com site abused the system and processes when it collected posted information intended to be private, including some intimate images, such as a mother breastfeeding her baby. Of course the Jerk.com attorney claims the FTC is barking up the wrong tree. All this just goes to show that people will make money by any means possible.

Tuesday, April 1, 2014

The consequences of a cyber-attack on a commercial nuclear power plant are very real. Examples of what can happen are visible in the disasters at Three Mile Island in the US, Chernobyl in Ukraine (then part of the Soviet Union), and Japan’s Fukushima Daiichi nuclear plant. Although none of these disasters was the result of a cyber-attack, each provides an example of the potential results of such an attack. Although no successful cyber-attack on a US nuclear plant is known, two unintentional but similar occurrences highlight the potential for one. Exporting the HMI (Human-Machine Interface) screen, that is, presenting the operator’s control panel to a remote party, is a form of spoofing that gives that party the input/output device which controls the computer system. Plant engineers at the Browns Ferry Nuclear Plant in Athens, Alabama, intentionally performed this form of spoofing, although without intending to hack the system. The exported HMI screen allowed the reactor recirculation pump vendor’s technician to control the recirculation pumps through the variable frequency drive (VFD) that governs the pumps’ speed; ultimately, the technician gained control of reactor power, something only an individual licensed by the United States Nuclear Regulatory Commission (NRC) is authorized to do.

Data storming is a term similar to denial of service, but instead of originating outside the computer system, the flood of traffic arises from within it. Many digital control systems run a variety of operating systems and therefore communicate differently, and a translator converts all such communications into one that is common to the primary computer. In August 2006, the Browns Ferry recirculation pump controllers suffered such a data storm, causing the pumps to trip and the reactor to be tripped in turn. The engineers realized that a data storm could have an even more adverse effect on the plant, for example by causing the pumps to operate in such a way as to exceed reactor thermal limits, leading to a meltdown. In addition to the inadvertent cyber configuration control issues at Browns Ferry, at least one worm infection has occurred at a US nuclear plant. In January 2003, the Davis-Besse nuclear plant was infected by the SQL Slammer worm, which caused increased data traffic on the site’s network, resulting in the plant’s Safety Parameter Display System (SPDS) and plant process computer being unavailable for several hours. The investigation determined that a contractor had failed to clear his computer of malware and that the event was not a malicious cyber-attack. In addition, plant personnel were not aware of a patch that could have protected the network.

Saturday, March 29, 2014

Commercial Nuclear Power Plant Cyber Security Policy

The birth of the current security posture for commercial nuclear power plants is linked to the security imposed on the Manhattan Project, which ultimately produced the atomic bomb. Following World War II, the United States Congress passed the McMahon Act (the Atomic Energy Act of 1946), which determined how the US government would control and manage nuclear technology and created the Atomic Energy Commission (AEC). Congress amended the McMahon Act as the Atomic Energy Act of 1954, which included provisions for the security of nuclear material. The Act is implemented through regulations in Title 10 of the Code of Federal Regulations (CFR). 10CFR73, Physical Protection of Plants and Materials, prescribes the requirements for establishing and maintaining physical protection systems capable of protecting special nuclear material. The regulation specific to cyber security is 10CFR73.54, Protection of Digital Computer and Communication Systems and Networks, which requires nuclear plant licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber-attacks, up to and including the design basis threat. The commercial nuclear industry’s trade group, the Nuclear Energy Institute (NEI), collaborated with the federal regulator, the US Nuclear Regulatory Commission (NRC), to develop NEI 08-09, Cyber Security Plan for Nuclear Power Reactors. This document serves as a template for nuclear plant operators to develop a cyber-security plan that satisfies 10CFR73.54.

Nuclear plant operators are required to protect digital assets against cyber-attacks that would modify, destroy, or compromise the integrity or confidentiality of data and/or software; deny access to systems, services, and/or data; or impact the operation of systems, networks, and associated equipment, as they pertain to:

• Nuclear safety-related and important-to-safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment that, if compromised, would adversely affect safety, security, or emergency preparedness functions.

Nuclear plant operators have until December 31, 2015, to implement the requirements of 10CFR73.54. However, due to costs and other implementation coordination issues, some nuclear plant operators are requesting an extension of the deadline by a year or two.

Monday, March 24, 2014

Most legitimate cyber security news publishers, such as Security Magazine (http://www.securitymagazine.com) and Government Security News (http://www.gsnmagazine.com/), can be considered credible sources of information. Other sources of information are published by computer industry groups such as the Software Engineering Institute (http://www.sei.cmu.edu/) and in the Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2013/). Another excellent source of cyber security news is the SANS Institute (http://www.sans.org/newsletters/). However, the source most recognized for threats, vulnerabilities, updates and security news is the MITRE Corporation (http://www.mitre.org/), which maintains the Common Vulnerabilities and Exposures (CVE) list, a catalog of publicly known vulnerabilities in products and services. There are many others out there, too numerous to list. These are by far the most credible sources of information: the respective organizations are not promoting a product to the everyday commercial consumer, they are staffed and supported by industry professionals and, as such, are subject to peer scrutiny, and they are not likely to publish bad information. Commercial computer security suppliers, like Norton (http://us.norton.com/) and McAfee (http://www.mcafeeoffers.com/), are also good sources of information. I secure my home computer using Norton 360, and periodically (about once per month) I get a pop-up notifying me of the latest news. McAfee antivirus software may do this also. A Google search for the term “data breach reports” returns a link to the identity theft vendor LifeLock (http://www.lifelock.com/); although the services provided by this supplier may be satisfactory, the web site does not provide any useful information. Other similar products may also provide dubious information. If I find conflicting information, I consider the information source and any possible motivations behind their respective pronouncements. I prefer those organizations/sources who are not attempting to promote a product.

Wednesday, March 12, 2014

CYBR 650 Introductory Blog -- Hello, my name is Robert Nilsson. I am a student in Bellevue University’s Cyber Security Master’s degree (MS) program. I am in my final semester and am taking two courses: CYBR 650, Current Trends in Cyber Security, and PS 639, Cyberwar and Cyber Deterrence. CYBR 650 is a capstone course and we are currently engaged in process modeling. Based upon the subjects listed on the Discussion Board (where we post our assignments), it appears that we will be discussing processes and systems analysis, amongst other things. We will also be delving into current trends in cyber security. This blog will focus on the CYBR 650 course and will most likely be updated weekly (depending on the weekly assignment requirements) on my progress and what I’ve learned and discovered during this semester. This first week I am challenged with determining a threat analysis process model. Yeah, right! I have a lot of research to complete before I begin to develop my model. I know what a threat is, but how do I create a process and fit it into a flow chart? Interestingly enough, in my research I came across a PowerPoint presentation developed by Microsoft which indicates that a flow chart is the wrong way to do this. Oh, well, I’ve got to do what the assignment requires. I don’t believe Microsoft is the only player in the cyber security game anyway. So it’s off to the cyber world, getting creative and having fun learning.