Showing posts with label IT security. Show all posts

October 23, 2017

Cybersecurity Vulnerabilities Database

There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 

And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit them!

Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20-days!

Additionally, China's database has thousands of vulnerabilities identified that don't appear in the U.S. version. 

Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 

Why the lag and disparity in reporting between their systems and ours?

China uses a "wider variety of sources and methods" for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources--hence, it's a "trade-off between speed and accuracy."

For reference: 

The Department of Commerce's National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).

And the NVD is built off of a "catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp."

Unfortunately, when it comes to cybersecurity, speed is critical.

If we don't do vastly better, we can be cyber "dead right" before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  ;-)

(Source Photo: Andy Blumenthal)

October 19, 2017

Never Ever More Vulnerable

So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.

As we all know, our cybersecurity has not kept near pace with our ever-growing reliance on everything technology.

There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 

Energy
Transportation
Agriculture
Banking
Commerce
Health
Defense
Manufacturing
Telecommunications

If ANYTHING serious happens to cripple our technology base, we are toast!

From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to an EMP blast that simply fries all our electronic circuitry--we are at the mercy of our technology underpinnings.

Don't think it cannot happen!

Whether it's WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Lab hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP--these are just a few of the recent cyber events of 2017!

Technology is both a blessing and a curse--we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!

This is not just a risk that life could become more difficult or inconvenient--it is literally an existential threat, but who wants to think of it that way?

People, property, and our very society are at risk when our cybersecurity is not what it must be.

It's a race of defensive against offensive capability. 

And we can't just play defense, we had better actually win at this! ;-)

(Source Photo: Andy Blumenthal)

April 12, 2016

Turn, Press, Pull -- Gonna Get Ya

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights...hey, let's see if we can make those flash on, off, on.

Panel 13, nicely numbered for us--let's look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don't even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open "opportunity" and that's our bad. ;-)

(Source Photo: Andy Blumenthal)


June 10, 2014

I Like That Technology

Christopher Mims in the Wall Street Journal makes the case for letting employees go rogue with IT purchases.

It's cheaper, it's faster, "every employee is a technologist," and those organizations "concerned about the security issues of shadow IT are missing the point; the bigger risk is not embracing it in the first place."


How very bold or stupid? 


Let everyone buy whatever they want when they want--behavior akin to little children running wild in a candy store. 


So I guess that means...


  • Enterprise architecture planning...not important.
  • Sound IT governance...hogwash.
  • A good business case...na, money's no object.
  • Enterprise solutions...what for? 
  • Technical standards...a joke.
  • Interoperability...who cares? 
  • Security...ah, it just happens!

Well, Mims just got rid of decades of IT best practices, because he puts all his faith in the cloud.

It's not that there isn't a special place for cloud computing, BYOD, and end-user innovation, it's just that creating enterprise IT chaos and security cockiness will most assuredly backfire.


From my experience, a hybrid governance model works best--where the CIO provides for the IT infrastructure, enterprise solutions, and architecture and governance, while the business units identify their specific requirements on the front line and ensure these are met timely and flexibly.


The CIO can ensure a balance between disciplined IT decision-making and agility on day-to-day needs.


Yes, the heavens will not fall down when the business units and IT work together collaboratively. 


While it may be chic to do what you want when you want with IT, there will come a time, when people like Mims will be crying for the CIO to come save them from their freewheeling, silly little indiscretions. 


(Source Photo: Andy Blumenthal)


May 6, 2013

Learning IT Security By Consequences


This is a brilliant little video on IT Security. 

What I like about it is that it doesn't just tell you what not to do to stay safe, but rather it shows you the consequences of not doing the right things. 

Whether you are letting someone into your office, allowing them to borrow your badge, leaving your computer unsecured, posting your passwords, and more--this short animated video shows you how these vulnerabilities will be exploited.

It is also effective how they show "Larry" doing these security no-no's with signs everywhere saying don't do this. 

Finally, the video does a nice job summing up key points at the end to reinforce what you learned. 

I think that while this is simpler than many longer and more detailed security videos that I have seen, in a way it is more successful delivering the message in a practical, down-to-earth approach that anyone can quickly learn core basic practices from. 

Moreover, this video could be expanded to teach additional useful IT security tips, such as password strengthening, social engineering, and much more. 

I believe that even Larry, the unsuspecting office guy, can learn his lesson here. ;-)

(Note: This is not an endorsement of any product or service.)

October 12, 2012

Cloud $ Confusion

It seems like never before has a technology platform brought so much confusion as the Cloud.


No, I am not talking about the definition of cloud (which dogged many for quite some time), but the cost-savings or the elusiveness of them related to cloud computing.

On one hand, we have the Federal Cloud Computing Strategy, which estimated that 25% of the Federal IT Budget of $80 billion could move to the cloud and NextGov (Sept 2012) reported that the Federal CIO told a senate panel in May 2011 that with Cloud, the government would save a minimum of $5 billion annually.

Next we have bombastic estimates of cost savings from the likes of the MeriTalk Cloud Computing Exchange that estimates about $5.5 billion in savings so far annually (7% of the Federal IT budget) and that this could grow to $12 billion (or 15% of the IT budget) within 3 years, as quoted in an article in Forbes (April 2012) or as much as $16.6 billion annually as quoted in the NextGov article--more than triple the estimated savings that even OMB put out.

On the other hand, we have a raft of recent articles questioning the ability to get to these savings, federal managers and the private sector's belief in them, and even the ability to accurately calculate and report on them.

- Federal Computer Week (1 Feb 2012)--"Federal managers doubt cloud computing's cost-savings claims" and that "most respondents were also not sold on the promises of cloud computing as a long-term money saver."

- Federal Times (8 October 2012)--"Is the cloud overhyped? predicted savings hard to verify" and a table included shows projected cloud-saving goals of only about $16 million per year across 9 Federal agencies.

- CIO Magazine (15 March 2012)--"Despite Predictions to the Contrary, Exchange Holds Off Gmail in D.C." cites how with a pilot of 300 users, they found Gmail didn't even pass the "as good or better" test.

- ComputerWorld (7 September 2012)--"GM to hire 10,000 IT pros as it 'insources' work" so the majority of work is done by GM employees and enables the business.

Aside from the cost-savings and mission satisfaction with cloud services, there is still the issue of security, where according to the article in Forbes from this year, still "A majority of IT managers, 85%, say they are worried about the security implications of moving their operations to the cloud," with most applications being moved being things like collaboration and conferencing tools, email, and administrative applications--this is not primarily the high value mission-driven systems of the organization.

Evidently, there continues to be a huge disconnect between the hype and the reality of cloud computing.


One thing is for sure--it's time to stop making up cost-saving numbers to score points inside one's agency or outside.

One way to promote more accurate reporting is to require documentation substantiating the cost-savings by showing the before and after costs, and oh yeah including the migration costs too and all the planning that goes into it. 

Another more drastic way is to take the claimed savings back to the Treasury and the taxpayer.

Only with accurate reporting and transparency can we make good business decisions about what the real cost-benefits are of moving to the cloud and therefore, what actually should be moved there. 

While there is an intuitiveness that we will reduce costs and achieve efficiencies by using shared services, leveraging service providers with core IT expertise, and by paying for only what we use, we still need to know the accurate numbers and risks to gauge the true net benefits of cloud. 

It's either know what you are actually getting or just go with what sounds good and try to pull out a cookie--how would you proceed? 

(Source Photo: Andy Blumenthal)


June 5, 2012

SDLC On Target

I found this great white paper by PM Solutions (2003) called "Selecting a Software Development Life Cycle (SDLC) Methodology."

The paper describes and nicely diagrams out the various SDLC frameworks:

- Waterfall
- Incremental
- Iterative
- Spiral
- RAD
- Agile


It also provides a chart of the advantages and disadvantages of each framework. 

Finally, there is a simple decision cube (D3) based on time horizon, budget, and functionality for selecting an SDLC framework. 

This is a very useful and practical analysis for implementing SDLC, and it aligns closely with the guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, "Security Considerations in the Systems Development Life Cycle" Appendix E that states:

"The expected size and complexity of the system, the development schedule, and the anticipated length of a system's life may affect the choice of which SDLC model to use."

While NIST focuses on the time horizon and complexity versus the PM Solutions Decision Cube that uses time horizon, budget, and functionality, the notion of tailoring SDLC to the project is both consistent and valuable. 

Just one more resource that I found particularly good is the Department of Labor IT Project Management guidance (2002)--it is a best practice from the Federal CIO website.

I like how it integrates SDLC, IT Project Management, IT Capital Planning and Investment Control (CPIC), and security and privacy into a cohesive guide. 

It also establishes project "thresholds" to differentiate larger or more significant projects with greater impact from others and calls these out for "more intensive review."

Even though these resources are around a decade old, to me they are classic (in a good sense) and remain relevant and useful to developing systems that are on target.

(Source Photo: Andy Blumenthal)


November 27, 2011

Running IT as an Ecosystem

The New York Times (27 November 2011) has an interesting article under "bright ideas" called Turn on the Server. It's Cold Outside.

The idea in the age of cloud and distributed computing, where physical location of infrastructure is beside the point, is to place (racks of) servers in people's homes to warm them from the cold.

The idea is really pretty cool and quite intuitive: Rather than use expensive HVAC systems to cool the environment where servers heat up and are housed, instead we can use the heat-generating servers to warm cold houses and save money and resources on buying and running furnaces to heat them.

While some may criticize this idea on security implications--since the servers need to be secured--I think you can easily counter that such a strategy under the right security conditions (some of which are identified in the article--encrypting the data, alarming the racks, and so on) could actually add a level of security by distributing your infrastructure thereby making it less prone to physical disruption by natural disaster or physical attack.

In fact, the whole movement towards consolidation of data centers should be reevaluated based on such security implications. Would you rather have a primary and backup data center that can be taken out by a targeted missile or other attack for example, or more distributed data centers that can more easily recover? In fact, the move to cloud computing with data housed sort of everywhere and anywhere globally offers the possibility of just such protection and is in a sense the polar opposite of data center consolidation--two opposing tracks, currently being pursued simultaneously.

One major drawback to the idea of distributing servers and using them to heat homes--while offering cost-savings in terms of HVAC, it would be very expensive in terms of maintaining those servers at all the homes they reside in.

In general, while it's not practical to house government data servers in people's homes, we can learn to run our data centers in a more environmentally friendly way. For example, the article mentions that Europe is using centralized "district heating" whereby more centralized data center heat is distributed by insulated pipes to neighboring homes and businesses, rather than actually locating the servers in the homes.

Of course, if you can't heat your homes with data servers, there is another option that gets you away from having to cool down all those hot servers, and that is to locate them in places with cooler year-round temperatures and using the area's natural air temperature for climate control. So if you can't bring the servers to heat the homes, you can at least house them in cold climates to be cooled naturally. Either way, there is the potential to increase our green footprint and cost-savings.

Running information technology operations with a greater view toward environmental impact and seeing IT in terms of the larger ecosystem that it operates in, necessitates a careful balancing of the mission needs for IT, security, manageability, and recovery as well as potential benefits for greater energy independence, environmental sustainability, and cost savings, and is the type of innovative bigger picture thinking that we can benefit from to break the cycle of inertia and inefficiency that too often confronts us.

(Source Photo: here)


November 3, 2011

Cloud, Not A Slam Dunk


Interesting article in Nextgov about the deep skepticism of cloud computing by the Corporate IT Pros.

The vast majority of IT practitioners questioned did not "believe so-called infrastructure-as-a-service providers protect e-mail, documents and other business data."

So while many business people think that Cloud Computing is more or less safe, the IT community is not so sure.

Of 1,018 professionals surveyed (of which about 60% were from IT)--only 1/3 of the IT professionals thought the cloud was secure versus 50% of the business compliance supervisors.

Cloud is not a slam dunk and we need to evaluate every implementation very carefully.

(Source Photo: here)


October 20, 2011

Be Careful What You Point That At

By now many of you may or may not have pointed your smartphones at a QR ("Quick Response") code to get more information on products, places, events, and so forth.

A QR code is a barcode that generally contains alphanumeric information and takes you to a website when you read the QR code with your smartphone (i.e. by taking a picture of it with a QR reader app).

QR codes remind me of the barcodes in the store at the checkout line, but QR codes look more like a squared-off Rorschach test compared to the barcodes on items you purchase which are rectangular straight lines from top to bottom.

By reading the QR code, you don't have to remember or type any information into your smartphone--you're just zipped right off to wherever the QR points you (usually after you confirm on the screen that you are okay with going to the URL).

But QR codes, like any information technology, can be used for good or evil -- for some reason, though, people seem to have been unsuspecting of the sort of innocuous-looking QRs.

Kaspersky Lab has issued a warning on QR codes after finding consumers in Russia scammed when they thought they were downloading an Android app and were instead infected with malware that caused them to send SMS messages to a premium number that charged for each message sent.

So while QR codes can take a reader to a harmless website for information, like other computer code, they can contain instructions that cause you to send email, SMS messages, download applications, etc.

So unless you know what you are QR reading (i.e. you have a high-degree of confidence in whoever placed the advertisement with the QR code)--think twice before scanning that barcode, because you may get a surprise package in your smartphone that you weren't expecting causing infection of your device, loss of privacy to the information stored on it, or costing you money for things you never wanted or intended to spend on.

Scanning a QR code, while as simple as taking a picture of a sunset, may not have as beautiful consequences.

(Source Photo: here)


October 14, 2011

EMP Cybergeddon

Electromagnetic Pulses (EMPs) are the weapons of choice against electronics of all sorts, including cyber.

The Economist (15 October 2011) in an article called Frying Tonight describes how "warfare is changing as weapons that destroy electronics, not people, are deployed on the field of battle."

Here is a brief summary:

During the Cold War, the notion was to explode an atom bomb high in the atmosphere (i.e. a High-Altitude EMP or HEMP) "to burn out an enemy's electrical grid, telephone network, and possibly even the wiring of his motor vehicles."

Today, that principle is being applied in smaller weapons using microwaves--from powerful batteries or reactive chemicals that generate high-energy radio frequencies.

By zapping electronics, EMPs can take down enemy missiles, destroy command, control, and communications capability, and stop in their tracks everything from enemy tanks to planes and speed boats.

EMP weapons are already being deployed:

- Fighter planes are being developed with EMP capabilities using the active electronically scanned array (AESA) as defensive weapons against air-to-air and surface-to-air missiles, while other planes (like the "Growler") are being outfitted with offensive EMP capabilities.

- Ships too are being armed with EMP guns to defend against high-speed boat "swarms" or to defend against pirates.

- Land vehicles will be armed with EMP cannons such as the Radio-Frequency Vehicle Stopper that can stall enemy vehicles' engines or the Active Denial System used as a heat-ray to disperse crowds.

At the same time, defenses against EMPs are being deployed, such as Faraday cages--which are enclosures of conducting material often in a mesh pattern that protect electrical equipment from getting fried.

What is important to note though is that EMPs are not just battlefield weapons--they can take out our everyday electrical and cyber systems.

A Congressional Research Service (CRS) Report to Congress (21 July 2008) called High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments states "Several nations, including sponsors of terrorism, may currently have a capability to use EMP as a weapon for cyber warfare or cyber terrorism to disrupt communications and other parts of the U.S. critical infrastructure."

The EMP Commission reported that EMP "creates the possibility of long-term, catastrophic consequences for national security."

One of the major concerns is the "cascading effects" that a loss of electrical infrastructure would cause in terms of people being unable to obtain basic life necessities and thereby resulting in that "many people may ultimately die."

The report finds EMP weapons to be an "attractive asymmetric option" for our adversaries, and that analysts find that "it could possibly take years for the United States to recover fully from the resulting widespread damage."

Therefore, it is critical that we increase our cyber security capabilities not only in terms of fighting conventional malware attacks from within the cyber realm, but we must be thinking in earnest about energy weapons directed at us from without.

We must continue to harden our defenses, invest in new technologies and countermeasures to thwart the enemy, develop punishing offensive capabilities, as well as prepare for the possibility of a strike against our homeland.

Although called "human-safe" (and aside from the traditional weapons of mass destruction), EMPs may actually be one of the most devastating weapons of all to a society dependent on technology.

(Source Photo: here)


October 13, 2011

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).

This new extra layer of security--adding "something you have" to "something you know"--to your sign in credentials helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While a little extra work to login to Google--you have to type in a verification code that Google sends or calls to your phone (this is the something you have), it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your Smartphone, Google provides "Application-specific passwords" that you generate from the 2-Step Verification screen and then you enter those into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add "something you are," to the authentication process and make this even sleeker and more secure yet.

Stay safe out there! ;-)


September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - This is the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not supposed to.

Overall, this IT security infographic is interesting to me, because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the "defense-in-depth" visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do's and don'ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)


August 20, 2011

Cloud Second, Security First

Leadership is not about moving forward despite any and all costs, but about addressing issues head on.

Cloud computing holds tremendous promise for efficiency and cost-savings at a time when these issues are front and center of a national debate on our deficit of $14 trillion and growing.

Yet some prominent IT leaders have sought to downplay security concerns calling them "amplified...to preserve the status quo." (ComputerWorld, 8 August 2011)

Interestingly, this statement appeared in the press the same week that McAfee reported Operation Shady RAT--"the hacking of more than 70 corporations and government organizations," 49 of which were in the U.S., and included a dozen defense firms. (Washington Post, 2 August 2011)
The cyber spying took place over a period of 5 years and "led to a massive loss of information." (Fox News, 4 August 2011)

Moreover, this cyber security tragedy stands not alone, but atop a long list that recently includes prominent organizations in the IT community, such as Google that last year had its networks broken into and valuable source code stolen, and EMC's RSA division this year that had their SecurID computer tokens compromised.

Perhaps, we should pay greater heed to our leading cyber security expert who just this last March stated: "our adversaries in cyberspace are highly capable. Our defenses--across dot-mil and the defense industrial base (DIB) are not." (NSA Director and head of Cyber Command General Keith Alexander).

We need to press forward with cloud computing, but be ever careful about protecting our critical infrastructure along the way.

One of the great things about our nation is our ability to share viewpoints, discuss and debate them, and use all information to improve decision-making along the way. We should never close our eyes to the threats on the ground.

(Source Photo: here)


July 30, 2011

Sensors, Sensors Everywhere


Sensors will soon be everywhere--waiting, watching, and working to capture information about you and the environment we inhabit.

Every sensor is an opportunity to collect data and use that data for making better decisions.

Of course, we see sensors deployed first and foremost from our military overseas, in Iraq and Afghanistan, which uses drones to spy on and strike our adversaries. The drones are really flying platforms of sensors and in some cases with weapons at the ready. According to the New York Times (20 June 2011) "From blimps to bugs, an explosion in aerial drones is transforming the way America fights and thinks about its wars...the Pentagon now has some 7,000 aerial drones...[and] has asked for nearly $5 billion for drones for next year." These drones are providing "a Tsunami of data" from intelligence, surveillance, and reconnaissance. The change to drones is so significant in our military that the Times reports that "already the Air Force is training more remote pilots, 350 this year alone, than fighter and bomber pilots combined."

Similarly, the Wall Street Journal (5 July 2011) reports that another type of sensor--surveillance cameras--are being deployed big time in China with a new surveillance network in Chongqing of 500,000 cameras (Beijing already has 280,000 cameras in its system) "that officials say will prevent crime but that human-rights advocates warn could target political dissent." While this project is significantly larger and more aggressive than other cities have deployed, China is certainly not alone in deploying surveillance cameras in their cities--Chicago has 10,000, New York has 8,000, and London has over 10,000. According to the WSJ, the overall market last year for surveillance-equipment sales, not including networking gear or software, totaled $1.7 billion! So smile, you are on camera--and it's candid, indeed.

A third article ran in Government Computer News (July 2011) on a more innocuous type of sensors to be used--this being the mass deployment of mobile sensors for the National Weather Service (NWS) on vehicle fleets such as Greyhound buses etc. Beginning in October, "2,000 commercial vehicles will be equipped with sensors...and will be sending data to NWS in near real time. We will be rolling out coverage on the national level." The mobile sensors will be taking 100,000 observations daily--every 10 seconds, about every 300 meters--measuring temperature, humidity, dew, precipitation, and solar information." In the future, we are looking at the potential of "a sensing probe in every car"--for collecting information on hazardous roads, traffic patterns, and preventing accidents. Other applications for mobile sensors could be for "monitoring chemical and biological agents," nuclear and radiological ones, or CO2 and Ozone and more.

While sensors can collect data that can be used to analyze situations early and often to help people, they can certainly also be misused to spy on one's citizens and suppress freedom. It can be a slippery slope. Perhaps that's why Wired Magazine recently asked (July 2011) who's "Watching the Watchers," making the distinction between:

1) Surveillance--the monitoring of events by those above, the authorities--with CCTV etc. and monitoring events from control rooms, potentially from anywhere around the world.
2) Sousveillance--the monitoring of events by those below, the citizens--with everyday smartphones, cameras, and videocams and posting the digital images and sound bites to YouTube, Facebook, Twitter, and so on for the world to see.

With IPv6 providing enough Internet addresses for attaching sensors to every atom on the surface of the earth and sensors becoming smaller and more imperceptible, we can soon monitor and report on everything, everywhere, all the time. Some of the biggest challenges remain ensuring that the information monitored is kept secure and private and is used legally and ethically, and sifting through all the data to separate the truly meaningful information from what's just noise.


July 23, 2011

Getting To Swift Cyber Justice

The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:

  • "DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service..., and the destructive action--including corruption, manipulation, or direct activity that threatens to destroy or degrade network or connected systems."
  • "Cyber threats to U.S. national security go well beyond military targets and affect all aspects of society. Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure."
  • "Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies."

The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more.

As the Wall Street Journal pointed out on 15 July 2011: "The plan as described fails to engage on the hard issues, such as offense and attribution." If we can't even identify who's attacking us, and fight back with precision, then we're flailing.

Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors?

The concept of operations is straightforward: Any computer device that is used to attack us would immediately be blocked and countered with equivalent or greater force and taken out of play.

This would mean that we are able to get past cyber-bot armies to the root computers that are initiating and controlling them, and deal with them decisively. This would hold regardless of the source of the attack--individual or nation-state.

The DoD plan acknowledges our own unpreparedness: "Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity."

As in the Cold War, there must be no doubt with Cyber Warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision.

Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors.

We can only have peace in cyberspace when we have the strength to stand up and defend it.

Now we must move with cyber speed to build this capability and stand ready to execute our defenses.

Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: "The single biggest existential threat that's out there is cyber...It's a space that has no boundaries. It has no rules."

We must become even better--much better!


June 19, 2011

Crashing The Internet--Are We Prepared?


Almost week after week, I read and hear about the dangers of cyber attacks and whether "the big one" is coming.

The big one is what some experts have called a pending "digital Pearl Harbor."

Just last week, the Federal Times (13 June 2011) wrote that the "U.S. government computer networks are attacked about 1.8 billion times per month."


The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require "stronger and more proactive leadership."

Charles Dodd, a cyber security consultant in D.C., warns that "You've brought a stick to a gunfight, and you're arrogant about your capabilities."

So the question is--are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure--from government, military, and private industry--dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating, as documented most recently in The Lipman Report (October 2010) on "Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime" as follows:

--"There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives."

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has "demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet."

And it took only 20 minutes to trigger the chain reaction in which "manipulated routers overloaded all other Internet routers worldwide...mak[ing] it impossible for Internet addresses to be found."

Granted, it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts...that does not seem like an inordinate number to muster for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day...would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks this brings to the individual, the organization, and the nation, and how we can respond and recover should something happen to the Internet.

In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.

This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won't be sorry later.

(All opinions are my own)

(Source Photo: Heritage and History.com)


January 22, 2011

When My Friend Got Hacked

True story.

So an old friend of mine had his account hacked on Facebook.

And the hacker is sending chat messages to my friend’s Facebook contacts—like me—pretending to be him—with his picture and name and all his online information.

He says that he is stuck in London, just got mugged—at gunpoint—losing his money and phone and needs my help.

At first, I’m thinking oh crap; my friend is in trouble and needs me. Then, I’m like wait a second, he’s pulling my leg. So I ask “are you joking?”

The hacker—pretending to be my friend—continues how it was such a terrible experience, but thank G-d they are still alive.

I’m on the other end of this chat—and questioning now if this person is really who they say they are—despite the REAL picture and profile.

I ask who are you with?

The hacker replies with the name of my friend’s wife. Her real name!

And the hacker continues with the mugging story and how they are leaving in a few hours for their return flight to the States, but need help.

Ok, I am happy to help my friends, but I want to know this is really my friend. Behind the scenes, I am contacting other mutual friends, family and so on to verify this story and resolve this.

On the chat, I ask—can you tell me something that only the two of us would know?

The hacker starts flipping out and gives me "?!?!?!...."

I repeat my question and ask if the hacker understands.

The hacker responds that they do.

And then ignoring my questioning, proceeds with the storyline asking me to wire money and that it will be okay, because they will need identification to retrieve the wire.

Now I ignore the hacker’s request and go back to my question about who this person on the other end of the chat really is?

No response.

"U there?"

Hacker is offline...for now.

