Recommended Reading: Cybersecurity — Crime, Warfare, or Scaremongering?
Cyberattacks, with nefarious conspiracies and faceless enemies, have long been the fodder of Hollywood scriptwriters — think back to WarGames (1983) and Tron (1982), both classics. But a flood of recent headlines about cyberwarfare, and a report by Mandiant, a computer security firm, linking attacks to a Chinese military unit, show there is often a fine line between fact and fiction.
Last week, a deputy social media editor at Thomson Reuters was charged in a federal indictment for allegedly conspiring with members of the hacker group Anonymous to hack into the Los Angeles Times.
Meanwhile, cyberthreats featured prominently in President Obama’s congratulatory call to the new Chinese president, Xi Jinping, and James R. Clapper, Jr., director of National Intelligence, and Keith Alexander, head of the National Security Agency and US Cyber Command (both part of the Defense Department), were on Capitol Hill talking about cyberattacks. Alexander noted that cyberattacks on private companies, particularly banks, are on the rise, and in fact, that same week JPMorgan Chase was hit by a distributed-denial-of-service (DDoS) attack. Since September, a new wave of DDoS attacks has crippled the websites of major financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, and HSBC.
General Alexander told Congress he is establishing 13 teams of programmers and computer experts who can carry out offensive cyberattacks on foreign nations if the United States is hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime. His testimony came on the same day that Clapper said the prospect of a cyberattack is the number one threat facing the United States. (For an example of how a cyberattack can temporarily cripple a nation, look at what happened to Estonia in 2007, when cyberattacks targeted the websites of banks, media outlets, government ministries, and even the parliament.)
At CFA Institute’s recent Global Investment Risk Symposium, John E. Mroz, president and chief executive of EastWest Institute, presented on “Cybersecurity: Crime Prevention or Warfare?” and warned delegates about the scale of the problem.
Here is some recommended reading, followed by answers (from EastWest Institute) to two important questions: How do I know if my computer is infected by a botnet? And, what practical steps can companies take to improve self-awareness?
What to Make of the Cybersecurity Debate
- Is All the Talk About Cyberwarfare Just Hype? (NPR)
- Cyber Attacks Are America’s Top Security Threat. That’s Better News Than It Sounds. (Popular Science)
- Audio: Why “Cyber Pearl Harbor” Won’t Be Like Pearl Harbor At All . . . (Foreign Policy Research Institute)
- Infographic: Hack-Attack: A Timeline of Cyber-Attacks from China (The Economist)
- The US-China Cyber Standoff (EastWest Institute)
What’s Going on Behind the Scenes of a Cyberattack?
- Most PC Security Problems Come from Unpatched Third-Party Windows Apps (Ars Technica)
- Watch a Chinese Hacker Launch an Invasion in Real Time (Lifehacker)
- National Vulnerability Database Taken Down by Vulnerability-Exploiting Hack (Ars Technica)
- New Microsoft Patch Purges USB Bug That Allowed Complete System Hijack (Ars Technica)
- Anonymous Hacks Westboro Baptist Church Website LIVE (YouTube)
How to Stay Up to Date?
- Former Washington Post staffer Brian Krebs writes about cybercrime and other internet security topics at Krebs on Security. The site recently won an award for “Most Educational Security Blog” at the RSA Security Blogger Meetup (if you scroll through the list of nominees and winners, you’ll find additional resources). And if you’re wondering about his bona fides, Krebs was recently the victim of what is known as “SWATing,” apparently a favorite tactic of depraved hackers, who use computers or special phone equipment to make emergency calls that appear to come from their target’s phone number. When a 911 operator answers, they report a life-threatening, sometimes horrific crime in progress. (Ars Technica)
How do I know if my computer is infected by a botnet?
The answer, courtesy of the Information Technologies Department at EastWest Institute:
In short, you don’t. Botnets are designed to be invisible, and can’t be found on your computer until security experts are well aware of them and have updated their antivirus software to find them. This means that you could be hosting a botnet for weeks, months, or even years without knowing.
The best solution is prevention. Be aware of your surroundings. Don’t use a Wi-Fi access point that you don’t know for sure isn’t provided by the guy sitting in the corner. Don’t click on links or open attachments that you aren’t expecting. Don’t insert thumb drives you found into your computer. In short, be paranoid. Keeping your antivirus software updated is necessary, but it’s only a tiny, tiny part of security.
From the very, very technical side of things, a computer security expert can monitor data traffic sent out by your computer, but botnet creators do their best to make their traffic look like normal traffic. The only way to really find out if you have an infection is to monitor your network for changes in traffic sent. When those changes occur, you then have to analyze that to make sure it wasn’t due to a system or software update. If you still can’t explain that traffic, then you’ll need to monitor it, trace it to where it goes, and involve the real experts (the FBI has a dedicated group for this). Considering the sheer amount of traffic that happens in the background, often there’s just no way for anyone without the resources of the FBI, NSA, or a Fortune 500 company to find out if they’re infected. At least until that particular infection becomes public knowledge and the experts build tools or update antivirus software to find it and notify you. (Source: How Do I Know If My Computer is Being Used for a Botnet-Based DDoS Attack?)
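The answer above describes the detection approach in words: establish what a machine normally sends, watch for a change, then rule out legitimate explanations such as a system or software update before escalating. The script below is an added illustration of that workflow; it is not code from EastWest Institute or from the original post. Host names, daily outbound byte totals and the patch-rollout record are all constructed sample data, and the baseline rule (median plus a multiple of the median absolute deviation over a seven-day training window) is one reasonable choice among many, assumed here for illustration.

```python
"""Baseline-and-deviation check on per-host outbound traffic volume.

Added example: watch each host's outbound volume against its own history,
flag days that leave the baseline, and annotate each flag with any known
update window so unexplained rises can be triaged first.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: (host, ISO day, total outbound bytes that day).
SAMPLE_FLOWS = [
    ("ws-01", "2013-03-01", 41_000_000),
    ("ws-01", "2013-03-02", 39_500_000),
    ("ws-01", "2013-03-03", 42_200_000),
    ("ws-01", "2013-03-04", 38_900_000),
    ("ws-01", "2013-03-05", 40_700_000),
    ("ws-01", "2013-03-06", 43_100_000),
    ("ws-01", "2013-03-07", 40_300_000),
    ("ws-01", "2013-03-08", 410_000_000),  # known patch rollout day
    ("ws-01", "2013-03-09", 290_000_000),  # sustained rise, no change record
    ("ws-01", "2013-03-10", 305_000_000),
    ("ws-02", "2013-03-01", 20_100_000),
    ("ws-02", "2013-03-02", 19_800_000),
    ("ws-02", "2013-03-03", 20_400_000),
    ("ws-02", "2013-03-04", 21_000_000),
    ("ws-02", "2013-03-05", 19_600_000),
    ("ws-02", "2013-03-06", 20_900_000),
    ("ws-02", "2013-03-07", 20_200_000),
    ("ws-02", "2013-03-08", 20_700_000),
    ("ws-02", "2013-03-09", 21_300_000),
    ("ws-02", "2013-03-10", 19_900_000),
]

# Constructed change records: (host or "*" for fleet-wide, day) -> reason.
UPDATE_WINDOWS = {
    ("*", "2013-03-08"): "monthly OS patch rollout",
}


def daily_series(flows):
    """Group (host, day, bytes) records into per-host, day-ordered lists."""
    series = defaultdict(list)
    for host, day, nbytes in flows:
        series[host].append((day, nbytes))
    for host in series:
        series[host].sort()
    return series


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of the training values."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def explain(host, day, windows):
    """Return the recorded update reason covering this host/day, if any."""
    return windows.get((host, day)) or windows.get(("*", day))


def find_outbound_deviations(flows, training_days=7, factor=3.0,
                             windows=UPDATE_WINDOWS):
    """Flag days whose outbound volume leaves the host's own baseline.

    A day is flagged when its total exceeds both median + factor * MAD and
    factor * median of the training window; the second term keeps a host
    with nearly identical training days (MAD close to zero) from alerting
    on ordinary noise.  Each flag carries the update-window reason, or
    None when nothing on record explains the change.
    """
    findings = []
    for host, days in daily_series(flows).items():
        training = [b for _, b in days[:training_days]]
        if len(training) < training_days:
            continue  # not enough history to judge this host yet
        med, mad = robust_baseline(training)
        threshold = max(med + factor * mad, factor * med)
        for day, nbytes in days[training_days:]:
            if nbytes > threshold:
                findings.append({
                    "host": host, "day": day, "bytes": nbytes,
                    "baseline": med, "ratio": round(nbytes / med, 1),
                    "explained_by": explain(host, day, windows),
                })
    return findings


def unexplained(findings):
    """Keep only deviations that no change record accounts for."""
    return [f for f in findings if f["explained_by"] is None]


if __name__ == "__main__":
    for f in find_outbound_deviations(SAMPLE_FLOWS):
        status = f["explained_by"] or "UNEXPLAINED - investigate"
        print(f"{f['host']} {f['day']}: {f['bytes']:,} bytes, "
              f"{f['ratio']}x baseline ({status})")
```

On the constructed data, ws-01 is flagged on all three days after the training window, but 8 March is attributed to the recorded patch rollout and drops out of the unexplained list, leaving the 9 and 10 March rise as the item to trace further; ws-02 never leaves its baseline. The per-host baseline matters: a fixed fleet-wide threshold would either miss a small workstation's tenfold jump or drown in alerts from a busy server.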
What practical steps can companies take to improve self-awareness?
The answer is courtesy of Ingo Dean, Information Technologies Department, EastWest Institute:
Any organization should take a holistic approach to computer security. Don’t think of your computers as islands, but rather as pieces of an entire ecosystem encompassing computers, networks, services, and most importantly, people.
The weakest link in computer security is always the human being. Human beings designed and built the hardware, designed and built the operating system, designed and built the applications, designed and built the network protocols, and human beings use the computers. Human beings are fallible — nothing is perfect, everything has some flaw that can be exploited.
An organization’s computer security program should provide awareness training in understandable bite-size chunks. In the past I’ve sent out “IT QuickTip” messages, held brown-bag Q&A sessions, contracted outside training, contracted web-based training, updated blogs, intranets, and wikis. The key is that most people are simply far too busy doing the job they’re paid to do to want to spend any time on computer security, so you have to just keep plugging away at what seems to be a hopeless task. The users think security is IT’s job, but IT’s real job is to convince the organization management and users that security is everyone’s job. A little carrot, a little stick, a little humor, all used in moderation.
Computer security awareness includes strong passwords, not reusing passwords, knowing where you can securely enter your password, never sharing your password with others, verifying that links go where they say they go, knowing what’s safe to open, knowing when to ask your local expert, having an expert. That’s just a tiny subset.
Security awareness training should not stop at the computer. For instance, during my last training session I explained how most hotel-room card key systems can be defeated in less than 30 seconds with a tool you can build yourself for less than $25. (See: “Dry Erase Marker Opens All Hotel Room Doors.”)
Perhaps the most important thing is to hire or contract and then support an IT staff that truly understands and cares enough to not only protect your computers and network with the tools of their trade, but also takes the impossible effort to try to educate the population.
In the end, the solution to the fallibility of human-built systems is also another human.
Please note that the content of this site should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute.
Lauren, as a CTO in a knowledge-based organization, this is a topic close to my heart. For an organization to thwart 90% of the attacks that are made on its knowledge resources is the easier part of this task. What worries me is the 10% of attacks which require more and more resources to prevent.
As organizations grow in scale, their infrastructure however does not keep pace. Often the CFO and the CTO are at loggerheads … why spend that additional million on network equipment/security consultants when that could show up as pure profit?
I doubt whether analysts even stop to consider information security within an organization as a parameter to evaluate the company’s health … even though infosec is an obvious health metric. Can something be done about this?