Cyber Risk No. 3: Direct Loss From Malicious Acts

Photo: outside the fence at Menwith Hill Spy Base, taken on the ‘Foil the Base’ demonstration in March 2003. Founded in the 1950s as RAF Menwith Hill, the base has been operated since 1966 by the United States’ National Security Agency (NSA) and has grown to become the world’s largest intelligence-gathering ground station outside the US. (Photo credit: Wikipedia)
In previous posts we covered how loss or theft of confidential information and loss of reputation can affect the cyber security of a 21st Century business. Today we turn our attention to direct loss from malicious acts: hackers and malware.
So many businesses are open to this risk because they don’t know how to protect themselves, leaving them vulnerable to malware threats that can quickly cause advertisers, partners, and customers to abandon ship.
Perhaps scariest of all is that no business is immune.
Take the recent case of Tor, the anonymity network and browser bundle designed to let businesses and privacy-conscious users browse the Internet without being tracked. Tor had given many people peace of mind until a recent malware attack, which many at the time attributed to the National Security Agency (NSA), toppled user confidence.
TechWeek Europe reported researchers’ claims that the malware responsible for bringing down Freedom Hosting, the biggest hosting provider on the anonymous Tor network, was hard-coded to send identifying information about each infected machine to an IP address the researchers linked to the NSA. Worth noting for defenders: the attack did not break the Tor protocol; it exploited a vulnerability in the Firefox-based Tor Browser Bundle, so users who had not updated their bundle were the ones exposed. In one fell swoop, the product became forever in question.
According to Verizon’s 2012 Data Breach Investigations Report (which covers incidents from 2011), 69% of data breaches involved malware. 174 million data records were lost in 855 separate incidents. The rate of infection grows each year: McAfee, in its State of Malware 2013 report, said it catalogued 100,000 new malware samples each day.
So what does data-theft malware really cost us? Globally, the cost of a data breach averaged $136 per compromised record, up from $130 the previous year (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec). Taking 69% of the 174 million records as a rough proxy for malware-related losses gives about 120 million records, or over $16 billion. Treat that as a back-of-the-envelope figure: the 69% is a share of incidents rather than of records, and Ponemon’s per-record average deliberately excludes the very largest breaches.
Here are two things to consider as you attempt to bring security to your business. 

  1. There are many types of malware that can threaten your system’s security, and they’re constantly evolving. You must invest your cyber security dollars with a company that is constantly aware of the changing landscape. Defence Intelligence’s Nemesis 2.0 uses advanced network behaviour analysis in conjunction with real-time intelligence to prevent and detect system compromise on your network.
  2. Attacks are inevitable.  Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.  The news is full of stories of large and small companies that are compromised. Don’t be one of them.

Cyber Risk No. 2: Loss of Reputation

Reputation is a business’s most valuable asset. It is what keeps the customers we have and wins us new opportunities in the marketplace. Any negative event can damage that reputation, putting a business temporarily on the sidelines or even ejecting it from the game.
Since whistleblower Edward Snowden revealed that the NSA had overstepped boundaries in collecting metadata on millions of Americans, companies like Microsoft, Google and Facebook have been questioned about their involvement. According to The Guardian (June 2013), the “world’s largest Internet brands claimed to be part of the information-sharing program since its introduction in 2007.” This includes Skype, YouTube, AOL and Apple. It leaves us to question how this information is being used, whether for government surveillance or as part of their business model; either way, the exposure of this secret, the suggested misuse of data and the betrayal of trust may damage public opinion of these giants.
These mega companies, however, can recover from suspicion and character damage. Their brands are household names, and the luxury of being a giant is that you are hard to topple. But what about smaller companies and their ability to recover from a data breach? Most companies collect information on their customers for no other purpose than to run their business and develop products and services. What happens when that private information becomes public as a result of a malicious attack, whether by a former employee or by malicious software under an attacker’s control?
InformationWeek, commenting on the Ponemon Institute’s Cost of a Data Breach study, stated: “Customers, it seems, lose faith in organizations that can’t keep data safe, and take their business elsewhere.” Negative press and public mistrust are the natural consequences of lost data, exposure to data misuse, or poor data security. These consequences are far more damaging to the little guy. One in five small businesses falls victim to cybercrime each year, and 60 percent of those go out of business within six months of the attack (National Cyber Security Alliance).
That’s why protecting your business from cyber risks — especially those placing your customers in jeopardy — will be one of the most important business moves you make.  


CSPF Announces Second Annual Women In Security Lecture Series

The Canadian Security Partners’ Forum (CSPF) is preparing its second Women in Security Lecture Series, to be held February 7, 2013. Building on the momentum of last year’s sold-out event, CSPF will host the event at the Hampton Inn, Ottawa, ON. With tickets on sale for just a week and nearly 150 already sold, it looks like they will have another sell-out on their hands.
The main premise of CSPF is to build strong networks, and the Lecture Series is no different. CSPF has partnered with firmly established and recognized associations including Canadian Women in Technology (CanWIT), ASIS Women in Security Council, Women in Security Ontario (WiSO), and Key Women in Security (KeyWIS).
The Lecture Series is dedicated to women in security mainly as a tribute to the associations that are part of the Series, but the event is open to both women and men. Last year 45% of attendees were men.

The CSPF has been mapping the needs of the cybersecurity and security communities to build out a comprehensive agenda for the Lecture Series. Key topics being covered at the event include:
  • Cybersecurity
  • Security Risk Management
  • CSO/CISO Training & Education
  • Security & Academia
  • The relationship between security & intelligence
  • Security as a driver of shareholder value
  • The relationship between national security & corporate security

The panel was specifically selected to represent depth of knowledge as well as breadth of experience. Its members will bring their extensive knowledge and compelling experience (National Security Council, US Department of Energy, Central Intelligence Agency) to make the discussions both informative and practical.

The list of elite presenters includes:
LISA GORDON-HAGERTY, MPH
    – Founder, CEO, LEG Inc.
    – Named to Fortune Magazine’s Most Powerful Women in 2004, 2005 & 2006
    – Served on the White House National Security Council (NSC) as Director for Combating Terrorism
    – Former Director, Office of Emergency Response, US Department of Energy
    – Former Acting Director, Office of Weapons Surety, responsible for the safety and security of the American nuclear weapons program
DJENANA CAMPARA
    – President and CEO of KDM Analytics
    – Author of System Assurance: Beyond Detecting Vulnerabilities (2011)
    – 25+ years of experience and leadership in software and security engineering
    – Board Member for the Object Management Group (OMG), an international standards body
    – Co-Chair, OMG Architecture-Driven Modernization Task Force and System Assurance Task Force
    – Member of the SAS Technical Advisory Panel of the National Institute of Standards and Technology (NIST)
For more information and to register visit: http://cspfwomeninsecurity2013.eventbrite.ca/


CounterMeasure|2012

We proudly sponsored CounterMeasure|2012 this year and found it lived up to all our expectations.

The quality of the event was impressive, especially for its first year, and it drew attendees, presenters and vendors from across Canada and the U.S. It was of course great to meet up with colleagues and old friends, but having a conference like this in Canada’s capital is not just important. It’s necessary.

Public Safety Minister Vic Toews says Canada is going to take cyber security seriously, with budget additions and action plans, but there is more to it than that: alliances and cooperation have to take place outside governments as well. That’s where conferences like CounterMeasure come in, uniting the right minds in security to bring about wide-scale change. Sometimes this starts with the basics.

Some of the CounterMeasure presentations we attended and discussions we took part in focused on the need for organizations to get the fundamentals right, such as intrusion detection (IDS) and network segmentation. Other conversations and talks were about the need for collaboration, or the scope of the war waged between security professionals on both sides of the game. Some talks drilled down into the details of malware analysis, and all of it was well received by the attending community.

There were a good number of people to connect with over the two days. Good number as in you weren’t lost in a sea of people but instead had the opportunity to meet everyone there. There was the time and space to have a meaningful conversation and talk about new theories and analysis as well as the current events making the news.
CounterMeasure put a good face on this call for change in security by addressing current needs and drawing a broad cross-section of security-focused executives, managers and technical engineers to join in and expand the conversation.
We look forward to sponsoring, participating and meeting with you at CounterMeasure|2013.


Cyber Security Made Easy – Part 4

The topic of creating great passwords has been visited many times by many people, yet it remains relevant and important because common passwords are still too common. As educators often feel the pain of knowledge falling on deaf ears, we beat this horse once again in hopes that one or two new pupils may take heed.
Make better passwords!
When creating your passwords, one tip is to make sure none of them ranks among the world’s most popular passwords, such as “Jesus,” “Ninja” and “Qwerty.” You can also visit our previous blog that covers the basics of making passwords more effective. Let’s say that your email password is “whiskers”, the name of your no doubt lovable cat. You can easily keep the familiarity of the password while increasing its effectiveness.

Old password: whiskers
New password: I have loved Whiskers since 2004!

Easy to remember, and vastly more secure than the original password, mostly because of its length. If you can’t use spaces, simply remove them.

Whenever possible, use words and terms which can’t be found in a dictionary. This sounds harder than it is. You can use altered spelling, nicknames, and clues instead of the actual term. Bear in mind that the common substitutions (3 for e, 1 for i, ! for i) are the first rules a password-cracking tool applies to its wordlist, so they buy less than adding length does.
Old password: I love icecream
New password: !love1c3cr3am
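As an added illustration (this is example code, not part of the original post), here is a small Python checker that applies the advice above to the example passwords: is the password on a common-password list, is it nothing but dictionary words once the usual letter-for-symbol substitutions are undone (the first thing a cracking tool’s rule set does), and how much does its length and character mix buy. The common-password list, the wordlist and the substitution map are constructed for the example; a real checker would load published breach lists and a full dictionary. Because the checker undoes substitutions, it does not rate “!love1c3cr3am” above “I love icecream”; the long Whiskers sentence is what scores well.

```python
import math
import string

# Constructed, illustrative set of widely used passwords. A real checker would load a
# published breach list; these entries are not taken from any particular leak.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "jesus", "ninja", "whiskers",
                    "iloveyou", "letmein", "welcome", "monkey"}

# Constructed mini wordlist for the segmentation check; use a full dictionary in practice.
WORDLIST = {"i", "love", "ice", "cream", "icecream", "whiskers", "have", "loved",
            "since", "my", "cat"}

# Letter-for-symbol substitutions that cracking rule sets undo. Assumed mapping.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "!": "i", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, undo leet substitutions and drop spaces, as a cracker's rules would."""
    return password.lower().translate(LEET).replace(" ", "")


def is_wordlist_only(text):
    """True if the whole string can be split into WORDLIST entries (dynamic programming)."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in WORDLIST:
                reachable[end] = True
                break
    return reachable[len(text)]


def charset_bits(password):
    """Entropy if every character were drawn uniformly from the classes present.
    This is an optimistic upper bound; human-chosen passwords have far less."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1
    return len(password) * math.log2(size) if size else 0.0


def assess(password):
    """Return the findings and a verdict: weak, marginal, ok or strong."""
    normalized = normalize(password)
    findings = []
    if password.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if is_wordlist_only(normalized):
        findings.append("dictionary words only once substitutions are undone")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    bits = charset_bits(password)
    if "on the common-password list" in findings:
        verdict = "weak"
    elif findings:
        verdict = "marginal"
    elif bits >= 80:
        verdict = "strong"
    else:
        verdict = "ok"
    return {"charset_bits": round(bits, 1), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("whiskers", "I have loved Whiskers since 2004!",
               "I love icecream", "!love1c3cr3am"):
        print(repr(pw), assess(pw))
```

The segmentation step is the part worth copying into a real password policy: a password that decomposes entirely into wordlist entries after normalization is exactly what a dictionary attack with rules will reach, however many symbols it contains.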
You can also visit trusted opinion leaders such as the Canadian site Get Cyber Safe, which highlights:
  • Don’t stay logged into a site; log in each time you visit
  • Clear your browsing history or cache after online banking and shopping
  • Avoid using a single dictionary word

Or the American site Stop.Think.Connect., which includes:
  • Keep a separate password for each account
  • Make passwords long and strong, including capitals, lowercase, numbers and symbols
  • Limit how and who has access to what you post by using the privacy settings on websites, set to your level of comfort

Our next blog will cover a list of resources. 


Hidden security costs: Should Huawei and ZTE be singled out?

Photo: the R&D building of Huawei Technology in Shenzhen, China. (Photo credit: Wikipedia)

We all like the price of Chinese goods, but now it seems there might be a hidden cost.

After a year-long study the U.S. House Select Committee on Intelligence has warned Americans not to do business with Huawei or state-owned ZTE. When asked by CBS 60 Minutes whether he would do business with Huawei, Mike Rogers replied: “If I were an American today, and I tell this to you as the Chairman of the House Permanent Select Committee on Intelligence, and you were looking at Huawei I would find another vendor. If you care about your intellectual property, if you care about your consumer’s privacy and you care about the national security of the United States of America.”

Huawei’s security issues were also in the news as recently as this past July at DEFCON 2012. Computerworld covers the discussion and lists the main concerns: there was no specific contact for reporting security issues, no security advisories, and no updates on bugs found and fixed. The researchers couldn’t comment on any issues with the “big boxes” like the Huawei NE series routers because they couldn’t obtain them. The article ended with a hope that Huawei would follow the lead of American companies like Microsoft, Cisco and Apple, which had listened to customer demand and improved their security.

These are significant concerns that need to be taken seriously, especially when it comes to infrastructure. We can’t prevent cyber-espionage, but are we handing over the keys to the vault by bringing this equipment into our data centres? There shouldn’t be any question of trust or security.

With these concerns in mind, the Canadian government is building out and replacing data systems that were “contaminated beyond repair” by massive Chinese cyber-attacks in 2010. Among the companies being considered for this multi-billion dollar project is Huawei.

Even if the equipment has no malware or vulnerabilities built into it now, it can acquire them later through updates and patches, which is why a vendor’s update channel deserves as much scrutiny as the hardware it ships. And whatever role the Chinese government plays in either company today, that role may grow in the future.

We all like the price of Chinese goods. What we might not like is the potential security cost.

What do you think? Should Huawei and ZTE be singled out? Should the government source only domestic equipment? Has the committee crossed the line by going public with this? Is this a case of the government meddling in corporate affairs, or do the issues reported at DEFCON and by the committee provide enough justification?


Canadian Security Partners’ Forum – Effective Resource for Security Executives

Canadian security executives have long needed a proper support system and forum for the security landscape in Canada. The Canadian Security Partners’ Forum (CSPF) is answering that need. The Forum is a unique network that in just one year has grown to include over 80 organizations, spanning most functions across most industry sectors.
The Forum’s success can be traced back to its founder, Grant Lecky, who has a diverse background in security and risk management and a strong focus on business continuity planning, emergency planning and organizational resilience. Lecky was recently acknowledged by Security Magazine, which named him one of ‘The Most Influential People in Security 2012’.
Security executives, educators and thought leaders have all embraced the Forum’s concepts and goals, helping to overcome the isolation of silos that so often gets in the way of other organizations.
Bonnie Butlin, Executive Director for CSPF, has observed that “you usually don’t see such swift growth in helpful agile networks. It’s more often observed in threat networks.”
One of the many ways the CSPF works with the security community is as a catalyst and facilitator, inspiring conversations followed by action to build new networks that fill recognized voids. As the Forum’s Executive Director, Butlin tracks trends in the news as well as in forum discussions to identify gaps in the community, and then brings them forward to be addressed by the Forum participants. By proactively engaging in discussions on observed trends, the Forum and its participants can respond to topics of concern as they arise, not just after the fact.
In the upcoming October issue of Vanguard, CSPF will be featured in an article outlining just how effective the organization has become in addressing the foundational needs of joint force development. The article is based on the Joint Staff’s study “Decade of War, Volume I: Enduring Lessons from the Past Decade of Operations”, which highlights 11 strategic themes for enabling responsiveness, versatility and affordability in collaborative, mission-focused groups. Originally a post-Iraq evaluation, the themes are here applied to the security community and the CSPF.
Defence Intelligence is proud to support the CSPF and the security community at large in proactively combating threats to Canadian and North American networks.
