SlideShare a Scribd company logo

NCSO

Download as DOC, PDF
A
Avraham Lerner

The document discusses the need for a National Cyber Security Standard (NCSS) in the United States. It summarizes four major cyber attacks since 2013 on Target, Sony, and Anthem to illustrate the growing threat of cyber attacks and data breaches. These attacks showed vulnerabilities in security practices that could be addressed by an NCSS established by a National Cyber Security Organization. The attacks stole personal and financial data of millions of customers and demonstrated lax security standards and protocols.

1 of 15
Avraham Lerner Professor Kurt Rohloff Project Paper The Need for a NCSS (National Cyber Security Standard) As we move further and further into the 21st century, everyone in the country and throughout the world is becoming more and more dependant on the Internet. From baby boomers to millennials and beyond, more of our daily lives are occurring through the Internet, whether it is shopping, banking, or even checking on our medical care. Unfortunately, our growing reliance on the Internet is also causing a rise in cyber attacks and data breaches on all types of companies, with the intent to steal data. Data on it’s own has very little value, but when gained and traded for other information it can become quite valuable and earn a fortune for the new age of hackers and thieves. It is for this reason that any sort of data breach can be at best worrying and at worst a terrible loss of money, security and trust. Recent attacks have put many sectors on edge, and it’s possible that these attacks can be deterred if not lessened in impact. Perhaps it’s not a bad idea to establish a NCSS by an NCSO1 designed to preemptively look at prior attack patterns to predict future movements, and establish a standard for companies choosing to join, to implement and follow. I will be looking at 4 recent attacks since 2013 to explain the reasoning behind the proposal.2 Then I will show what standards are needed for the 1 I will be using these terms to describe what the proposed organization will be. The names are proposals and not official. NCSS stands for National Cyber Security Standard and NCSO stands for National Cyber Security Organization. 2 I wanted to use the 2011 Sony Network Intrusion and the 2007 TJ Maxx hack, but the cause still isn’t clear for the Sony attack, only hypothesized and Sony is withholding
NCSO, what the organization will and will not do, and answer any concerns people may have about the potential security group. In 2013, many people hadn’t seen much in terms of a large wide scale cyber attack on an American business, so therefore many people were trusting of businesses like Target. Prior attacks were due to complete incompetence and laziness, so one would hope that in this day, that kind of lax security was unacceptable and quickly rectified. Unfortunately, it was not. On December 18th , 2013, Brian Krebs of Krebs Security first leaked a report that Target was the victim of a data breach, yet those two words hid a more ominous message. “There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.”3 This would mean that a large-scale credit card theft would be possible. Similar to a credit card skimmer put at regular ATMs, they could obtain information and withdraw from people’s accounts. If only the PIN data was safe then at least some of the tide could be stemmed. Oops. “According to the company, Target does not have access to nor does it store the encryption key within its computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.”4 Turns out the PIN were also stolen, telling the public the reason. As for TJ Maxx, the cause was the weak WEP wireless one store was using that literally allowed the attackers to waltz on in. 3 Krebs, 2013 4 McCoy, 2013
yet the 3DES system used by Target thankfully isn’t in their control, or it’s possible that that would have been compromised as well, based on the fact that the PIN were so easily obtainable. Target as a result suffered quite a bit due to the security snafu. “The Minneapolis company also said that it now foresees fourth-quarter sales at stores open at least a year will be down about 2.5 percent. It previously predicted those sales would be about flat.”5 As a result of the data breach that only lasted a bit under 3 weeks, up to 70 million customers had some data stolen, whether it was through credit or debit card information. The question that still lies though is could this have been prevented altogether? Before answering that, there should be an investigation further into the breach. A little less than a month after he first released the story, Brian Krebs was back on it, looking at what tools were used. It was discovered that the attackers managed to install malware on the Point of Sales checkout at Target stores and from there, were able to set up the attack. “According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of- sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.6 The malware had been in use for nearly 18 months and apparently was not too closely checked. This allowed it to be used in the Target breach and it took a couple of weeks for the company to realize it. While it’s hard to say when the actual malware was installed, 5 d’Innocenzio and Chapman, 2014 6 Krebs, 2014
there should be a greater vigilance on these devices if they can potentially be compromised. Two weeks later, Krebs released a report documenting who is selling the credit cards and information stolen in the Target data breach. A group of hackers had been selling the cards en masse in order to make as much profit as they could as quickly as they can. Meanwhile, the cybercrook known as Rescator and his merry band of thieves who are selling cards stolen in the Target breach continue to push huge new batches of stolen cards onto the market. In an update on Jan. 21, Rescator’s network of card shops released for sale another batch of two million cards apparently stolen from Target, a collection of cards which these crooks have dubbed “Eagle Claw.”7 They found a weak target to exploit and they gladly took advantage of it. But why exactly was it so weak? Was there something on their system that didn’t work properly? The answer to that is yes, as Michael Riley writes. “On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened.”8 That’s not good. Apparently they had the security in place to rectify the problem 3 days in but they did nothing about it. They just sat there and ignored the update. Someone should be (and was) fired for that, but it’s too late for that firing to change the outcome. Target lost a lot of customers for a period of time, and even the ones who stayed opted to use cash only for a while. 10 months after the attack was announced, Teri Radichel provided a case study on 7 Krebs, 2014 8 Riley, et al, 2014
the Target breach and what critical controls could have been utilized to prevent the attack. “Although many security measures were in place throughout the Target infrastructure, additional layers of protection would have stopped the attack at various points along the way. Applying a stronger Defense in Depth strategy would have ensured that each level was not accessible from the next. Additional defenses on the POS system itself could have further protected the data.”9 Using the in Depth strategy, the POS could have been implemented to have a kind of “deny all, then gradually accept” setup where only authorized software could have accessed the POS. With this intact, the malware would not have been able to run if it were as simple as experts claim. This was not the case though, and the malware ran rampant, destroying trust that was built up. The next attack on a major target occurred about a year later and was almost equally as baffling, as the target was a repeat offender of lax security. Whenever you are producing something that could offend a group of individuals, even if they are from a country where their threats could be just words, always make sure to have some type of control over your company lest they try to attack. In December of 2014 Sony Pictures Entertainment was subjected to a security breach by a group of hackers under the guise “Guardians of Peace”. The group managed to exfiltrate multiple terabytes of data files of sensitive information, including unreleased movies and medical files for workers at the company. The GoP said the attack was for Sony’s planned release of “The Interview”, a comedy about two Americans sent to North Korea to assassinate their dictator and the threats to never release the film, or else there will be consequences.10 Almost immediately, many different analysts weighed in on what they 9 Radichel, 2014 10 It should be noted that there is no direct connection linking Kim Jong Un’s regime for
thought occurred with the hack. “"This type attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheet. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future."”11 Apparently the attack wasn’t even sophisticated, according to this analyst, but rather an execution attack that cannot be prevented and the only real way to offset the risk is to have detailed backups of data, as the attack can prevent the creation of new backups. It seems ridiculous that a lack of backups could have allowed this attack to continue through, but it wouldn’t be surprising coming from a company that, during a previous network hack, responded to almost every question in the worst possible fashion.12 What is possibly the worst black eye that Sony could receive is that the attacks weren’t that sophisticated (as mentioned above). What that means is it didn’t take much to actually go and put through the attack. Stuart McClure, a CEO of a cybersecurity firm brought in to help Sony, described that the first attack Sony had in 2011 was certainly not that advanced. being responsible for the attacks. It’s entirely possible the hackers were using the movie’s plot and the North Korean anger about the film as a cover, or possibly NK provided some sponsorship for the hackers. 11 Kovacs, citing Kenneth Bechtel, 2014 12 I previously wrote a paper on the 2011 Playstation Network intrusion, and came to the conclusion that Sony was lax about what exactly was occurring in their network and equally non-responsive when questioned what could have been done to prevent the attack.
““With the Playstation hacks, Anonymous didn’t use anything unique and were able to get in easily and stay a long time,” McClure said. “I got the impression that [Sony] executives didn’t care. Some basic technologies could have prevented a large part of this. This level of destruction of a company on American soil is unprecedented, but my 15 year-old could have written the code.””13 That doesn’t really say much about the current attack, but it sort of explains that Sony was not really attentive or even caring about the prior attack, a huge red flag to any investors and users of Sony’s products. Yet, McClure says later on, he believes that the current attack was not even a computer program, but something else. “McClure said that his research leads him to believe the breach was accomplished through some sort of social engineering, rather than by a computer program.”14 That’s not really much better than if it were to be through a computer program, as the end result is the same, but it more shows the naivety of the company towards actual protection. This, unfortunately, is another theme of those who are attacked. They go on the assumption that they don’t need to be careful to prevent anything sensitive from coming out. That makes some of the stuff released in the attack dump, downright laughable. “One striking thing to have emerged from the data that the Guardians of Peace have so far disseminated is the lack of security around passwords at Sony, including the revelation of an embarrassingly simple password CEO Michael Lynton was apparently using. It’s a clear sign that the company did not have sufficient corporation-wide password standards.”15 Not sure it can get worse than that, other than Sony doesn’t seem to have any desire to show any type of security protocols for their company. This is a terrifying proposition for consumers to face in this day and age. The third attack I found is even more terrifying. 13 Raile, 2014 14 Ibid 15 Ibid
Not too long ago, everyone in America was required to have health insurance in order to offset the costs for medical procedures. Ideally, all of the managed health care providers would be immune to an attack due to the added customers AND due to the Health Insurance Portability and Accountability Act (HIPAA) having guidelines for what security is necessary for online transfers of health care information. Sadly, this wasn’t the case at Anthem Inc., one of the largest managed health care providers in the country. From late December 2014 to late January 2015, hackers managed to seize nearly 80 million customers’ Social Security numbers and other sensitive information from Anthem servers. The attack was unprecedented in the industry as it was the largest attack on a health care insurer in the United States. There is no answer as to who is behind it exactly, but there have been clues left to follow. “[Adam] Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said.”16 Once again, there is no actual answer as to who did it, but rather there is an answer as to what kind of group did it, one that is searching for a way to sell information. If the Chinese were indeed behind it, then the goal was for both trade secrets and espionage, just to figure out what America is up to. The worst part of the hack isn’t that it happened but rather it could have been prevented. All of the data stolen from Anthem’s servers were not well protected. “Health insurer Anthem says the hacked database containing the personal information of 80 16 Riley, 2015
million people wasn't encrypted.”17 That’s a bit troubling. Why wasn’t this encrypted? “Under the federal Health Insurance Portability and Accountability Act (HIPAA), health insurance companies are not required to encrypt the data stored on their servers. The HIPAA ruling recommends using encryption if the health insurer believes it's an appropriate measure to mitigate risk. But lacking a specific requirement essentially leaves it up to each company to decide how to protect its data.”18 That makes it worse. A lot worse than just having a single company not follow guidelines to data encryption standards, but to have the company partially not at fault due to the security standard it is required to follow not actually fixing an ambiguous situation makes one wonder if it was an oversight or a complete unforeseen situation that nobody at Anthem or HIPAA even imagined. There could be a simple fix to this and it would be through encryption of data as a mandatory requirement. Nicolas Terry, a law professor from the University of Indiana, mentions that the company would need to do individual assessment as to what needs encryption and what doesn’t. In addition, he mentions a change needed at HIPAA “As I have argued elsewhere, if healthcare entities fail to encrypt given the current environment (and the risk of extremely serious HIPAA sanctions if the assessment is flawed or poorly documented) maybe the Security Rule should be amended to require encryption.”19 It will be interesting to see if HIPAA does do this, or at least correct the gaping hole they currently have in letting the individual companies decide upon what encryption they feel is enough. It’s better for someone outside to also be able to figure out what security would be enough. All of the above breaches, and others not mentioned, seem to stem from a misuse or lack of knowledge of proper security procedures for the data involved. It almost feels 17 Whitney, 2015 18 Ibid 19 Terry, 2015
as if people seem to understate the value of the data contained on their servers up to the point where the data is no longer available or the data actually contains sensitive information that could cost the company money. Yes, money is the main reason that these companies do all that they do in terms of product sales and offers, but it is also the same aspect used when developing security, and that is to do the best job possible with the least amount of money needed to invest. Sadly for these companies, the option was chosen just to do the job for the least amount of money necessary and possibly not double check the configuration that they use for security so to have a 2nd opinion.20 In addition, if a company is not sure what attacks are being attempted on their sector, why not use a honeypot to “test the waters” and figure out what’s going on. “Now, when worms and attackers hit, they attack both your honeypot and your legitimate web server. Because your honeypot has no legitimate uses you can quickly identify the attack traffic and use that information to build better defenses.”21 It’s understandable though why companies wouldn’t utilize a honeypot if it were an expensive cash outlay. Then again, why would you take future funds away now if you could potentially solve a problem? This is where I feel the establishment of the NCSS or the NCSO will have it’s most useful purpose, in that it will establish a standard that is more direct than the prior organizations. I would liken it to a CERT but for commercial purposes and not necessarily a wide-scale spectrum. The goal of this organization is threefold. One: To reduce cost for configuration and setup of individual companies’ needs for security tools. Two: To monitor and track each of these configurations in order to determine attack 20 Not all opinions are useless. If you have a security expert available you should check with him to make sure that the configuration the company has is suitable. 21 Cole & Northcutt, 2013
patterns and model honeypot systems off of the individual companies’ networks. Three: To push for changes in HIPAA and other monitoring organizations by focusing on trends and being proactive in determining future types of attacks. The main point of all of these goals is to tighten all of the bolts in the workings of security. I realize this is a very idealistic setup and not extremely practical or likely, but it needs to be kept as a goal to both aspire and work towards. Apparently I am 6 months late on my proposal as this isn’t something innovative. Steven Overly in October of 2014 wrote about the National Cybersecurity Center of Excellence in the metro Washington D.C. area and it’s aims. “The National Cybersecurity Center of Excellence in Rockville aims to solve one of cybersecurity’s toughest challenges: getting companies to speak honestly about the threats they face and the steps they’re taking to thwart them.”22 This is exactly what my proposal looks to do. Take down barriers in order to improve the security for everyone involved.23 Most companies hopefully will come to their senses and see this as a good opportunity with all of the security and data compromises occurring. The proposal though can have its counter arguments though. One of the biggest ones is that the companies still may not want to disclose what they feel are trade secrets to rival companies in the same field. Trade secrets and patents are definitely information that the third party company needs to keep confidential. The goal of the organization is to make sure the information is not leaked. If need be, the organization will utilize a generic file that mimics what the sensitive data is, and then use that to test it with 22 Overly, 2014 23 This would also solve a problem I had mentioned earlier regarding Sony’s lack of disclosure as to what caused the 2011 hack (or the 2014 one, for that matter), the NCSO will not disclose this information to the public, but will improve on the security lapses.
different types of security protocols. The second problem that could arise is that there is no mandatory attendance. Thankfully, we are in a country where companies are allowed to pursue any endeavor they choose. Some may believe that going into a joint security group isn’t practical for them, or they want to deal with paying for their own security. That’s their choice. This would merely serve as an option for them if they want to collaborate on security details and find out where they can improve on their own design and share ideas that they have found to be effective. The final argument that could be raised is that the effectiveness of the security won’t be determined until it fails. What these people would be arguing is that it’s next to impossible to be proactive on security because you wouldn’t think of improving upon something so secure until it’s proven to not be secure. In truth, it is possible to be proactive in security if the proper methods are taken. If the organization as a whole chooses to test a new implementation against an SQL injection and puts it up as a honeypot, if the honeypot returns no breach then the implementation can be regarded as a success and will undergo more tests. If it’s seen as a failure, then it will be retooled or scrapped. Security isn’t something that can necessarily be bought, it has to be applied, tested and compared, no different than what R&D you would perform on a car in order to maximize power and fuel efficiency. Naysayers of the plan need to look no further then the growing trends in the industry and the world as a whole to see that cyber attacks are increasing in both frequency and magnitude. Even if companies do offer to check for things like credit monitoring for customers affected, one of the worst things they could do is announce how long the monitoring will occur for. “Criminals who get Social Security or health insurance account numbers have shown
more sophistication than the average fraudster, said Pam Dixon, executive director of the World Privacy Forum. Rather than use the information right away, she said, some crooks will sit on Social Security or insurance files for a year or more before using them fraudulently. ‘‘What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent’’ about monitoring their accounts for fraud, she said.”24 I see it as basically giving an open door to the criminals by blatantly announcing this monitoring plan. I understand the reasoning, but it needs to be done more discretely. This is the art of security. It should be discrete enough so that the people inside of the company are aware of it’s presence and can feel safe about their information, yet also powerful enough to ward off any sort of external intrusion so that the hackers will have to try something else, or look for another target. It may not be feasible to believe that any sort of security organization can fully eliminate data breaches; after all, accidents and glitches happen. The NCSO though aims to mitigate as many attacks as possible, and this is the reason for it’s necessity in today’s fight in cybersecurity. 24 Murphy & Bailey, 2015
Works Cited: • Cole, E., & Northcutt, S. (2013, n.d.). Security Laboratory. Retrieved April 27, 2015, from http://www.sans.edu/research/security-laboratory/article/honeypots- guide • D'Innocenizo, A., & Chapman, M. (2014, January 10). Target: Breach affected millions more customers. Retrieved April 18, 2015, from http://finance.yahoo.com/news/target-breach-affected-millions-more- 184807005.html • Kovacs, E. (2014, December 5). Industry Reactions to Devastating Sony Hack. Retrieved April 24, 2015, from http://www.securityweek.com/industry-reactions- devastating-sony-hack • Krebs, B. (2014, January 29). New Clues in the Target Breach. Retrieved April 23, 2015, from http://krebsonsecurity.com/2014/01/new-clues-in-the-target- breach/ • Krebs, B. (2014, January 15) A First Look at the Target Intrusion, Malware. Retrieved April 26, 2015, from http://krebsonsecurity.com/2014/01/a-first-look- at-the-target-intrusion-malware/ • Krebs, B. (2013, December 18). Sources: Target Investigating Data Breach. Retrieved April 25, 2015, from http://krebsonsecurity.com/2013/12/sources- target-investigating-data-breach/ • McCoy, K. (2013, December 27). Target confirms encrypted PIN data stolen. Retrieved April 19, 2015, from http://www.usatoday.com/story/money/business/2013/12/27/target-confirms- encrypted-pin-data-stolen/4219415/ • Murphy, T., & Bailey, B. (2015, February 6). Why hackers are targeting the medical sector - The Boston Globe. Retrieved April 17, 2015, from http://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting- medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html • Overly, S. (2014, October 12). Washington wants to become a hub for cybersecurity companies. Can it be done? Retrieved April 25, 2015, from http://www.washingtonpost.com/business/capitalbusiness/washington-wants-to- become-a-hub-for-cybersecurity-companies-can-it-be- done/2014/10/10/2ec43b54-4d77-11e4-babe-e91da079cb8a_story.html • Raile, D. (2014, December 21). Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say. Retrieved April 25, 2015, from
http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick- electronic-frontier • Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved April 15, 2015, from http://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical- controls-prevented-target-breach-35412 • Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Target Missed Warnings in Epic Hack of Credit Card Data. Retrieved April 26, 2015, from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms- in-epic-hack-of-credit-card-data#p1 • Riley, M. (2015, February 5). Chinese State-Sponsored Hackers Suspected in Anthem Attack. Retrieved April 22, 2015, from http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored- hackers-seen-in-anthem-attack • Terry, N. (2015, February 7). Bill of Health. Retrieved April 26, 2015, from http://blogs.law.harvard.edu/billofhealth/2015/02/07/time-for-a-healthcare-data- breach-review/ • Whitney, L. (2015, February 6). Anthem's stolen customer data not encrypted - CNET. Retrieved April 22, 2015, from http://www.cnet.com/news/anthems- hacked-customer-data-was-not-encrypted/

Recommended

Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018
malvvv
 
CSCSS Report: Game Netorks, Terrorism and Hacking
CSCSS Report: Game Netorks, Terrorism and HackingCSCSS Report: Game Netorks, Terrorism and Hacking
CSCSS Report: Game Netorks, Terrorism and Hacking
Centre for Strategic Cyberspace + Security Science
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014
- Mark - Fullbright
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber Security
Meg Weber
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
Jamie Moore
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?Enrique J Cordero
 
A Cyber Security Review
A Cyber Security ReviewA Cyber Security Review
A Cyber Security Review
Simon Moffatt
 

Recommended

Eset trends report_2018
Eset trends report_2018Eset trends report_2018
Eset trends report_2018
malvvv
 
CSCSS Report: Game Netorks, Terrorism and Hacking
CSCSS Report: Game Netorks, Terrorism and HackingCSCSS Report: Game Netorks, Terrorism and Hacking
CSCSS Report: Game Netorks, Terrorism and Hacking
Centre for Strategic Cyberspace + Security Science
 
Sophos Security Threat Report 2014
Sophos Security Threat Report 2014Sophos Security Threat Report 2014
Sophos Security Threat Report 2014
- Mark - Fullbright
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber Security
Meg Weber
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
Jamie Moore
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?Enrique J Cordero
 
A Cyber Security Review
A Cyber Security ReviewA Cyber Security Review
A Cyber Security Review
Simon Moffatt
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
Комсс Файквэе
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
centralohioissa
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
malvvv
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
malvvv
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
Maira Asif
 
Cyber war
Cyber warCyber war
Cyber war
Praveen
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
Комсс Файквэе
 
Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up book
Diego Souza
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
EnclaveSecurity
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019
BluePayProcessing
 
Cyberwarfare
CyberwarfareCyberwarfare
CyberwarfareSpace Defense Newsletter
 
McGregor Watkins
McGregor WatkinsMcGregor Watkins
McGregor Watkins
Knight Center
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
Talwant Singh
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCMicrosoft Asia
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
Accelerate Tech
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMS
Paul Walsh
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-naAndreas Hiller
 
Cyber security master class 2018
Cyber security master class 2018Cyber security master class 2018
Cyber security master class 2018
Sanjana Khound
 
Cyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrenceCyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrence
Bikrant Gautam
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonUlf Mattsson
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
Netop
 

More Related Content

What's hot

Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
Комсс Файквэе
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
centralohioissa
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
malvvv
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
malvvv
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
Maira Asif
 
Cyber war
Cyber warCyber war
Cyber war
Praveen
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
Комсс Файквэе
 
Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up book
Diego Souza
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
EnclaveSecurity
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019
BluePayProcessing
 
McGregor Watkins
McGregor WatkinsMcGregor Watkins
McGregor Watkins
Knight Center
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
Talwant Singh
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCMicrosoft Asia
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
Accelerate Tech
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMS
Paul Walsh
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-naAndreas Hiller
 
Cyber security master class 2018
Cyber security master class 2018Cyber security master class 2018
Cyber security master class 2018
Sanjana Khound
 
Cyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrenceCyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrence
Bikrant Gautam
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 

What's hot (20)

Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
 
Cyber war
Cyber warCyber war
Cyber war
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up book
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019
 
Cyberwarfare
CyberwarfareCyberwarfare
Cyberwarfare
 
McGregor Watkins
McGregor WatkinsMcGregor Watkins
McGregor Watkins
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDC
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
 
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMS
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
 
Cyber security master class 2018
Cyber security master class 2018Cyber security master class 2018
Cyber security master class 2018
 
Cyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrenceCyber warfare an architecture for deterrence
Cyber warfare an architecture for deterrence
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 

Similar to NCSO

Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonUlf Mattsson
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
Netop
 
Forrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelForrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
Cristian Garcia G.
 
Cybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connectionCybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connection
ESET Middle East
 
9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula
Regula
 
Updated Cyber Security and Fraud Prevention Tools Tactics
Updated Cyber Security and Fraud Prevention Tools TacticsUpdated Cyber Security and Fraud Prevention Tools Tactics
Updated Cyber Security and Fraud Prevention Tools TacticsBen Graybar
 
BLURRING BOUNDARIES
BLURRING BOUNDARIESBLURRING BOUNDARIES
BLURRING BOUNDARIES
- Mark - Fullbright
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
Spark Security
 
iStart - Cybercrime scene investigation
iStart - Cybercrime scene investigationiStart - Cybercrime scene investigation
iStart - Cybercrime scene investigation
Hayden McCall
 
Retail
Retail Retail
Retail
CMR WORLD TECH
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Perform a search on the Web for articles and stories about social en.pdf
Perform a search on the Web for articles and stories about social en.pdfPerform a search on the Web for articles and stories about social en.pdf
Perform a search on the Web for articles and stories about social en.pdf
fasttrackcomputersol
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
CMR WORLD TECH
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breach
Ulf Mattsson
 
10 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 201610 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 2016
Core Security
 
10 Things to Watch for in 2016
10 Things to Watch for in 201610 Things to Watch for in 2016
10 Things to Watch for in 2016
Courion Corporation
 
Securing information in the New Digital Economy- Oracle Verizon WP
Securing information in the New Digital Economy- Oracle Verizon WPSecuring information in the New Digital Economy- Oracle Verizon WP
Securing information in the New Digital Economy- Oracle Verizon WP
Philippe Boivineau
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Stanford GSB Corporate Governance Research Initiative
 

Similar to NCSO (20)

Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattssonWho is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related ulf mattsson
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
 
Forrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelForrester no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
 
Cybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connectionCybersecurity Trends 2018: The costs of connection
Cybersecurity Trends 2018: The costs of connection
 
9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula
 
Updated Cyber Security and Fraud Prevention Tools Tactics
Updated Cyber Security and Fraud Prevention Tools TacticsUpdated Cyber Security and Fraud Prevention Tools Tactics
Updated Cyber Security and Fraud Prevention Tools Tactics
 
BLURRING BOUNDARIES
BLURRING BOUNDARIESBLURRING BOUNDARIES
BLURRING BOUNDARIES
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
iStart - Cybercrime scene investigation
iStart - Cybercrime scene investigationiStart - Cybercrime scene investigation
iStart - Cybercrime scene investigation
 
Retail
Retail Retail
Retail
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
Perform a search on the Web for articles and stories about social en.pdf
Perform a search on the Web for articles and stories about social en.pdfPerform a search on the Web for articles and stories about social en.pdf
Perform a search on the Web for articles and stories about social en.pdf
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breach
 
Emerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business ReadyEmerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business Ready
 
10 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 201610 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 2016
 
10 Things to Watch for in 2016
10 Things to Watch for in 201610 Things to Watch for in 2016
10 Things to Watch for in 2016
 
TME0212-49
TME0212-49TME0212-49
TME0212-49
 
Securing information in the New Digital Economy- Oracle Verizon WP
Securing information in the New Digital Economy- Oracle Verizon WPSecuring information in the New Digital Economy- Oracle Verizon WP
Securing information in the New Digital Economy- Oracle Verizon WP
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 

NCSO

  • 1. Avraham Lerner Professor Kurt Rohloff Project Paper The Need for a NCSS (National Cyber Security Standard) As we move further and further into the 21st century, everyone in the country and throughout the world is becoming more and more dependant on the Internet. From baby boomers to millennials and beyond, more of our daily lives are occurring through the Internet, whether it is shopping, banking, or even checking on our medical care. Unfortunately, our growing reliance on the Internet is also causing a rise in cyber attacks and data breaches on all types of companies, with the intent to steal data. Data on it’s own has very little value, but when gained and traded for other information it can become quite valuable and earn a fortune for the new age of hackers and thieves. It is for this reason that any sort of data breach can be at best worrying and at worst a terrible loss of money, security and trust. Recent attacks have put many sectors on edge, and it’s possible that these attacks can be deterred if not lessened in impact. Perhaps it’s not a bad idea to establish a NCSS by an NCSO1 designed to preemptively look at prior attack patterns to predict future movements, and establish a standard for companies choosing to join, to implement and follow. I will be looking at 4 recent attacks since 2013 to explain the reasoning behind the proposal.2 Then I will show what standards are needed for the 1 I will be using these terms to describe what the proposed organization will be. The names are proposals and not official. NCSS stands for National Cyber Security Standard and NCSO stands for National Cyber Security Organization. 2 I wanted to use the 2011 Sony Network Intrusion and the 2007 TJ Maxx hack, but the cause still isn’t clear for the Sony attack, only hypothesized and Sony is withholding
  • 2. NCSO, what the organization will and will not do, and answer any concerns people may have about the potential security group. In 2013, many people hadn’t seen much in terms of a large wide scale cyber attack on an American business, so therefore many people were trusting of businesses like Target. Prior attacks were due to complete incompetence and laziness, so one would hope that in this day, that kind of lax security was unacceptable and quickly rectified. Unfortunately, it was not. On December 18th , 2013, Brian Krebs of Krebs Security first leaked a report that Target was the victim of a data breach, yet those two words hid a more ominous message. “There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.”3 This would mean that a large-scale credit card theft would be possible. Similar to a credit card skimmer put at regular ATMs, they could obtain information and withdraw from people’s accounts. If only the PIN data was safe then at least some of the tide could be stemmed. Oops. “According to the company, Target does not have access to nor does it store the encryption key within its computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.”4 Turns out the PIN were also stolen, telling the public the reason. As for TJ Maxx, the cause was the weak WEP wireless one store was using that literally allowed the attackers to waltz on in. 3 Krebs, 2013 4 McCoy, 2013
  • 3. yet the 3DES system used by Target thankfully isn’t in their control, or it’s possible that that would have been compromised as well, based on the fact that the PIN were so easily obtainable. Target as a result suffered quite a bit due to the security snafu. “The Minneapolis company also said that it now foresees fourth-quarter sales at stores open at least a year will be down about 2.5 percent. It previously predicted those sales would be about flat.”5 As a result of the data breach that only lasted a bit under 3 weeks, up to 70 million customers had some data stolen, whether it was through credit or debit card information. The question that still lies though is could this have been prevented altogether? Before answering that, there should be an investigation further into the breach. A little less than a month after he first released the story, Brian Krebs was back on it, looking at what tools were used. It was discovered that the attackers managed to install malware on the Point of Sales checkout at Target stores and from there, were able to set up the attack. “According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of- sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.6 The malware had been in use for nearly 18 months and apparently was not too closely checked. This allowed it to be used in the Target breach and it took a couple of weeks for the company to realize it. While it’s hard to say when the actual malware was installed, 5 d’Innocenzio and Chapman, 2014 6 Krebs, 2014
  • 4. there should be a greater vigilance on these devices if they can potentially be compromised. Two weeks later, Krebs released a report documenting who is selling the credit cards and information stolen in the Target data breach. A group of hackers had been selling the cards en masse in order to make as much profit as they could as quickly as they can. Meanwhile, the cybercrook known as Rescator and his merry band of thieves who are selling cards stolen in the Target breach continue to push huge new batches of stolen cards onto the market. In an update on Jan. 21, Rescator’s network of card shops released for sale another batch of two million cards apparently stolen from Target, a collection of cards which these crooks have dubbed “Eagle Claw.”7 They found a weak target to exploit and they gladly took advantage of it. But why exactly was it so weak? Was there something on their system that didn’t work properly? The answer to that is yes, as Michael Riley writes. “On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened.”8 That’s not good. Apparently they had the security in place to rectify the problem 3 days in but they did nothing about it. They just sat there and ignored the update. Someone should be (and was) fired for that, but it’s too late for that firing to change the outcome. Target lost a lot of customers for a period of time, and even the ones who stayed opted to use cash only for a while. 10 months after the attack was announced, Teri Radichel provided a case study on 7 Krebs, 2014 8 Riley, et al, 2014
  • 5. the Target breach and what critical controls could have been utilized to prevent the attack. “Although many security measures were in place throughout the Target infrastructure, additional layers of protection would have stopped the attack at various points along the way. Applying a stronger Defense in Depth strategy would have ensured that each level was not accessible from the next. Additional defenses on the POS system itself could have further protected the data.”9 Using the in Depth strategy, the POS could have been implemented to have a kind of “deny all, then gradually accept” setup where only authorized software could have accessed the POS. With this intact, the malware would not have been able to run if it were as simple as experts claim. This was not the case though, and the malware ran rampant, destroying trust that was built up. The next attack on a major target occurred about a year later and was almost equally as baffling, as the target was a repeat offender of lax security. Whenever you are producing something that could offend a group of individuals, even if they are from a country where their threats could be just words, always make sure to have some type of control over your company lest they try to attack. In December of 2014 Sony Pictures Entertainment was subjected to a security breach by a group of hackers under the guise “Guardians of Peace”. The group managed to exfiltrate multiple terabytes of data files of sensitive information, including unreleased movies and medical files for workers at the company. The GoP said the attack was for Sony’s planned release of “The Interview”, a comedy about two Americans sent to North Korea to assassinate their dictator and the threats to never release the film, or else there will be consequences.10 Almost immediately, many different analysts weighed in on what they 9 Radichel, 2014 10 It should be noted that there is no direct connection linking Kim Jong Un’s regime for
  • 6. thought occurred with the hack. “"This type attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheet. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future."”11 Apparently the attack wasn’t even sophisticated, according to this analyst, but rather an execution attack that cannot be prevented and the only real way to offset the risk is to have detailed backups of data, as the attack can prevent the creation of new backups. It seems ridiculous that a lack of backups could have allowed this attack to continue through, but it wouldn’t be surprising coming from a company that, during a previous network hack, responded to almost every question in the worst possible fashion.12 What is possibly the worst black eye that Sony could receive is that the attacks weren’t that sophisticated (as mentioned above). What that means is it didn’t take much to actually go and put through the attack. Stuart McClure, a CEO of a cybersecurity firm brought in to help Sony, described that the first attack Sony had in 2011 was certainly not that advanced. being responsible for the attacks. It’s entirely possible the hackers were using the movie’s plot and the North Korean anger about the film as a cover, or possibly NK provided some sponsorship for the hackers. 11 Kovacs, citing Kenneth Bechtel, 2014 12 I previously wrote a paper on the 2011 Playstation Network intrusion, and came to the conclusion that Sony was lax about what exactly was occurring in their network and equally non-responsive when questioned what could have been done to prevent the attack.
  • 7. ““With the Playstation hacks, Anonymous didn’t use anything unique and were able to get in easily and stay a long time,” McClure said. “I got the impression that [Sony] executives didn’t care. Some basic technologies could have prevented a large part of this. This level of destruction of a company on American soil is unprecedented, but my 15 year-old could have written the code.””13 That doesn’t really say much about the current attack, but it sort of explains that Sony was not really attentive or even caring about the prior attack, a huge red flag to any investors and users of Sony’s products. Yet, McClure says later on, he believes that the current attack was not even a computer program, but something else. “McClure said that his research leads him to believe the breach was accomplished through some sort of social engineering, rather than by a computer program.”14 That’s not really much better than if it were to be through a computer program, as the end result is the same, but it more shows the naivety of the company towards actual protection. This, unfortunately, is another theme of those who are attacked. They go on the assumption that they don’t need to be careful to prevent anything sensitive from coming out. That makes some of the stuff released in the attack dump, downright laughable. “One striking thing to have emerged from the data that the Guardians of Peace have so far disseminated is the lack of security around passwords at Sony, including the revelation of an embarrassingly simple password CEO Michael Lynton was apparently using. It’s a clear sign that the company did not have sufficient corporation-wide password standards.”15 Not sure it can get worse than that, other than Sony doesn’t seem to have any desire to show any type of security protocols for their company. This is a terrifying proposition for consumers to face in this day and age. The third attack I found is even more terrifying. 13 Raile, 2014 14 Ibid 15 Ibid
  • 8. Not too long ago, everyone in America was required to have health insurance in order to offset the costs for medical procedures. Ideally, all of the managed health care providers would be immune to an attack due to the added customers AND due to the Health Insurance Portability and Accountability Act (HIPAA) having guidelines for what security is necessary for online transfers of health care information. Sadly, this wasn’t the case at Anthem Inc., one of the largest managed health care providers in the country. From late December 2014 to late January 2015, hackers managed to seize nearly 80 million customers’ Social Security numbers and other sensitive information from Anthem servers. The attack was unprecedented in the industry as it was the largest attack on a health care insurer in the United States. There is no answer as to who is behind it exactly, but there have been clues left to follow. “[Adam] Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said.”16 Once again, there is no actual answer as to who did it, but rather there is an answer as to what kind of group did it, one that is searching for a way to sell information. If the Chinese were indeed behind it, then the goal was for both trade secrets and espionage, just to figure out what America is up to. The worst part of the hack isn’t that it happened but rather it could have been prevented. All of the data stolen from Anthem’s servers were not well protected. “Health insurer Anthem says the hacked database containing the personal information of 80 16 Riley, 2015
  • 9. million people wasn't encrypted.”17 That’s a bit troubling. Why wasn’t this encrypted? “Under the federal Health Insurance Portability and Accountability Act (HIPAA), health insurance companies are not required to encrypt the data stored on their servers. The HIPAA ruling recommends using encryption if the health insurer believes it's an appropriate measure to mitigate risk. But lacking a specific requirement essentially leaves it up to each company to decide how to protect its data.”18 That makes it worse. A lot worse than just having a single company not follow guidelines to data encryption standards, but to have the company partially not at fault due to the security standard it is required to follow not actually fixing an ambiguous situation makes one wonder if it was an oversight or a complete unforeseen situation that nobody at Anthem or HIPAA even imagined. There could be a simple fix to this and it would be through encryption of data as a mandatory requirement. Nicolas Terry, a law professor from the University of Indiana, mentions that the company would need to do individual assessment as to what needs encryption and what doesn’t. In addition, he mentions a change needed at HIPAA “As I have argued elsewhere, if healthcare entities fail to encrypt given the current environment (and the risk of extremely serious HIPAA sanctions if the assessment is flawed or poorly documented) maybe the Security Rule should be amended to require encryption.”19 It will be interesting to see if HIPAA does do this, or at least correct the gaping hole they currently have in letting the individual companies decide upon what encryption they feel is enough. It’s better for someone outside to also be able to figure out what security would be enough. All of the above breaches, and others not mentioned, seem to stem from a misuse or lack of knowledge of proper security procedures for the data involved. It almost feels 17 Whitney, 2015 18 Ibid 19 Terry, 2015
  • 10. as if people seem to understate the value of the data contained on their servers up to the point where the data is no longer available or the data actually contains sensitive information that could cost the company money. Yes, money is the main reason that these companies do all that they do in terms of product sales and offers, but it is also the same aspect used when developing security, and that is to do the best job possible with the least amount of money needed to invest. Sadly for these companies, the option was chosen just to do the job for the least amount of money necessary and possibly not double check the configuration that they use for security so to have a 2nd opinion.20 In addition, if a company is not sure what attacks are being attempted on their sector, why not use a honeypot to “test the waters” and figure out what’s going on. “Now, when worms and attackers hit, they attack both your honeypot and your legitimate web server. Because your honeypot has no legitimate uses you can quickly identify the attack traffic and use that information to build better defenses.”21 It’s understandable though why companies wouldn’t utilize a honeypot if it were an expensive cash outlay. Then again, why would you take future funds away now if you could potentially solve a problem? This is where I feel the establishment of the NCSS or the NCSO will have it’s most useful purpose, in that it will establish a standard that is more direct than the prior organizations. I would liken it to a CERT but for commercial purposes and not necessarily a wide-scale spectrum. The goal of this organization is threefold. One: To reduce cost for configuration and setup of individual companies’ needs for security tools. Two: To monitor and track each of these configurations in order to determine attack 20 Not all opinions are useless. If you have a security expert available you should check with him to make sure that the configuration the company has is suitable. 21 Cole & Northcutt, 2013
  • 11. patterns and model honeypot systems off of the individual companies’ networks. Three: To push for changes in HIPAA and other monitoring organizations by focusing on trends and being proactive in determining future types of attacks. The main point of all of these goals is to tighten all of the bolts in the workings of security. I realize this is a very idealistic setup and not extremely practical or likely, but it needs to be kept as a goal to both aspire and work towards. Apparently I am 6 months late on my proposal as this isn’t something innovative. Steven Overly in October of 2014 wrote about the National Cybersecurity Center of Excellence in the metro Washington D.C. area and it’s aims. “The National Cybersecurity Center of Excellence in Rockville aims to solve one of cybersecurity’s toughest challenges: getting companies to speak honestly about the threats they face and the steps they’re taking to thwart them.”22 This is exactly what my proposal looks to do. Take down barriers in order to improve the security for everyone involved.23 Most companies hopefully will come to their senses and see this as a good opportunity with all of the security and data compromises occurring. The proposal though can have its counter arguments though. One of the biggest ones is that the companies still may not want to disclose what they feel are trade secrets to rival companies in the same field. Trade secrets and patents are definitely information that the third party company needs to keep confidential. The goal of the organization is to make sure the information is not leaked. If need be, the organization will utilize a generic file that mimics what the sensitive data is, and then use that to test it with 22 Overly, 2014 23 This would also solve a problem I had mentioned earlier regarding Sony’s lack of disclosure as to what caused the 2011 hack (or the 2014 one, for that matter), the NCSO will not disclose this information to the public, but will improve on the security lapses.
  • 12. different types of security protocols. The second problem that could arise is that there is no mandatory attendance. Thankfully, we are in a country where companies are allowed to pursue any endeavor they choose. Some may believe that going into a joint security group isn’t practical for them, or they want to deal with paying for their own security. That’s their choice. This would merely serve as an option for them if they want to collaborate on security details and find out where they can improve on their own design and share ideas that they have found to be effective. The final argument that could be raised is that the effectiveness of the security won’t be determined until it fails. What these people would be arguing is that it’s next to impossible to be proactive on security because you wouldn’t think of improving upon something so secure until it’s proven to not be secure. In truth, it is possible to be proactive in security if the proper methods are taken. If the organization as a whole chooses to test a new implementation against an SQL injection and puts it up as a honeypot, if the honeypot returns no breach then the implementation can be regarded as a success and will undergo more tests. If it’s seen as a failure, then it will be retooled or scrapped. Security isn’t something that can necessarily be bought, it has to be applied, tested and compared, no different than what R&D you would perform on a car in order to maximize power and fuel efficiency. Naysayers of the plan need to look no further then the growing trends in the industry and the world as a whole to see that cyber attacks are increasing in both frequency and magnitude. Even if companies do offer to check for things like credit monitoring for customers affected, one of the worst things they could do is announce how long the monitoring will occur for. “Criminals who get Social Security or health insurance account numbers have shown
  • 13. more sophistication than the average fraudster, said Pam Dixon, executive director of the World Privacy Forum. Rather than use the information right away, she said, some crooks will sit on Social Security or insurance files for a year or more before using them fraudulently. ‘‘What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent’’ about monitoring their accounts for fraud, she said.”24 I see it as basically giving an open door to the criminals by blatantly announcing this monitoring plan. I understand the reasoning, but it needs to be done more discretely. This is the art of security. It should be discrete enough so that the people inside of the company are aware of it’s presence and can feel safe about their information, yet also powerful enough to ward off any sort of external intrusion so that the hackers will have to try something else, or look for another target. It may not be feasible to believe that any sort of security organization can fully eliminate data breaches; after all, accidents and glitches happen. The NCSO though aims to mitigate as many attacks as possible, and this is the reason for it’s necessity in today’s fight in cybersecurity. 24 Murphy & Bailey, 2015
  • 14. Works Cited: • Cole, E., & Northcutt, S. (2013, n.d.). Security Laboratory. Retrieved April 27, 2015, from http://www.sans.edu/research/security-laboratory/article/honeypots- guide • D'Innocenizo, A., & Chapman, M. (2014, January 10). Target: Breach affected millions more customers. Retrieved April 18, 2015, from http://finance.yahoo.com/news/target-breach-affected-millions-more- 184807005.html • Kovacs, E. (2014, December 5). Industry Reactions to Devastating Sony Hack. Retrieved April 24, 2015, from http://www.securityweek.com/industry-reactions- devastating-sony-hack • Krebs, B. (2014, January 29). New Clues in the Target Breach. Retrieved April 23, 2015, from http://krebsonsecurity.com/2014/01/new-clues-in-the-target- breach/ • Krebs, B. (2014, January 15) A First Look at the Target Intrusion, Malware. Retrieved April 26, 2015, from http://krebsonsecurity.com/2014/01/a-first-look- at-the-target-intrusion-malware/ • Krebs, B. (2013, December 18). Sources: Target Investigating Data Breach. Retrieved April 25, 2015, from http://krebsonsecurity.com/2013/12/sources- target-investigating-data-breach/ • McCoy, K. (2013, December 27). Target confirms encrypted PIN data stolen. Retrieved April 19, 2015, from http://www.usatoday.com/story/money/business/2013/12/27/target-confirms- encrypted-pin-data-stolen/4219415/ • Murphy, T., & Bailey, B. (2015, February 6). Why hackers are targeting the medical sector - The Boston Globe. Retrieved April 17, 2015, from http://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting- medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html • Overly, S. (2014, October 12). Washington wants to become a hub for cybersecurity companies. Can it be done? Retrieved April 25, 2015, from http://www.washingtonpost.com/business/capitalbusiness/washington-wants-to- become-a-hub-for-cybersecurity-companies-can-it-be- done/2014/10/10/2ec43b54-4d77-11e4-babe-e91da079cb8a_story.html • Raile, D. (2014, December 21). Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say. Retrieved April 25, 2015, from
  • 15. http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick- electronic-frontier • Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved April 15, 2015, from http://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical- controls-prevented-target-breach-35412 • Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Target Missed Warnings in Epic Hack of Credit Card Data. Retrieved April 26, 2015, from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms- in-epic-hack-of-credit-card-data#p1 • Riley, M. (2015, February 5). Chinese State-Sponsored Hackers Suspected in Anthem Attack. Retrieved April 22, 2015, from http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored- hackers-seen-in-anthem-attack • Terry, N. (2015, February 7). Bill of Health. Retrieved April 26, 2015, from http://blogs.law.harvard.edu/billofhealth/2015/02/07/time-for-a-healthcare-data- breach-review/ • Whitney, L. (2015, February 6). Anthem's stolen customer data not encrypted - CNET. Retrieved April 22, 2015, from http://www.cnet.com/news/anthems- hacked-customer-data-was-not-encrypted/