While U.S. Secretary of Defense Leon Panetta did some silicon saber-rattling last week by raising the prospect of a preemptive strike against cyberattacks, he also delivered a wake-up call to Wall Street and Congress about cybersecurity.
Panetta’s message to the business leaders gathered at a meeting in New York of the Business Executives for National Security was very clear, according to Booz Allen Hamilton Senior Vice President Roger Cressey.
“You’ve had all these cyberattacks on the U.S. financial industry over the past month,” he told TechNewsWorld. “You all need to pay attention that these were not just run-of-the-mill attacks by a group of disenfranchised youth or cybercriminals.”
“There is a different level of complexity and capability associated with these attacks,” he added.
Panetta’s grave remarks about the nation’s cybersecurity also sent a message to Congress that they need to act on key legislation in that area.
“I think he was lobbying for legislation or at least an executive order to make the process for extracting information from ISPs easier,” Richard Stiennon, chief research analyst at IT-Harvest, told TechNewsWorld. “To me, that’s the underlying motivation for the speech.”
Something must be done, said Cressey. “The secretary is making the point that if we do not solve this, then we’ll be left much like 9/11. The warning signs were there, we didn’t pay attention and we suffered terribly.”
Nationality Not Only Huawei Problem
Chinese telecommunication equipment maker Huawei Technologies cried foul last week when a congressional committee released a report advising U.S. companies not to buy hardware from the firm for national security reasons.
Huawei contended that the members of the committee were just trying to exploit anti-Chinese sentiment in the United States., but one security analyst maintains that Huawei’s problems are deeper than its country of origin.
Although the Chinese company claims that its equipment is as secure as its competitors in other nations, there are vulnerabilities in their hardware that date back to to the 1990s, according to Ira Victor, a digital forensics analyst with Data Clone Labs. “It’s widely known how to breach those vulnerabilities,” he told TechNewsWorld.
Concerns have been raised about back doors being planted in Huawei hardware that would be bought by U.S. companies. “Who needs a back door?” Victor asked.”There a front doors you can walk through in this equipment.”
“Huawei’s claim that their security is in alignment with their competitors’ does not hold water, in my opinion,” he added.
Half of Enterprises Unaware of Attack
More than half of enterprises are unaware that they’re infected with an Advanced Persistent Threat, warned Tom Kellermann, vice president of cybersecurity for Trend Micro.
That’s not surprising because APTs, which are commonly associated with cyberespionage mounted by nation-states, are devilishly designed to remain under the radar of even the most sophisticated threat detection systems. What is surprising is the proliferation of the malware into enterprises of every size.
“What we’ve seen in the last two years is the commoditization of this type of tactical phenomenon,” Kellermann told TechNewsWorld. “Organized criminals as well as cybermercenaries are now deploying these types of digital insider-targeted attacks within corporate systems as well as individual systems.”
“What used to be a phenomenon that was specific to major nation-states is now being used by organized crime and criminals,” he continued, “and they’re so clandestine in how they deposit these things in your system that 55 percent of organizations didn’t even know that they had these back-door beacons in their systems.”
That has led to an explosion of APT attacks, he maintained. “The cyberunderground, or the shadow economy, has begun to automate the processes for these APT campaigns, which used to be the monopoly of governments, and has begun to incorporate them into their crimeware and criminal enterprises,” he added.
- Oct. 9: Ponemon Institute reports that 48 percent of IT practitioners in the UK say that sensitive personal data contained in their company’s databases and applications has been compromised or stolen by a malicious insider. The survey also revealed that 59 percent of the IT workers confessed that they are not confident that they would be able to detect the unintentional loss or theft of sensitive personal information contained in databases or applications in the production environment.
- Oct. 10: The Florida Department of Education reveals that personal information for about 279,000 students and employees at Northwest Florida State College was compromised in a data breach that occurred between May 21 and Sept. 24. Information included names, birth dates, employee direct deposit bank routing and account number information, and Social Security numbers.
- Oct. 10: A study by Philadelphia-based NetDiligence of 137 cyberliability insurance policy claims between 2009 and 2011 estimates the average cost per data breach to be $3.7 million.
- Oct. 11: Korn/Ferry International, one of the world’s largest recruitment and executive search firms, disclosed that its computer systems had been compromised by an Advanced Persistent Threat (APT) for an unspecified amount of time. The firm did not say how many individuals or records were exposed, but it added that it had no knowledge of any misuse of any information that may have been compromised.
- Oct. 11: Lewiston (Maine) Sun Journal reports TD Bank told the state attorney general in a letter dated Oct. 5 at 35,000 Maine residents had their personal information — including Social Security and bank account numbers — compromised in a data breach at the bank in March.
- Oct. 11: Rep. Duncan Hunter (R-Calif.) sends letter to Army Secretary John McHugh complaining that the Army has been slow to inform 31 soldiers, or their families, who received the Medal of Honor or the Distinguished Service Cross of the data breach that resulted in the medal winners’ Social Security numbers being posted online.
Upcoming Security Events
- Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
- Oct. 18:Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Standard, $395 (by Oct. 17).
- Oct. 18: NAC-As-A-Service: What, Why and How. 12 noon ET. Webcast. Sponsored by ForeScout Technologies.
- Oct. 18: Defensive Tools Workshop: ModSecurity Quick-Start Overview. 3 p.m. ET. Black Hat webcast. Free. Sponsored by FireEye.
- Oct. 20-21: Ruxcon 2012. Melborne, Australia. Registration: AUS$350.
- Oct. 21-24: FS-ISAC Summit. Lansdowne Resort, Leesburg, Va. Limited to actual financial services practitioners. registration ranges from US$165-$1750.
- Oct. 22-23: Cybersecurity Conference. Grand Hyatt, Washington, D.C. Managed by 1105 Media. Expo Admission: Free. Conference Registation: US$295 for government employees; US$495 for others.
- Oct. 22-25: eCrime 2012. El Conquistador Resort & Conference Center, Las Croabas, Puerto Rico. Sponsored by the Anti-Phishing Work Group (APWG). Registration US$575.
- Oct. 23: Exposing the Money Behind Malware. 2 p.m. ET. Webcast sponsored by Sophos. Free with registration.
- Oct. 25-31:Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
- Nov. 3-6: Information Security Forum Annual World Congress. Chicago.
- Nov. 14: How to choose the right authenticator to meet the CJIS requirement for advanced authentication. 1-2 p.m. ET. Free webinar. Sponsored by Entrust.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration is now open.
- Jan. 7-9:Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. sponsored by Oxford Computer Group. Early registration: $450. Registration after Nov. 21: $650.
Social MediaSee all Social Media