
Cyber Security Part I - (Cyber) War on Terror

This is the first in a five-part series covering cyber security.  Each Monday, Infosec Professional will focus on many of the key aspects of cyber security, from government-led strategic defences right through to individual consumer-level protection.  Any device that connects to the internet is now a potential target, with the motives now becoming political, as control of the information highway becomes paramount.

US government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption".  This initial sentence is paraphrased straight from Wikipedia, but could just as well have come from a sci-fi movie of the mid-1980s.  Cyber war is no longer an imaginary concept, cocooned in the realms of laser gun protection and x-ray vision.  It's an everyday occurrence, impacting governments, corporate enterprise and individuals.


Motives

Internet security in the past has mainly been focused on protecting privately held assets (namely web, FTP and email servers) from being hacked.  Hackers would come in various guises, from the script kiddies learning to code, with ideas they'd learnt that day at college, right through to 'hacktivists', aiming to make a mark for themselves by defacing a newspaper or corporate website.  Today, attacks cover a range of motives.  Cash can be a main driver, especially behind many of the sophisticated consumer-focused malware attacks.  Ransomware has recently hit the headlines, hitting individuals with cash release clauses in order to return laptops and files in working order.  Online banking and financial services customers have long been hit by email phishing and attempts to deceive individuals into revealing their username and password details.  The main goal? Cash.  Either through fraud or direct transfer, money has been the aim for the armies of complex botnet operators.

The motive has advanced, however, to a more country-led level and is now comfortably embedded in the toolbox of military weapons.  Last week US Defence Secretary Leon Panetta said the cyber attack capability from countries like Iran was growing, and that US authorities believed that Iran was behind several attacks on oil and gas companies in the Persian Gulf.  The main motive is to cause disruption.  Disruption causes panic and destabilisation and ultimately acts as a propaganda tool to show who really is in control of a particular asset or environment.

Targets

In early October, the Pentagon confirmed that they themselves were on the receiving end of a cyber attack.  The White House would not confirm reports that the attack originated in China, but did describe the incident as a 'spear-phishing' attempt.

The ongoing political isolation between the United States and Iran has left many arguing that the recent attacks on US government assets are a direct retaliation for the monetary sanctions currently imposed on Iran.

Conversely, the powerful Stuxnet worm found in 2010, which primarily focused on the Siemens SCADA infrastructure within Iran's nuclear enrichment plants, was originally developed with nation-state support, with many speculating Israeli backing.

The subtlety and remote nature of cyber warfare makes its development seem natural, in a time when political tensions are rising, either due to economic changes or the charge for democracy.

The main targets generally seem to be the major infrastructure installations.  As disruption and denial-of-service seem to be the name of the game, attacks on water, electricity and communications infrastructure would seem to have the biggest impact on a nation's general well-being.

From a communications perspective, the aspect can be more subtle.  Only last week, a US House of Representatives Intelligence Committee directive reported that dealings with Chinese telecoms supplier Huawei should be banned.  The UK, Australia and Canada are looking to create similar intelligence reports against a network provider that has invested over £150m in the UK telecoms backbone in the last 10 years.  Whilst a direct attack has not been acknowledged, the gathering of intellectual property and clandestine scanning of network traffic would be a major concern.

Government-Led Defence

The last 3 years have seen some significant strategic steps being taken by several governments, when it comes to cyber security defence and offence.

In 2009, the US formed USCYBERCOM, a Department of Defense initiative to protect the military's information networks.  Also in 2009, Howard Schmidt took the role of cyber security co-ordinator and advisor to the Obama administration.  Although he retired from the role this year, it marked a new beginning in cyber security management, research and defence.

From a UK perspective, GCHQ performs in a similar vein to the US's National Security Agency and has recently announced a new research capability, with partnerships with several top UK universities.  The partnerships aim to make it easier for businesses, individuals and government to take informed decisions about how to implement better cyber protection measures.

China too has recently released a new policy outlining its approach to IT in general and how to counteract and defend against online attacks.

Whilst the cost of attacks (and indeed the readiness of organisations and governments to acknowledge being the victim of an attack) is largely unknown, many institutions are putting in place infrastructure, personnel and policies to allow attack and defence mechanisms based on internet resources to take place.

@SimonMoffatt

