
Multiple countries are now discussing the need to establish a comprehensive cyber protection program given the continued increase in the threat of cyber attacks and cyber warfare. The attack on Estonia and the more recent attack on Georgia are being viewed as the harbinger of what is to come. I was recently asked what might a comprehensive Cyber Protection Program (CPP) look like. So I thought I would put down my top ten areas that I think would be critical to include in a CPP.
1. Mandatory requirement to have up-to-date protection software on any device connecting to the Internet that includes:
a. Anti-Virus
b. Anti-Spyware
c. Anti-Malware
d. Anti-Adware
This software will automatically upload attack data to a central reporting center.
2. Mandatory isolating capability on every system with high processing capabilities and a firewall on every device connecting to the Internet with the following functionality:
a. Cannot be disabled other than for a few seconds
b. Has pre-configuration for mandatory protection
c. Automatically uploads attack data to a central reporting center
d. Automatic disconnection when massive outbound DDoS traffic from compromised computer systems is detected
3. Legislation mandating that software vendors comply with the following:
a. Report software vulnerabilities to authorities within 24 hours of discovery
b. Meet minimum security testing requirements prior to the release of any software program
4. Criminal laws specifically addressing the unique characteristics of cyber attacks, malicious code and system compromise, including language that addresses the threat of DDoS attacks.
5. Criminal laws specifically addressing the development and sale of cyber weapons.
6. Criminal and civil laws that address organizations that fail to immediately report cyber attacks or data breaches, including those that destroy evidence of cyber attacks, system compromise and data theft.
7. Establishment of a quasi government/business entity that coordinates defensive and protective capabilities of the information infrastructure. This would also include a cyber attack and threat alerting system.
8. Establishing an Intelligence Center that is charged with cyber intelligence collection, analysis, trend reporting as well as collaboration across the other intelligence agencies.
9. A federal cyber attack investigation unit that is the center of excellence and develops tools and techniques as well as works with all other agencies and law enforcement to dissect cyber attacks and malicious code and assist with investigations.
10. Implement within the federal cyber attack investigation unit a division that provides sufficient audit and control measures to ensure the laws are being followed. The private sector has already proven self governance is unreliable to ensure adherence to the protection necessary for cyber defense.
Now I know there will be many comments about “big brother” and “big government,” but given what has taken place thus far, I am not sure we have any other choice. It is deeply concerning that 85 percent of organizations have admitted they have had systems and data breaches. A significantly smaller number have actually reported them in accordance with the 40 data breach notification laws that are currently in place.
An improperly protected computer or other device connected to the Internet is a cyber weapon waiting to be loaded and used.

A good, comprehensive list. Okay, immediate thoughts that spring to mind:
1/2: Centralised repositories for uploading attack data. If I were attempting to compromise a device or a network, that would be the first place I would look to take out of the loop, much like the priority of removing malware’s “phone home” capabilities to prevent any further potential data leaks while cleaning it up on a system. Any thoughts you’d care to share on hardening such a reporting mechanism?
5: Given that a number of “cyber weapons” are essentially weaponised security tools, I’d be rather concerned about throwing out the baby with the bathwater in terms of such legislation. I’m uncomfortable with the thought that merely possessing a useful tool will be criminalised. We definitely need legislators who have security expertise or good access to it, as I’m sure you will agree.
As a comment on your “big brother” point, I feel it’s important that any standards and provisions for software in such a system are formed as part of an open standard (albeit federally tested, verified and certified — no proprietary “black box” developments). Otherwise there’s too much of a chance that some lobbyist on the hill could attempt to turn a useful trusted computing paradigm into a vendor lock-in monopoly which would not serve anyone’s best interests.
Officers & Directors of most companies aren’t familiar enough with stuff like this to authorize it in their budgets; IT Managers are sometimes gutless, and aren’t willing to press for it. I’ve seen this first-hand. Unless you come down on a company with the fire of Sarbanes-Oxley, you will get minimal results, despite your best intentions.
Maybe you’d get a few high-schoolers arrested for having directional antennas, WiFi adapters that support Promiscuous Mode, and BackTrack-equipped USB keys.
This level of regulation, however excellent on paper, would be counter-productive if written and enforced by the wrong minds.
How about a rule for wireless connections? Wireless is the most insecure connection type available. And not just for the office, what about home?
I read once that these guys would get the home addresses of executive users and “war drive” their homes. They would sit outside their homes with wifi laptops and see if they could access the exec’s home network. Many times the home networks had no security enabled at all…
Training the employees to look out for social engineering attacks would also be a huge priority. In 18 years of computer support I have only been challenged twice when asking for a user’s password. Also many employees assume that if you are inside the facility, you belong there. I was unescorted 98% of the time on a clients site and have only been challenged when walking through a facility 3 times in 18 years. Two of the challenges were at a single location.
During these times when every company is making cutbacks, many lobbies are not even manned anymore. Turn off live network connections in unguarded lobbies. One penetration testing company bypassed a very high-end firewall by simply connecting a wifi router to a live jack in an unprotected lobby. Then they taped “IT department do not remove” on the router. They then could sit in the parking lot and have access to the network.
Just some thoughts.
Part one sections a — d could be solved with a different OS (Solaris, Linux, BSD, OS X, etc…) Security is a weakest link, why does “evil”-ware still exist when we know what the weak link is…
Part three, Legislation that mandates software testing and vulnerability. What about open source software… Who is the vendor. Who gets the lawsuit?
Part five, cyber weapon. Uhhh what’s that? Give me a 486 with an internet connection, is that a “cyber weapon”? Are nmap, nc, dig, ping, nessus, all cyber weapons? Careful with laws and definitions or we will outlaw the “series of tubes”.
LOVE part 10. Where do I put in the job application that would be a fun team to work for “IF” properly funded.
OPEN SOURCE
Open source is a very small part of the overall market. I was focusing on the 80% in the posting. That being said, we do need to address the open source issue. My idea on open source consists of two parts.
Part 1
The author must certify they have tested whatever they post to a certain standard.
Part 2
The organization that chooses to use open source must certify they have tested the software to a certain standard.
So both the authors and the users share in the responsibility for open source.
Kevin,
On the firewall side, I know a lot of companies use Checkpoint.
The founder and CEO, Gil Shwed, is a former member of Israeli intelligence, Unit 8200. I always figured once an intelligence officer, always an intelligence officer. Could this possibly be a national security issue?
Don’t get me wrong, I love Israel, but spooks making security devices always makes me nervous.
Solid advice, all around.
Military pages that have forums/specops discussions should be kicked off WAN/VOIP etc…
They always hack people!