Taking Our Eyes Off the Ball: Has Fighting Cyber Crime in the US Left Us Ill-Prepared for Cyber War?
by Jeffrey A. Ingalsbe, Dan Shoemaker, Nancy R. Mead, and Wesley Meier

KNOW YOUR ADVERSARY
Cutter IT Journal, Vol. 24, No. 5, May 2011, pp. 18-23. ©2011 Cutter Information LLC. Get The Cutter Edge free: www.cutter.com

Fighting cyber crime in the US has made us ill-prepared to fight a cyber war. This may seem to be hyperbole, but it is most definitely not. Cyber crime has occupied much of our time and energy for (at least) the last 10 years. In response to the cyber crime threat, we have seen the passage of a HIPAA compliance mandate (April 2003), Sarbanes-Oxley (July 2002), and breach notification laws in 46 US states. We have seen the establishment of a plethora of information assurance programs in academia. We have seen investment in IT security climb despite economic hardship and the number of security vendors increase significantly. This would seem to make perfect sense, considering we have also seen losses per security incident climb into the hundreds of thousands of dollars on average and into the millions of dollars for specific incidents.

What did all of that time and energy get us? It certainly got us organizations that spend a lot of time and energy on compliance. It got us organizations that are thinking about bad guys stealing information. But, in our opinion, it did not get us organizations that are thinking about enemies trying to destroy the American way of life. There are fundamental differences between cyber crime and cyber war. The megatrend triad of cloud computing, mobile computing, and consumerization will only make the situation worse. That said, all is not lost. As we will discuss, there are things we can do today to prepare for a cyber war tomorrow. (Please note that while this article is written from a US perspective, the observations and recommendations are broadly applicable in countries where the legislative, industrial, law enforcement, and academic apparatuses are similar.)

WHAT IS CYBER CRIME?

As we noted above, cyber crime has been a focus for the last decade at least. But what exactly do we mean when we talk about cyber crime? In the broadest sense, cyber crime is the use of technology to break the law. Larceny, extortion, identity theft, fraud, and corporate espionage can obviously be committed in the cyber realm, as can stalking, bullying, slander, and libel. Worldwide cyber crime has passed the drug trade as the number one criminal moneymaker, and it is easy to see why. The ubiquity and anonymity provided by the Internet emboldens cyber criminals and makes it difficult to recognize, investigate, assess, or prevent their crimes. Law enforcement agencies grapple with insufficient training, limited resources, multiple jurisdictions, and legal remedies that are not yet fully formed. Prosecutors, judges, and policy makers struggle to understand and address the cyber realm, the cyber criminal, and their implications. To top it all off, corporations (don’t forget the banks) are pushing customers to the Internet in droves in order to save on brick-and-mortar expenses, effectively creating an even bigger pot of gold for cyber criminals to target.

It is not surprising, then, that cyber criminals have gone from being hackers looking for honor badges by performing difficult penetrations to members of organized crime rings that are well organized, well funded, and determined. For a criminal, it is a whole lot easier (and safer) to sit at a desk somewhere trying to hack into a corporate system than it is to pilot a boat full of cocaine through international waters in the dead of night. The growing technological interconnectedness of our assets (money, identity, intellectual property, etc.) is not likely to slow — nor, consequently, is cyber crime.

WHAT HAVE WE DONE ABOUT IT?

Although the picture we have painted may seem quite gloomy, a lot of effort has gone into addressing cyber crime in all of its forms. As far back as 1976, when Donn B. Parker wrote Crime by Computer,1 there was a recognition that computer abuse was possible and increasing markedly. Parker forewarned the next generation of computer users that abusers would commit offenses on a fearsome level. And in 1984, the American Bar Association (ABA) conducted a survey with 283 private organizations and public agencies. It found that 24% of respondents had experienced computer crime, with losses ranging from US $145 million to $730 million, so the problem was already large.2

Since that time, government, industry, and law enforcement have not been idle. In 1986, the US Congress passed the Computer Crime and Abuse Act. Beginning in 2002, state breach notification laws came on the scene, followed by Sarbanes-Oxley and HIPAA. In the late 1990s under President Clinton, again in 2003 under President Bush, and again in 2009 under President Obama, the US government undertook strategic reviews of the path toward securing cyberspace. Each of these assessments made findings and outlined proposals that were strikingly similar, and each resulted in efforts to do things such as increase cooperation between governmental agencies; promote partnerships between government, industry, and academia; and elevate awareness across the country. The US–Computer Emergency Readiness Team (US–CERT), National Security Agency (NSA), and Department of Homeland Security (DHS) Centers of Academic Excellence are examples of what has been put in place. At the end of the first decade of the 21st century, it seems that — despite governmental rhetoric about the security of the national infrastructure — the “adversary” is a cyber criminal who wants our personally identifiable information (PII), our financial information, and our medical information.

How have corporations responded to the cyber crime threat? In the late 1990s they saw the “Melissa” and “I Love You” viruses and established IT security groups (yes, one person can be a “group”). The first order of business was getting control of corporate endpoints by using standard loads and antivirus software. Then they tried to get things like incident response and forensics in place. These were served up centrally and had an information assurance focus. Next, they moved on to securing applications and infrastructure. Some security personnel used fear, uncertainty, and doubt (FUD) effectively to get funding. Yet they struggled to make progress and many times showed up just before launch or at a gate review and rendered their “opinion” on the security of the application or infrastructure. They took some abuse for this kind of behavior and now attempt to “play nice.” When Sarbanes-Oxley came around, security folks found that the threat of noncompliance is a better tool than the threat of a future breach from the hacker in the shadows, and they used it. Some organizations have availed themselves of opportunities to collaborate with federal government working groups launched in the last five years, such as the DHS’s Software Assurance Working Groups.3 Some realized that a feedback loop from the IT security group to the developers and architects is a valuable thing, and they instituted software assurance processes. Most did not. It seems that because of the way compliance fear and pressures to deliver new content have influenced organizations, the “adversary” is a cyber criminal who wants our corporate intellectual property, our financial information, our medical information, and our customers’ PII.

For their part, law enforcement agencies have attempted to get their arms around cyber crime and have had a degree of success. At the local, county, and state levels, there is some cooperation that has helped build regional crime labs (mostly focused on forensics) across the US. However, on average there is less than a handful per state. Each jurisdiction seems to address only a piece of the cyber crime pie. For example, state cyber crime personnel might focus on fraud and identity theft, while county cyber crime personnel might focus on online predators, and local personnel focus on something else altogether.

In addition, law enforcement personnel have faced difficulties on several fronts. Resources (people and equipment) are hard to fund given the tough economic times. Even when funding is available, it is difficult to find qualified officers. Training is scarce and expensive. Education is even more expensive and takes several years. When police forces are unionized, cyber security staffing becomes tougher still. The officer with the highest seniority must get the cyber security job even when more qualified officers are available. All that being said, there are qualified law enforcement officers out there trying to solve cyber crimes, and we need more, many more. Here the “adversary” is a cyber criminal that is defined by the particular law enforcement agency you are talking with.

WHAT HAS ALL THIS EFFORT GOTTEN US?

We are now in a situation where government, corporations, academia, and law enforcement have each developed an understanding of cyber crime and the adversary (a cyber criminal) based on their individual contexts. While we have certainly worked hard on most fronts, it can’t be said that we have always worked smart. Furthermore, as we have attempted to get a handle on cyber crime, the world has changed around us. The Internet is pervasive. Mobility and interconnectedness have grown at phenomenal rates. Even security industry stalwart RSA has been breached, making us question our most fundamental assumptions. The cyber crime threat landscape has gotten worse faster than we have grown competencies to address it.

WHAT IS COMING NEXT?

Are the same forces going to be exerting themselves on our organizations tomorrow? Of course they are. The Internet is not going to get smaller or be less connected. The number of devices connected to the Internet, their power, and the traffic they generate are not going to decrease. The amount of buying, selling, and banking that occurs online will not decrease. The interconnectedness of businesses and governments will not decrease. In fact, all of these things will increase significantly in the short term. The only question is whether the growth will continue on the same path as it is now or whether something new will change things.

We submit that there are three megatrends that will move us into a state that is worse than the situation we have today. Cloud computing, smart devices, and consumerization (using consumer devices for business purposes) will present serious challenges to organizations as they try to address cyber crime. Cloud computing offers elastic, just-in-time services without infrastructure overhead. However, visibility and control are compromised. Organizations will have a difficult time answering questions such as “Where, exactly, is my data?” and “Is this forensic copy of my data reliable?” Smart devices offer integrated computing power and connectivity. This allows personnel to perform complex tasks while not physically at work and without WiFi connectivity. However, endpoint control and security are compromised, and smart devices don’t yet have the computing power to handle the same kinds of security tools as laptops. Consumerization offers productivity gains and reduction in support costs. This allows a company to transfer a portion of the cost of ownership of endpoints to employees. However, endpoint control and the organization’s perimeter are, again, compromised.

Here is a set of (somewhat cynical) predictions. Organizations will move to the cloud en masse without a full understanding of the risks. The decisions will be driven primarily by cost. Organizations will allow smart devices to connect to their corporate network under the guise of productivity gains without a full understanding of the risks. The decisions will be driven by a desire to be seen as playing nice. Organizations will allow consumerization to unduly influence computing policy and purchases. The decisions will be driven by a desire to lure top talent into employment. Cloud computing, smart devices, and consumerization will undo the work that has been done over the last 10 years to understand where corporate assets are and keep them safe.

WHAT IS CYBER WAR AND HOW IS IT DIFFERENT?

Enter cyber war. Cyber war is not a subtle nuance of cyber crime. It is something entirely different. Former US counterterrorism official Richard A. Clarke defines cyber war as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”4 He believes that our leaders do not understand the seriousness of the threat that faces them. Security analyst Richard Stiennon5 concurs but thinks the war has already begun. Both agree that the tools to wage cyber war are available, the avenues of attack already exist, and nations have already had cyber skirmishes (whether those are part of the cyber war or not). In 2008, Russia knocked out Georgia’s government computers before launching a physical attack on that country — an incident that certainly qualifies as cyber warfare. Distributed denial of service attacks against South Korea in 2009 and 2011 qualify as well. Stiennon would say that hackers nabbing source code for Google’s single sign-on system also falls under the category of cyber warfare. But more than any other incident to date, the 2010 Stuxnet worm — a complex, well-thought-out, multistaged, and targeted attack on industrial controls equipment (primarily in Iran) — should be considered the quintessential cyber war attack and a harbinger of things to come.

At first glance, cyber war might seem like cyber crime committed by another country, but that definition falls short. There are several fundamental differences between cyber crime and cyber war. First, cyber crime is parasitic in nature. Cyber criminals are parasites that feed off a food supply that they do not want interrupted. Cyber war is destructive in nature. It demands defeat at whatever cost. Second, cyber crime requires a return on investment. Cyber criminals will not spend endless amounts of time on malware or hacks if there is no revenue stream. Therefore, the targets they choose and the ways in which they choose to compromise them will be determined by the monetary gain of the compromise amortized over the time it takes to acquire the pot of gold. Cyber war, on the other hand, does not require a return on investment. Cyber soldiers can spend as long as it takes to develop malware or hacks for a target. The targets they choose will be determined by the damage that will be inflicted on the country that owns the target. In short, cyber soldiers will attack different targets in different ways taking as much time as needed. Cyber criminals will attack targets that can be turned into money.

SO WHAT?

Why does this differentiation between cyber crime and cyber war matter? Isn’t a slight repurposing of personnel or a slight redefinition of processes all that is required to address cyber war? Haven’t we built up competencies fighting cyber crime that can be applied fighting cyber war? These questions require some discussion.

Ideally, when organizations address the cyber security of their assets, they must begin by identifying those assets. This is not a trivial task, and it requires agreement among all stakeholders. Then stakeholders must come to an understanding of how those assets are accessed, transformed, and transported inside and between software-intensive systems. Cross-functional teams of technical, business, and legal personnel will then identify, analyze, and rank threats to those assets. Finally, mitigations are proposed, analyzed, and adopted. This systematic process is called “threat modeling,” and while it has gained popularity over the last several years, it is not yet widely performed.

In our experience, assets are defined as money, personal information, and processes that manage money and personal information. Threats are identified by asking questions like “Who would want to know or alter this information?” Mitigations are adjustments to processes and systems that are identified by looking at legal and regulatory guidance, industry best practices, and cost. Assets, adversaries, and adjustments are currently defined in the context of cyber crime. We would argue that they must be defined in a larger context that includes cyber war.

Assets are what we value. They speak to our lifestyle, our culture, and our identity. They are not simply Social Security numbers and dollar bills. Therefore, we need to alter the definition of assets to include all of the things we value. Adversaries are all those who would seek to harm our assets. They are not simply cyber criminals or cyber thugs seeking financial gain. Sun Tzu sheds light on the importance of understanding your adversary:

    So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.
    — The Art of War

Adjustments are things that we change in order to make it impossible (or less likely) for a threat to be realized. Once we truly understand our assets and our adversaries, we can make decisions using equations (metaphorically speaking) that weight variables according to both cyber crime and cyber war.

We have spent the better part of the last 35 years getting to know an enemy we call a cyber criminal. We have organized departments, enacted legislation, trained personnel, and launched initiatives with the intent of protecting things of value from the cyber criminal. We are in an environment that increasingly favors the cyber adversary (more devices on the Internet, more interconnectedness between those devices, more business and financial transactions online, more treasure in the cloud and on personal devices, and more porous network boundaries around everything). We can barely stave off the cyber criminal; how will we deal with a cyber soldier? Is all hope lost? No, all hope is not lost. We have developed a lot of skills over the last few decades that can be repurposed for the task. To show how these capabilities can be brought to bear, we will close with some concrete recommendations.

Conduct Threat Modeling

If you haven’t already, begin threat modeling. If you already conduct threat modeling, then adjust your perspective to think about assets, adversaries, and adjustments in a new way. This will require a significant amount of work, and getting buy-in at the executive level will require some homework and some luck.
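The “equations (metaphorically speaking)” that weight assets against both kinds of adversary can be made concrete. The following is an added example, not code from the article or its authors: a small threat-ranking model in which a criminal actor scores a target by monetary gain amortized over the effort needed (the parasitic, return-on-investment model the article describes), while a nation-state actor scores a target by the destruction it causes regardless of effort. The asset names, actor categories, and numeric scores are constructed for illustration, and the two-actor-kind split is an assumption of the example; the point it shows is that a crime-only threat model leaves the destructive scenarios unranked and therefore unmitigated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    name: str
    kind: str  # "criminal" or "nation-state"; hypothetical categories for this example


@dataclass(frozen=True)
class Threat:
    asset: str
    actor: Actor
    monetary_gain: int  # 0-10: what the attacker could turn into money
    destruction: int    # 0-10: what the organization loses if the asset is destroyed
    effort: int         # 1-10: time and skill needed to realize the threat


def crime_score(t: Threat) -> float:
    """Parasitic model: monetary gain amortized over the time it takes to get it."""
    return t.monetary_gain / t.effort


def war_score(t: Threat) -> float:
    """Destructive model: damage decides the target; a cyber soldier takes as long as needed."""
    return float(t.destruction)


def score(t: Threat, include_cyber_war: bool) -> float:
    """Score one threat; a crime-only model has no nation-state actor at all, so it scores 0."""
    if t.actor.kind == "nation-state":
        return war_score(t) if include_cyber_war else 0.0
    return crime_score(t)


def rank_threats(threats, include_cyber_war=False):
    """(asset, actor name, score) triples, highest first; unscored threats are dropped."""
    scored = [(t.asset, t.actor.name, score(t, include_cyber_war)) for t in threats]
    return sorted([s for s in scored if s[2] > 0], key=lambda s: s[2], reverse=True)


def newly_visible_assets(threats):
    """Assets that enter the ranking only once nation-state actors are counted."""
    before = {asset for asset, _, _ in rank_threats(threats, False)}
    after = {asset for asset, _, _ in rank_threats(threats, True)}
    return sorted(after - before)


ORGANIZED_CRIME = Actor("organized crime ring", "criminal")
NATION_STATE = Actor("nation-state cyber unit", "nation-state")

# Constructed sample threat register; the scores are illustrative, not measured data.
SAMPLE_THREATS = [
    Threat("customer PII database", ORGANIZED_CRIME, monetary_gain=9, destruction=3, effort=3),
    Threat("payment processing system", ORGANIZED_CRIME, monetary_gain=8, destruction=5, effort=4),
    Threat("building HVAC control system", NATION_STATE, monetary_gain=0, destruction=9, effort=8),
    Threat("product source code repository", NATION_STATE, monetary_gain=2, destruction=6, effort=6),
]

if __name__ == "__main__":
    for label, flag in (("crime only", False), ("crime + war", True)):
        print(f"--- {label} ---")
        for asset, actor, s in rank_threats(SAMPLE_THREATS, flag):
            print(f"{s:4.1f}  {asset:32s} ({actor})")
    print("assets the crime-only model never ranks:", newly_visible_assets(SAMPLE_THREATS))
```

Run stand-alone, the crime-only ranking puts the PII database first and never lists the HVAC or source-code assets; with the nation-state actor counted, the HVAC control system moves to the top. The `newly_visible_assets` list is the practical output: it names the assets for which no adjustment has been planned because no ranked threat ever pointed at them.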
Depending on the threat modeling methodology you use, there are three things that may need to change from the way you would traditionally proceed:

1. Consider cyber soldiers as actors. For example, include at least one nation-state actor and an ideological extremist actor. Think through their possible motivations, means, and competencies.

2. Think through scenarios that involve the destruction of large portions of your organization. For example, what if your heating and cooling system was hacked over a weekend? What would be destroyed? How long would it take to recover? Would it affect your market position?

3. Include disaster recovery/business continuity personnel. Disaster recovery and business continuity staff are not typically part of the threat modeling process because stealing rather than destroying has been the focus. This needs to change.

Reallocate Your Security Resources

Every company needs to assess the organization of its IT security organization and realign it so that no more than 25% of the resources are allocated to compliance (e.g., policy development, process development, audits). Twenty-five percent of the resources should be allocated to reactive activities (e.g., incident response, forensics). Forty-five percent of the resources should be allocated to proactive activities (e.g., engineering, project guidance, ethical hacking, feedback loops). Five percent of the resources should be allocated to relationship building (e.g., internal relationships with the legal group and external relationships with government, academia, and industry groups). Before you email to tell us activities we “forgot,” please note that these numbers are intended as a guide. The organizations we have talked with have allocated 60%-75% of their resources to compliance, 20%-30% of their resources to reactive activities, 5%-10% of their resources to proactive activities, and no resources at all to relationship building.

Create a Cyber Strategy Team

All CISOs need to put together an organizational team that will develop strategies to address cyber war, assets, adversaries, and adjustments. One member of the team, with authority, must be tasked with the ongoing adjustment of the strategy, the establishment of collaborative relationships with outside organizations, and the development of objectives to support the strategy. While this could be a yearly exercise, there must be a mechanism for monitoring the external environment and convening sessions to address urgent adjustments. This should not be simply an addition of a line item on a middle manager’s yearly objectives. It must be a serious, funded, supported effort. Organizations that have mature information assurance capabilities may find changing their focus and refactoring their processes difficult because they are well established. However, such organizations will benefit from the fact that they already have funded resources to apply.

Make Collaboration Happen

Government, academia, industry, and law enforcement must make a significantly better effort to cooperate and collaborate. This should include international participation. The entire globe has been struggling with these issues, and there is much to learn from successes and failures both inside and outside the US.

ENDNOTES

1 Parker, Donn B. Crime by Computer. Scribner, 1976.

2 “Report on Computer Crime — Task Force on Computer Crime.” American Bar Association Criminal Justice Section, 1984.

3 There are seven such working groups in total: Workforce Education & Training, Processes & Practices, Technology Tools & Product Evaluation, Acquisition & Outsourcing, Measurement, Business Case, and Malware.

4 Clarke, Richard A. Cyber War: The Next Threat to National Security and What to Do About It. Ecco, 2010.

5 Stiennon, Richard. Surviving Cyber War. Government Institutes, 2010.

ABOUT THE AUTHORS

Jeffrey A. Ingalsbe is a Department Chair at the University of Detroit Mercy in the Center for Cyber Security and Intelligence Studies, where he teaches, among other things, ethical hacking and incident response (master’s level). Mr. Ingalsbe directs a state-of-the-art cyber security lab, where students gain real-world competencies through exploration of cyber security problems. Until recently, he managed the IT security consulting group at Ford Motor Company, where he was involved in IS solutions for the enterprise, consumerization exploration, threat modeling efforts, and strategic security research. He holds a BSEE degree from Michigan Technological University and an MSCIS degree from the University of Detroit Mercy. He is currently working on a PhD in information systems engineering at the University of Michigan–Dearborn. Mr. Ingalsbe can be reached at ingalsja@udmercy.edu.

Dan Shoemaker is the Director of the Institute for Cyber Security Studies, a National Security Agency (NSA) Center of Academic Excellence, at the University of Detroit Mercy (UDM). Dr. Shoemaker is a well-known speaker and writer in the area of cyber security. He is a professor at UDM, where he has been the Chair of the computer and information systems program since 1985. He is also a visiting professor in cyber security at London Southbank University in the UK. His Ph.D. is from the University of Michigan in Ann Arbor. Dr. Shoemaker is Co-Chair of the Workforce Training and Education working group for the secure software assurance initiative within the US Department of Homeland Security’s National Cyber Security Division (NCSD). He is one of the earliest academic participants in the development of software engineering as a discipline, starting at the SEI in fall 1987. He is the coauthor of McGraw-Hill’s best-selling book on cyber security, Information Assurance for the Enterprise. He is also a prolific writer and speaker on cyber security topics across the nation. Dr. Shoemaker can be reached at dshoemaker1@twmi.rr.com.

Nancy R. Mead is a senior member of the technical staff in the Networked Systems Survivability (NSS) Program at the SEI. Dr. Mead is also a faculty member in the master of software engineering and master of information systems management programs at Carnegie Mellon University. She is currently involved in the study of secure systems engineering and the development of professional infrastructure for software engineers. Dr. Mead served as team lead for the initial Build Security In (BSI) website development and launch and later served as technical lead on the project. She also served as Director of Education for the SEI from 1991 to 1994. Mead has more than 100 publications and invited presentations and has a biographical citation in Who’s Who in America. She is a Fellow of IEEE and the IEEE Computer Society and a member of the ACM. Dr. Mead can be reached at nrm@sei.cmu.edu.

Wesley J. Meier is a graduate business and computer and information systems student at the University of Detroit Mercy (UDM). He serves as a graduate assistant for the College of Business Administration and Decision Sciences Department, is the President of the College of Business Administration’s Graduate Student Advisory Board, and is also a member of the President’s Council. Mr. Meier is a founding student member of the Global Jesuit Business Student Association Honor Society as well as Alpha Iota Delta, the International Honor Society in the Decision Sciences and Information Systems. He received his MBA from UDM in 2010. Mr. Meier can be reached at wesley.meier@gmail.com.