The dogmas of the quiet past are inadequate to the stormy present.  The occasion is piled high with difficulty, and we must rise with the occasion.  As our case is new, so we must think anew and act anew.

-   Abraham Lincoln

I happened to catch an NBC story about Chinese hacking concerns:  They mentioned that a recent Washington Post report indicated that Chinese hackers had stolen information on more than two dozen U.S. weapons systems, to include the Patriot Missile system and the F35 Joint Strike fighter

After setting the background of hacks from nation states, the NBC report went on to note that in the emerging world of cyber warfare, it’s not just governments that pose large threats.  A Newsweek cover story “You’re Being Hacked,” quotes a ‘security analyst’ (in the NBC report’s words), who is quoted as saying:

“…a single individual is very capable of waging cyber war at a level we previously attributed only to intelligence agencies or crime syndicates.”

I.T. Wars made this point back in 2006, believe it or not.  What we’re talking about here is asymmetrical threat and force:  A single individual – vs. an entire country, for example.   Consider this extract and treatment from the book’s last chapter:

__________

Terror Attack:  Today, possibilities of comprehensive national catastrophe (to any nation) are no longer in the realm of Science Fiction, or held in abeyance through MAD (Mutually Assured Destruction, as during the Cold War).  We face extremely large harm from asymmetrical sources:  Sources that are weaker than their opponents in conventional terms.  They can’t compete through strength in numbers:  neither by membership; number of conventional arms; or even in the numbers of their sympathizers.  Their goals can be anathema to the vast majority.

But these asymmetric forces’ business and objectives (that which they’ll do, in support of their desired outcomes, respectively) are as strong as they can possibly be.  In fact, their business trumps any concern for survival of any specific individual of their own.  And, their objectives include the stated destruction of whole societies.  We must realize too, that with these groups, an effective internal check-and-balance on unreasonable actions diminishes rapidly as the size of the considered group diminishes.

However, tremendous will – even infinite will – means nothing without some form of power.  Today, power is moving closer – closing a divide – with this tremendous will of the relative few.  Soon, if not now, weapons representing delivery of catastrophic harm will be available to the few – no matter how vile their agenda, no matter how onerous their task in procurement.  Our argument here is not the specific “who” – that is not necessary in setting the awareness.  For the present, we can emphasize a keen awareness that asymmetric attack forces are closing a divide: Until recently, the achievement of their objectives was denied because of the simple divide between their will to dispense widespread destruction, and their means to do it.

It is reasonable to assume that once closing a divide between will and means, a complete dedication to “business” will be paired with extraordinarily damaging “technology.”  One group or another will “pull the trigger” once closing this divide.

[Extract, I.T. WARS, Ch. 21 - What's At Stake:  Lessons of the Business-Technology Weave, Copyright 2006 BookSurge Publishing]

______________

Hacking, and cyber warfare, by individuals certainly represents power and weaponry in the hands of the few.

Now, pair that extract with some BTW articles from earlier this year:  Seek out the ones that discuss hacking for sport, whereby a single individual takes down a company, or a bank, or a government agency’s ability to conduct its mission – for sport… and bragging rights.  Also consider the Competitor Hack (CH), first defined and branded here at BTW, whereby a single individual, either rogue or with company sanction, decides to disable a competitor by hacking into their business systems and bringing them down.  More here.

Once again, I like to propose solutions, and can refer the reader to my treatment of Disaster Awareness, Preparedness, Recovery (DAPR) -  vs. standard Disaster Recovery (DR).

It’s interesting to note that the general mainstream press and consciousness is catching up to warnings, concepts, and (hopefully) solutions that I debuted years ago, and again I refer interested readers to the concept of DAPR – it is a defined discipline whose time has come.

NP:  Herbie Mann at the Village Gate, 1961.  Check it.

First, recognize that social engineering is the biggest factor in personal breaches and matters of identity theft; the “grooming” of folks, getting them used to clicking on offers as distributed in e-mail, and even through social networking sites.  Children can be especially vulnerable.

Oftentimes job offers, or “You’ve won!” scenarios, have templates for fill-in.  If you’re not careful you, or perhaps children in your household, may end up divulging name, address, date-of-birth, and other highly sensitive information.

Be wary too of targeting that meets areas of your interest, yet is unsolicited.  Scammers rake social media websites and glean all sorts of info.  Avoid following your curiosity when assessing any unsolicited electronic contact with you, or your household.

Here are some tips – share them with younger people too:

1. Encrypt your home wireless network, for those that have them, and pay attention to security setups on iPads; iPhones; Androids; laptops; desktops, etc.  There are innumerable cases where people use others’ networks for the propagation of crimes – especially within large apartment houses and condominiums.
2. Generate strong passwords – forget pet’s names; tricks like reversal of D-o-B.  Use long passwords – consider 25 characters or more, as crazy as that sounds.  Many can be stored anyway.  The main liability with storage is, if you access an account on a device other than the one with stored password(s), you either may not remember it/them, or you’ll have quite a chore typing it/them in.  But the extra security is worth it – algorithms now can hack just about any password, but if a program takes too long trying to crack yours, it’s more efficient to move on to a more vulnerable one.  You can also use password generators/randomizers – just Google for that if you’re not familiar with the concept.
3. Update your anti-virus/malware programs regularly; set these to do auto-updates in background where possible.
4. Turn on personal firewalls.  Search Help for “personal firewall” – check to see what’s available in your operating system.
5. Consider using an Identity Protection program.
6. Seek recommendations from your workplace:  If you can check with your IT department, see if they have any suggestions for home protections.

Of course, on that last one, a good IT department will survey the user population for personal/corporate tethers anyway, and will perform their due dililgence in sewing shut this area of liability.  But, it’s good to solicit advice and updates anyway, as things can get overlooked quite easily, even in these terms.

Stay safe out there.

Well… I’ve frequently spoken about a new agility being necessary for organizations, and their subsequent ability to mount new security initiatives quickly, in response to fast-changing threats.  Happily, tomorrow, I’ll have an interview with the author of the book, “A to XP: The Agile ABC Book.”  Agile, as a discipline and a business process management practice, serves the threat landscape well:  It applies where the unpredictable is common; and where business processes cannot change quickly enough for necessary business practices.

But that’s tomorrow – back to mainstream awareness:  There’s a growing unease amongst the general populace regarding cyber attack, cyber terror, cyber war… and just hacks in general…  a burgeoning awareness.  There can perhaps be no better indicator of any particular thing’s ubiquitous nature than its inclusion to Late Night television fare.

The other evening, on “Late Night with Jimmy Fallon” (NBC), Fallon mounted a joke that shows just how mainstream cyber awareness has become:

“This is scary -  a new report shows that Chinese hackers could one day take out America’s power supply.  Or as that’s also known:  Pulling a ‘Beyonce.’”

This is an obvious reference to the recent power outage at the Super Bowl, and speculation that Beyonce’s half-time show taxed the stadium’s or region’s power capabilities, perhaps overloading equipment… or something like that.  (Whatever was the cause, they obviously need new, comprehensive, backup plans and systems).

But the awareness grows:  It’s now in the comic; economic; personal; and military realms:  General Jack Keane, former Vice Chief of Staff of the U.S. Army, and now a Fox News military analyst, states that the U.S. is “the best” when it comes to things such as hacking, cyber espionage, and related activities; that Russia is second; and that China is third.  However, according to him, China is “by far the most prolific,” stating that thousands of the People’s Liberation Army (PLA) members engage in cyber hacking daily, further assisted by civilian hackers and contractors – penetrating thousands of U.S. companies.

They have penetrated political, economic, and military intelligence realms, stealing related intellectual property – thus stealing technology and innovation to use in advancing their own economic interests.

At the same time, another far more local challenge exists:  Retail Cyber Attacks.  Retailers are targets of 45%  of all computer hacker attacks in 2012.  There are an estimated 79 successful cyber attacks a week on U.S. businesses.

36% of all targeted cyber attacks in the U.S. are aimed at small businesses.  Those are the very ones that cannot afford robust, up-to-the-minute, protections.  They also can’t afford to be without them.  A dichotomy.

Hand-in-hand with hacking go the flourishing underground industries that bundle together customer information; addresses; credit card numbers; PINs, and such, and utilize them – or sell them to other crime syndicates.

Consider:  A Subway breach had a compromise of data involving 80,000 customers:  Unauthorized transactions were made for 3 years on that data.

So we find that what’s turning out to be an omnipresent awareness for cyber vulnerabilities must be paired with a new agility:  Tomorrow, Ms. Karen Spencer will share with us her thoughts on Agile, as contained in her book.

Further, a tweet indicated that “the whopper flopped” and that BK had thus been sold to McDonald’s.  Several other tweets contained obscenities.

It’s not clear who hacked BK’s account, and I am not implying that it was a “competitor hack” (that is, it was not likely initiated by McDonald’s, or any potential rogue employee of that firm – although the Hamburglar’s criminal tendencies are well-established).

However, this hack has to fit squarely into one of two realms, and it provides a nice entrée to some new definitions for an evolving threat landscape.  Let’s create the concept of a “branded hack” that is unique to this forum – branded hacks that will be handles for discussion, and which will hopefully propagate for ease-of-discussion at orgs, with vendors, with media, etc.:  1)  Competitor-Hack (CH), and  2) Hack-at-Random (HaR).  This is a good opportunity to define these two types of hacks, for purpose of establishing exactly “where we are” in 2013, in getting to where we need to go – these definitions will likely evolve a bit:

New Definitions for New Realities

Competitor-Hack (CH):  This is a directed hack by a business competitor, with a business motivation:  The purpose of disrupting the competition’s ability to conduct competing business through harm to enablements (data, infrastructure, apps, etc.), or to cause damage to any specific competitor’s reputation (such as false Tweets, implanting of false content, false business positions, etc.).  These CHs can include political motivations, and political targets – they include any orgs and/or individuals who compete on some plane.

Hack-at-Random (HaR):  This is an attack that has more of a mischievous spirit as motivator.  Motivators can include humor, bragging rights, or even the preference of Big Macs over Whoppers, or Whoppers over Big Macs – but generally speaking, the people mounting these are not employees or formal representatives of the organizations in question – they are people who mount trouble for sport and fun.

Recognize this:  In discussing cybersecurity a few articles ago, as contained in this post, and as indicated in another post’s matrix, I mentioned that organizations would have to guard against CHs from business competitors.  I also debuted the concept of HaR.  It is easy enough for me to envision these things coming, as immodest as that may sound:  In the realm of risk, unmanaged possibilities become probabilities.

It is easy enough to see that risk is being compounded by three fundamental things that are being driven to everyone:

1)       Power

2)      Affordability

3)      Capability

Ever-more power, affordability, and capability are being driven to very modest “players” and devices.

Ever-more robust hacking tools will be available on rogue “gaming” sites, and the business and sport of hacking is going to explode.  Watch for it – and be positioned to guard against it.

The various BizSecs will have their work cut out for them.  Hacks-at-Random (HAR) will become a nuisance at minimum; a business-ender at maximum.  Nefarious mischief makers will take down organizations for sport.  Those orgs that do not maintain the most forward-edge, vigilant, protections will be victims:  That is simply how it will be.  Organizations will also openly discuss potential cyber attack from larger forces, for sized and proportioned positionings (We’ll be discussing these, and how to get positioned, in upcoming posts).

Perhaps an early sign of new awarenesses and realities concerning cyber and related securities will be the end of above ground electrical grid considerations.  Watch for “telephone poles” to disappear in the coming decade – at least in certain areas, particularly Washington, DC.

Wires and related infrastructure will go into underground, hopefully EMP-proof, conduits.

A corresponding example is potent:  After recent hurricanes, there were calls for the burying of electrical lines and cables – when you think about it, above-ground lines, poles and towers seem positively archaic – they’re so “last century.”  In fact, above ground infrastructure does date back to the very beginning of the last century – and it is quite plainly woefully out-of-date.

Placing this infrastructure underground removes the liability of damage and disablement from weather; such as hurricanes, or just high winds (any corresponding consideration of risk from earthquakes is offset by the fact that above-ground poles would likely fall anyway – and earthquake damage will simply require cleanup and reconstitution of infrastructure as normally performed).

A comprehensive plan to protect lines through a grid of underground conduits should be a national plan, much like the interstate highway system was.

This project and progression is already being discussed within the Federal government.

NP:  Talk is Cheap, Keith Richards, original LP

Outside:  What are the modern organization’s possible contributions to surrounding outside public enablements and related security there?  [Think:  electrical grid; communications; infrastructure such as roads, etc.]

Inside:  What are your new requirements concerning internal controls and security measures?  [Think:  Malware comprehensiveness and timeliness; firewalls; education, etc.]

In advancing the discussion, recognize that any modern organization with reliance on electronic enablements, applications, processing, content, and the dynamic flow of information, is vulnerable due to both outside liabilities, and inside liabilities.  But further, the organization will face threat with two other distinct characteristics.  There will be national threats (originating outside) that impact inside – and there will be local threats, also with corresponding inside impacts.  Further, there will be your own inside perils, due to deficiencies, deliberate harm, or human error.  We can evolve the following matrix over time for a more comprehensive understanding… and for the taking of appropriate (affordable) action:

Nation-states:  The organization is vulnerable to national threats, as delivered by outside nation-states, both formal ones such as China, as well as virtual “nations” of thought or philosophy or action, such as al-Qaeda.

If you believe the “local” organization – that is, yours – is not susceptible to large cyber threats… read on…

It’s been reported recently that the President of the United States could order a pre-emptive cyber strike if a major cyber plot was detected and deemed credible.  We’re talking about a cyber plot as mounted against the U.S. by a foreign and hostile country or entity.  (In fact, tonight’s (2-12-13) State of the Union address is going to contain mention of cyberwar as a national threat).

This reportage is not in the context of President Obama potentially ordering, or considering, such a strike:  Rather, this was a discussion for the legalities of any president, now or future, for ordering such a strike.  In other words, a general legal and Constitutional question, and potentials for action.  In this regard, The National Intelligence Estimate, considered the intelligence community’s most authoritative document, has been updated and is commissioned to focus on cyber security, with special focus on Iran, North Korea, and China.

Orgs close for inclement weather – will they close for inclement cyber conditions?

So, we’re plowing new ground – and, like it or not, considerations of large-scale cyberwarfare will come to the organization much as considerations of weather do (such as when to close early, when to close entirely, who makes those determinations, etc.)  Consider:  Will there come a day when a specific national or regional CyberThreat is deemed so high that specific geographic areas are advised to shut down computer systems, in order to take them offline and to remove their vulnerability until the threat is successfully resolved?  Computers, critical content, access to apps, and the dynamic flow of information, are necessary to virtually everything we do today:  Banking, commerce, travel, education.  Technical enablements sustain our power grid; any damage to that cascades to critical areas mentioned in the last few articles here.  If national or regional authorities believe some measure of systems supporting the power grid are in a window of vulnerability, might local power “go out” for a period of time?  (Much as it does following a bad storm).

So what are the boundaries by which we can execute cyber operations?  How “preemptive” are we permitted to be?  Former CIA deputy director John McLaughlin says that this is a “new arena, a new frontier, where people can move with stealth, agility, and invisibly.”

The difficult part of “invisibility” is that an enemy can attack, cause great harm, and escape liability or penalty, which in-turn makes it difficult for the attackee to respond, and to mount protection from continued attacks.  See how the removal of a MAD scenario exacerbates the threat (one article down, or here).

As to perils to the local organization, we’re already seeing large, private, high-profile targets being hit:  The New York Times said Chinese hackers had compromised their computers, stealing employee passwords a few weeks ago.  Same for the Washington Post and Wall Street Journal, as they reported similar incidents.

Twitter recently said that 250,000 accounts may have been compromised.  A breach at the Department of Energy came to light when employees were notified that servers had been compromised at their headquarters.  There have been numerous denial-of-service attacks on U.S. banks.

Large, high-profile, organizations and their associated vulnerabilities are pretty well understood inside of those orgs.  But what of small-to-medium business?  SMB is particularly vulnerable.  But beyond nation-states wreaking large-scale harm, SMB faces both inside and outside threats.  Where are their meager resources best-leveraged?

Understanding the problem will advance our discussion in the coming days…

Of course, there’s the nuclear component, and concomitant fear.  But hopefully the MAD policy still provides some measure of protection:  Mutually Assured Destruction.  In MAD, the theory is that if the U.S. or any country and its allies find that their forward-sensing intelligence probes have noted a missile launch, they could then launch their own volley toward the aggressor – each’s missiles traversing and crossing to their respective destinations and  -

BOOM! –  both countries would lose – so why start?

But things aren’t quite so clear with cyberwarfare.  Malware can wreak its destructive vengeance, and then clean up after itself! – hiding its originating trail.  Removed is a certain MAD component, opening the way for all sorts of attacks – perhaps… and it’s not just peril from large-scale wars between countries:  Let’s not forget or discount another cyberwar possibility:  In the future, who’s to say that simple business competitors might not unleash a cyberattack against companies in their market?  It is foolish to discount this possibility.  It may already have happened.

Let’s also consider a recent event:  One minute you’re enjoying a game, the next, half the stadium is dark.  Ok, I’m not a conspiracy theorist, but I couldn’t resist a poke at the recent Super Bowl lighting problem.  Now that many of us have thought about it, though, it well could have been a (relatively harmless) test-hack performed by a country.  For that matter, it could have been a kid in his bedroom.   Nah.  Still…

Here in America over the past couple decades, the Pentagon and a few intelligence agencies have shared power in deploying cyberweapons.  I believe the actual “trigger” for this deployment required Presidential authorization.  The highest profile cyber attack was, perhaps, the strike on Iran’s computer systems that run their nuclear enrichment facilities.  However, we ain’t seen nothin’ yet as far as cyberwarfare’s actual potential.  Potentials of cyberwarfare cannot be ignored – countries not only must safeguard against it; they must envision their use of it (sadly), in staying competitive on the modern, virtual, battlefield – in tandem with the physical one.  And, cyberwar’s yield is hardly just virtual:  For example, removing any measure of a country’s electrical grid would yield catastrophic “real-world” results -

Imagine:  disrupting computers controlling train travel; resultant derailments, to include not only direct crash-related deaths, but the release of toxic chemicals due to crashes.  Attacks on water treatment plants, causing illness and death.  Crashing of the power grid; homes and businesses without power; rotting food, lack of potable water.  Entire industries idle.  Disruption of major media, and critical denial of wartime information, and what to do in terms of safety.  Removal of power would also inhibit basic 911-type emergency response –prioritizations of emergency activity would revert to “line of sight.”   The list can go on and on…

Let this be a call to government and private sector/innovator alike:  We need hardening of critical key infrastructure, and the securing of all electronic enablements.  We must begin building to “cyberproof” standards… or at least, make the best attempt.

In the coming days, we’ll examine what the emerging responsibilities are for organizations:  Your “local” scope of responsibilities and duties is fairly clear, and hopefully covered in your Security, Acceptable Use, and related policies and plans…

So, vis-a-vis cyberwarfare:

Outside:  What are the modern organization’s possible contributions to surrounding public enablements and related security there?

Inside:  What are your new requirements concerning internal controls and security measures?  Stay tuned…

NP:  Gerry Mulligan Meets Stan Getz, original LP, Verve, MG V – 8249

Beyond the sole-harming event type of experience, the insertion and ongoing residency of malware has to be considered.  This represents a particularly gnarly problem, because ongoing control regarding systems can be manifested – and it may continue in the absence of an organization’s knowledge for quite some time – until various harming incidents stack up, or an accrual of thefts occur, until they gain a profile that bites hard enough to be noticed.

Resident malware can execute its code for particular outcomes, and recognition of these helps to monitor for them.  In the next days, we’ll take a look at three basic types of malware:

Nuisance (perhaps delivering marketing-oriented spam, or provide for spying, etc.)

Controlling (to provide “back door” access, or takeover of systems by remote control)

Destructive (perhaps to destroy data, or plant false content, to harm reputation of the host.  Destruction can also be used to remove evidence of intrusion).

NP:  Joshua Redmond; Freedom in the Groove

- Exploration, or scouting, for potential targets: Breaching entities here are searching for networks and systems that have vulnerabilities. These vulnerabilities can include easily breached or guessed authenticating credentials, outdated and susceptible software, and missing or misconfigurated settings for both software and hardware. Recognize that in addition to hard, empirical, soft spots – such as easily hacked firewalls or default/too-simple login credentials, there is the liability of simple human failing. This is going to include an exploration for naiveté regarding phishing; that is, fraudulent e-mails that solicit sensitive data by posing as legitimate enterprise e-mail/authority. Also pharming, whereby fraudulent websites that pose as legitimate partnering/enhancing entities can glean registration, and thus make solicitation of sensitive data. Be aware too that once an outside entity establishes a relationship, any manner of “legitimate” download can be recommended and thus penetration made.

- Taking stock goes hand-in-hand with exploration, in expanding the knowledge gained regarding vulnerabilities. Correlation of known bugs regarding the software surveyed during exploration happens. Human error can be paired with what that person has access to, and breaching entities can then reference other people and specific knowledge in looking legitimate to others… climbing a ladder of access, into ever more rarified and sensitive circles…

- Penetration can be for any of the purposes mentioned in the day’s prior article, but also it can be to perpetrate simple Denial-of-Service (DoS) attacks, which will not only render networks and sites inoperable, but can also crash business reputation.

Next: The introduction of malware to the environment…

Most people think of cyber crime as identity theft, for purpose of stealing money from online accounts, or perhaps in order to pose as someone else online for whatever reason.  Cyber bullying comes to many people’s minds  That, and outright “hacks” into systems by breaching electronic perimeter defenses, and then exploiting whatever resources are within for the taking.

But there are a number of other nuances.  Routine “spam” is bothersome, but spam also incentivizes other cyber-crime.  Disseminators of spam aren’t particularly interested in paying for their own processing, broadband, and propagation means and infrastructures – and that’s where you (the individual or organization) comes in.  If you’re insecure enough (from a systems and security perspective) to host, automate, and blast spam, then there are plenty of entities out there surveying for you and your associated vulnerabilities.

Credit fraud is big.  A simple keystroke monitor can glean your, or an organization’s, credit card number and authenticating credentials – and away they go.  Recognize that your SSN, address, bank account numbers, and all manner of other info and online accounts can be breached.  Ouch.

There’s also the use of networks and resources for piracy, and the illegal transfer of data and information.  You don’t want your company’s resources used for illegally passing music transfers, or other copyrighted material, for example.  Nor do you or your organization want to be in the middle of electronic money laundering operations or tax evasion schemes.

Certainly government agencies are aware of cyber-terrorism, which can involve access for theft of secrets, flooding and disabling of critical systems, and breakage of systems through intrusion of malware.  Too, false-information can replace legitimate content, confusing those people who rely on these sites for best information, best practices, and  thus there is the subsequent hindering of allied cooperation between supporting/reinforcing agencies.

In 2013 and beyond, the stakes are too high to ignore the first step toward best-security postures:  Modern Awareness.

For our first take-away in this series, recognize that Everyone with online presence should be a Security Officer of sorts.  So, next, we’ll get to an awareness for both individuals and orgs.