Information Assurance News Chum

As you’ve probably figured by now, I enjoy looking at the news and saving away articles for you. This morning (I’m not at work this week), a theme has emerged in the saved articles — computer security. So here are three articles related to my chosen field:

  • From the “Can They Afford It? Can They Afford Not To?” Department: The Sacramento Bee is reporting that the state of California has received $4.7 million in federal funds for cyber security projects and a statewide digital mapping system to improve emergency incident management. According to California’s CIO, this includes $2.35 million for her information security division to conduct a statewide cyber security risk assessment. California’s information security office is also getting $1.35 million for the domain name system project, which involves upgrading the technology behind state Web sites and communication addressing. The office will use its final $1 million to help Cal EMA develop geographic information systems (GIS) maps of critical infrastructure and other key locations statewide, such as command centers, shelters, vulnerable populations and gathering locations, to improve emergency responses statewide.

    My opinion: Of course, given my hobby website and what I do for a living, my dream has been that Caltrans would come to the ranch and contract us to do computer security for them. This isn’t quite that, but it is a good thing to see some funds going to secure California’s information infrastructure. Of course, they seem to only be using the funds for part of the problem: the engineering side of things. They need to learn from Caltrans, and remember that a large part of this is focusing on educating state employees and enforcing policies. I would also love to see California join the reciprocity movement and move to the use of the NIST 800-37/800-53 process.

  • From the “Cyber Year in Review” Department: The San Francisco Chronicle has a nice piece that looks back at the computer security attacks over the year. The article notes that, while the year didn’t see many technological leaps in the techniques employed, there was continued expansion of the reach of attacks to every corner of the Internet by leveraging social media, infiltrating trusted Web sites, and crafting more convincing and tailored scams. It noted that one of the most preoccupying trends was personalized attacks designed to steal small and medium business owners’ online banking credentials, and that the tactics changed only in the victims they targeted and their level of sophistication. The research director at SANS noted that criminals shifted the focus of their tactics from developing attack techniques to improving the social engineering of their scams. The article noted that it has become a common tactic for scammers to hijack Facebook accounts and post malicious links, or to hijack third-party applications such as PDF files and Flash animations. The article is well worth reading for the summary of attacks and the awareness it creates.

    My opinion: For many years I have been talking about applying traffic safety’s Four Es to Computer Security. This article makes clear the importance of that: we’ve been focusing on the engineering aspects of things, and neglecting the education. We need to be teaching about checking URLs and not trusting posted links. We need to have policies that enforce patch application so exploitable machines are closed quickly. This part isn’t rocket science (and I know rocket science, so trust me).

  • From the “Why It Works” Department: St. Louis Today has an interesting article on spam, and why it is growing. The article reports on a study that shows that 50% of Internet users have opened e-mail they thought was spam, and of those, 12% did it because they were interested in the product. Now, suppose a small percentage of those respond to the ad. Given the millions upon millions of Internet users, that adds up to a large number of responses… for a small investment in an Internet connection, an email account, and a list of email addresses. In short, you invest under $500, and can get back multiple times that amount for even a small response. So do you wonder why an estimated 85% to 97% of all email is spam? We get spam because it works. The article does a good job of separating the good bulk emailers from the bad ones, of indicating why spam is so hard to stop, and of providing some good tips to protect yourself.

    My opinion: Spam, like its paper counterpart, does have a minor use: it shows your email system is working, almost like a carrier wave. But that doesn’t really justify its cost in network traffic, annoyance, and risk. Yes, risk. Just as a number of people don’t recognize spam and open the email, some of this spam contains malicious links, and a small but significant percentage click on them… and the botnets spread. Unlike its paper counterpart, which you can safely read, spam can be much more dangerous. This goes back to the education point of the previous bullet.

Three very interesting articles, and three articles that demonstrate a significant shift in awareness that happened in 2009 (and in fact, over the last decade): computer security has gone mainstream, and has entered public awareness. Expertise in securing systems has grown in importance, and I think that the next decade will see the further growth in awareness that we must do something, that we must have awareness. Again, the analogy with traffic is proving apt: in the early days of driving, licenses weren’t necessary: the only people injured on the roads were those that did it to themselves. As the good roads and public roads movement grew, the need for traffic laws and enforcement grew along with the need for better engineered roads and emergency response. Similarly, as the Internet has become mainstream, Joe Q. User needs to be aware of the rules for safe use of the Internet and of the traffic laws.