Archive

Posts Tagged ‘Cybersecurity’

Obama’s cybersecurity plan gets cautious praise

June 1st, 2009 Brett A. Scudder No comments


The challenge will be to get various interests working together

Jaikumar Vijayan | http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133687  

May 29, 2009 (Computerworld) President Obama’s plan for securing cyberspace and his creation of a new White House cybersecurity coordinator are being greeted with cautious optimism within the security industry.

Many see the strategy as a sign of the administration’s willingness to recognize cyber threats as a national security issue. But until details are fleshed out, it’s hard to know just how far it will go in bolstering the nation’s ability to deal with cyber attacks, they said.

At a White House briefing, Obama described a five-pronged cybersecurity strategy for defending government, military and private sector networks against threats from what he said is a growing number of bad actors. He noted that the new cybersecurity coordinator will be responsible for pulling together a national strategy for securing American interests in cyberspace and stressed that the government would safeguard privacy concerns. (The new office will include a privacy officer.)

Obama’s proposals had been widely expected and are based on the recommendations from a government-wide review of cybersecurity undertaken at his behest by Melissa Hathaway, a former Bush administration aide whom he appointed as acting senior director for cyberspace earlier this year.

“I was encouraged to see that the [Hathaway] report got presidential support today — that’s critical to the success of any program,” said Patricia Titus, the one-time chief information security officer at the Transportation Security Administration (TSA) who now holds a similar job at Unisys Corp.

The challenge for the Obama Administration is to actually implement the proposals in a meaningful way, Titus said. A lot will depend on the relationships the new cybersecurity coordinator can build and the kind of influence he or she can exert across government and the private sector, she said.

While centralizing authority for cybersecurity matters in the White House can have benefits, care needs to be taken to maintain a balance of power, she said. “We need to make sure that no one is pushing the red panic button without making sure there are other individuals in the decision-making process and at the appropriate levels to get input from,” she said.

Obama did a “great job” of summarizing the cybersecurity threats the nation faces and the approach that’s needed to resolve them, said Scott Charbo, former deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security (DHS).

Especially encouraging is the president’s focus on setting specific milestones and on ensuring accountability within government, said Charbo, who is currently director of cybersecurity at Accenture. Obama’s apparent plan to give the new cybersecurity coordinator a greater say in ensuring that federal agencies are investing adequate resources in cybersecurity is also a very positive step, he said. But successfully moving forward on a White House-led cybersecurity effort will require a “cultural transformation” by government agencies.

“I think everyone is anxious to understand who the cybersecurity coordinator will be,” Charbo said. “It needs to be someone who can listen to new ideas. It needs to be someone who is focused on outcomes and on metrics.”

Ensuring that all of the right players are at the table when developing a national cybersecurity strategy will be key, added Billy O’Brien, former White House director of cybersecurity and communications systems policy. O’Brien is now an analyst at Deloitte.

To date, government officials, defense organizations and the DHS have all been working on disparate missions when it comes to cybersecurity. Getting everyone working together can be a challenge, he said.

The mission of the intelligence community, for instance, is to intercept an attack using the cyber infrastructure; the DHS is supposed to protect critical infrastructure; the Department of Defense has defense-and-attack authority; and the White House has coordination authority. The question that will need to be asked is whether “all of the right players are at the table or if there is a need to add more,” O’Brien said.

Also key: figuring out how to ensure that the private sector is “holding up [its] end of the deal” when it comes to the critical infrastructure in private hands, he said.

Enrique Salem, the CEO of Symantec Corp., said in a statement that the decision to re-establish a strong White House role for cybersecurity is “gratifying.” The last executive to have a cybersecurity role in the executive offices of the president was Richard Clarke, who was special advisor on cybersecurity to President George W. Bush when he retired in 2003.

In the six years since, cyber security oversight and involvement has moved from the White House to other government agencies, even as cyber attacks have grown to the point where they are now a “full-blown threat to national security and commerce,” Salem said.

“The coordination must come from the White House level to address the situation and to provide focus on the global nature of this problem,” he said.


Obama calls for better security for computers

May 29th, 2009 Brett A. Scudder No comments


http://www.usatoday.com/news/washington/2009-05-29-obama-cyber-security_N.htm 

WASHINGTON (AP) — The United States has for too long failed to adequately protect the security of its computer networks, President Obama said Friday, announcing he will name a new cyber czar to take on the job.

Surrounded by a host of government officials, aides and corporate executives, Obama said this is a “transformational moment” for the country, where computer networks are probed and attacked millions of times a day.

“We’re not as prepared as we should be, as a government or as a country,” he said, calling cyber threats one of the most serious economic and military dangers the nation faces.


He said he will soon pick the person he wants to head up a new White House office of cyber security, and that person will report to the National Security Council as well as to the National Economic Council, in a nod to the importance of computers to the economy.

While the newly interconnected world offers great promise, Obama said it also presents significant peril as well. The president declared: “Cyberspace is real, and so is the risk that comes with it.”

Laying out a broad five-point plan, the president said the United States needs to provide the education required to keep pace with technology and attract and retain a cyber-savvy work force. He called for a new education campaign to raise public awareness of the challenges and threats related to cyber security.

He assured the business community, however, that the government will not dictate how private industry should tighten digital defenses.

Government officials have grown increasingly alarmed as U.S. computer networks are constantly assailed by attacks and scams, ranging from nuisance hacking to more nefarious probes and attacks, including suspicions of cyber espionage by other nations, such as China.

Obama noted that his own computer system for the presidential campaign at one point last year was compromised by hackers, but said the security of the names and financial information on contributors was intact.

Copyright 2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


US cybersecurity proposals upset lobby group


Worries about interfering feds.

Grant Gross, IDG News Service
05 May 2009 |
http://www.techworld.com/security/news/index.cfm?newsID=115381

Recent cybersecurity legislation introduced in the US Congress seems to be creating a split in the tech community.

Some security vendors say new regulations may be necessary, while a major tech association said it has major concerns about the legislation, called the Cybersecurity Act.

The legislation, introduced April 1, would require US President Barack Obama to develop a national cybersecurity strategy, create cybersecurity standards that some private companies would have to follow, and allow the president to shut off Internet traffic to compromised federal and privately held networks that are part of the US critical infrastructure.

Those provisions of the bill raise major concerns with TechAmerica, a giant trade group that represents a wide range of technology companies, Phil Bond, president of the organisation, said Monday. There are parts of the bill TechAmerica supports, but giving federal officials the power to shut down private networks may be going too far, he said.

Granting such authority “requires a whole lot of discussion,” Bond said. “It gives us great pause to think a federal official would be able to shut down a private network.”

The bill, introduced by Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, also gives new cybersecurity authority to the US Department of Commerce, when some of that authority already exists elsewhere, said Liesyl Franz, vice president of information security program and global public policy at TechAmerica.

The bill would give the agency power to license and certify cybersecurity professionals, and TechAmerica has questions about how that would operate, she said.

The bill’s authors have indicated the legislation is a starting point for discussion, and TechAmerica will engage in that discussion, Bond said. Instead of new cybersecurity mandates, the government and other groups need to do more education about why private companies should invest in cybersecurity, TechAmerica officials said.

Some small companies still may not understand the need for cybersecurity measures or have the money to buy tools, Franz said. TechAmerica called for the US government to initiate a nationwide dialogue about cybersecurity, and the bill does include money for federal cybersecurity research and development and for regional cybersecurity centers.

The trade group could support some new regulation on a “case-by-case basis,” Bond added.

But just hours after the TechAmerica briefing, CEOs of two major cybersecurity vendors said some new regulation may be necessary. John Jack, president and CEO of Fortify Software, and Philippe Courtot, chairman and CEO of Qualys, both suggested the US government could come up with broad standards that private industry should follow.

The government should not mandate specific technologies but it could act as a “catalyst to show the way,” said Jack, speaking at the Fortify Leadership Summit in Washington, D.C.

The US government could also “elevate the bar” for IT vendors by enforcing security standards, but creating effective legislation would be difficult, Courtot added.

“The problem is that the technology is moving so fast,” he said. “It’s easy to say, it’s harder to do.”

Also speaking at the summit, former US Secretary of State Colin Powell urged cybersecurity vendors to secure data but not lock it down so tightly that it is useless. The US, in the wake of the 11 September terrorist attacks, locked down airplane travel and foreign visas so tightly that many foreign students were discouraged from coming to US universities, he said.

With IT security, organisations still need to use data. Cybersecurity needs to serve organisations’ operational needs, he said.

“We need to do security in a reasonable way,” Powell said.

This article was printed from Techworld : www.techworld.com


TITSSN launches its Technology / IT Security Social Network which is now live and open for membership. Please join us for some good education and awareness

Good day to you,


On May 1st 2009, TITSSN answered the call to provide a converged resource for the online training, education, awareness and resources needed to address the technology and security issues and challenges facing us today and tomorrow. As leaders in this field we understand the challenges of the day-to-day management, learning and happenings of these threats and their impacts. While countries, companies and organizations fall victim to these attacks, industries suffer losses of revenue, privacy and productivity, and people feel and see the real effects of a world in which the internet brings us together as a globally connected network filled with valuable resources. Resistance is futile: it is everywhere and is not going away.


We are still not seeing enough being done to educate people across the board and make them aware of these issues and their true impacts and so we’re taking the network to a higher level towards this initiative.


IT Security is a people problem, not an industry one and as such must be addressed effectively and accordingly.


So it is for this reason that we chose to build a social community to address these things together and to provide the training, education and awareness through the people who can speak of and about them at all levels: those who develop them, those who sell and support them, those who are out in the field fighting the good fight to prevent, mitigate and stop the growing rates of infections and compromises, and those who want to learn more about being safer and more secure, together in one place. This is a work in progress; as we grow, we’ll learn and adjust to the need for changes. This is what we do on a daily basis as TITSSN continues to deliver its messages of security education, training and awareness now for a more secure future. We will be moving our operations into the social network immediately to help enhance the collaborative values, resources and functionalities.


The IT Security Suite Network’s Technology / IT Security Social Network is a place where people come together to create a vibrant, resourceful, strategic and secure social atmosphere of networking, training, education, awareness and collaboration for, on and about technology and securing them.


We invite you to participate in the full functions and features of our network as we build on it to enhance its values and mission for the future. We ask that you share the word with your associates, friends, peers and everyone that is interested in the world of security and being more comfortable and secure in it. This network is specifically geared towards technology, IT Security and everything in and about it.


The focus of this social network is to build greater education and awareness and to provide the services and support needed to maintain the secure presence and stability of all infrastructures (homes, businesses of all sizes and types, schools, churches, etc.) for all. Everyone is affected at all levels, so we must cultivate an open, concerted atmosphere to address issues effectively. We look forward to your participation in this effort as a leader, contributor, reader, advisor or just a member wanting to learn more. Please adhere to the policies and rules of the network so that all may find common ground to collaborate on.


The network’s address is http://titssn.org.


Features include:


Real-time chats

Blogging

Audio/Video/Text IM

Discussion groups

Polls

Events calendar

Products/Solutions recommendations

Featured products, people, service providers

Our own publications (recommendations, best practices, guides, reports, findings and educational info)

And much more.


Discussions and groups that are up and running:


Application Security – developing secure applications and standards

Breach Notification Laws – country/state laws

Business to Business IT Security “BtBITS” – businesses protecting each other’s interests

Cloud Computing/Security – Issues, concerns, development, education and awareness

Computer Forensics – Data and Network

Cybersecurity – myths, issues, concerns, development, education and awareness

CyberWar – on, about, awareness, information, collaboration

Data Security – securing the data/information

DCITSUG – Washington DC IT Security Users Group

Emergency Security Response Program “ESRP”

Endpoint Security – What are they, why they are vulnerable and how to protect them

Hacking Unleashed – Ethical/Unethical – the world of hacking

I-CON Science and Technology Conference

Identity Theft – prevention, support and solutions

Incident Response – What happens when something goes wrong/bad?

IT/Security things/issues that make you paranoid

IT Security Best Practices – General

IT Security Facts and Myths

IT Security Leaders

IT Security Requests and Support

IT Security Service Providers ~ITSSP~

IT Security Training and Development – General

IT Security in our educational institutions – curriculum upgrade

Microsoft Small Business Server Security – Securing the server and components

Mobile Security – securing the mobile users/devices and the data they host

Managed Security Services Providers “MSSP”

NYeWin – New York Enterprise Windows Users Group

NYITSUG – New York IT Security Users Group

NYSBS – New York Small Business Server Users Group

Online Security – Securing your online experience

OWASP – Open Web Application Security Project

PAITSUG – Pennsylvania IT Security Users Group

PC Security at home

Perimeter Security – securing the perimeter

Physical Security – a critical part of your security model

Ready Rockaway – Disaster/Emergency Preparedness

Small Business IT Security – securing the small businesses

SPEAK – Security Professionals Engaged in Advanced Knowledge

Social Networkers United – the future belongs to us

Social Networking – security, trends, myths and best practices

TITSSN’s Adopt an Institution Program – ~AaIP~

TITSSN’s Code of Honor – Advocates for the future of professional Messaging

TITSSN’s Code of Honor – Advocates for the future of IT Security Education and Awareness

TITSSN’s ENGAGED ~ENabling Greater Awareness, Growth and Educational Development~

TITSSN’s General Network Members

TITSSN’s IT Security Community Outreach Program ~COP~

TITSSN’s IT Security Scholarship Program ~ITSSP~

TITSSN’s Secure Medical Protection Program ~SMPP~

TITSSN’s Secure Mobile Professionals Network ~SMPN~

TITSSN’s Secure Minds Initiative

TITSSN’s Small Medium Business IT Security Summit ~SMBITSS~

TITSSN’s Windows 7/Vista SP2/Windows Server 2008 SP2 Testing and Development Group

The Compliance Suite (Regulatory/Non Regulatory)

The Framsyn Initiative

The IT Security Threats Landscape ~TITSTL~

The Privacy Suite – it’s all about privacy

Viral Outbreaks – containment, response, prevention

Viral, Spyware, Malware Detection and Removal – the growing trends

Voices of IT Security

Wireless Security


Government Security Mandates, Protocols, Policies and Response


US – CERT – United States Computer Emergency Readiness Team

US – CIA – Central Intelligence Agency

US – DHS – Department of Homeland Security

US – FBI – Federal Bureau of Investigation

US – NSA – National Security Agency


These are just a few of the topics, issues and groups that are available as we start off on this journey together and when you join us, you too can add to what is there if there is something of interest that is missing.


We look forward to your support and we know this will be of great value for you.


Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.


~Brett A. Scudder~

The IT Security Attaché


New York State raises the bar for end user security training

April 29th, 2009 Brett A. Scudder No comments

This story appeared on Network World at http://www.networkworld.com/news/2009/042709-user-security-phishing.html  


By Lynn Haber , Network World , 04/27/2009

New York State is extremely concerned about phishing in general, and more specifically spear phishing, highly targeted phishing attacks designed to penetrate organizations, government agencies and groups.


Beginning in 2005, the state Office of Cyber Security & Critical Infrastructure (NYS-CSCIC) along with the Anti-Phishing Working Group, AT&T, and the SANS Institute ran its first antiphishing pilot project.

The goal was to raise employee awareness of the danger of phishing scams and to provide employees with information to help protect themselves and the agency. The project was also designed to gain a better understanding of the effectiveness of security training.

The first exercise was conducted with 10,000 end users who were unaware of the project. The first step was to distribute an informational bulletin alerting users to the perils of phishing and providing steps to take if they encounter malicious activity.

Next, the mock phishing scam exercise involved sending an e-mail to the group that appeared to come from a legitimate source, the agency’s Information Security Office, and contained a link to a NYS-CSCIC Web site that recipients were instructed to visit to check the security of their password.

If they clicked on the link and attempted to type in their password they failed the test. While 17% followed the link, 15% of the e-mail recipients attempted to interact with the fake password form.

Those individuals who passed the test received a congratulatory message; those who were duped were directed to a tutorial on how to be aware of phishing scams.

Another mock phishing exercise was conducted on the same employee audience two months later. The goal was to assess if they learned anything from the first exercise. This time, employees were sent an e-mail that appeared to come from the agency’s Help Desk with a subject line that read “Internet Connection Problems.”

The e-mail informed users of Internet connection outages because of a suspected cybersecurity event, and contained a link to a dummy NYS-CSCIC Web site where they were asked to assist the agency by answering some questions about connectivity issues.

Those who followed the link and attempted to answer questions were notified that they fell prey to the exercise and were given a feedback survey to explain their actions. Fourteen percent followed the link but only eight percent attempted to input information.
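One way to score the two exercises described above, as an added example that is not code from NYS-CSCIC, the article, or any of the partners it names; the log format, the "click"/"submit" event names and the 10-recipient audience are constructed assumptions:

```python
"""Outcome scoring for a mock-phishing awareness exercise (added example).

Given the audience size and a log of tracking events from the decoy page,
classify each recipient, compute the two rates the article reports
(followed the link, interacted with the form), pick the follow-up each
person receives, and compare a later round against the first one.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one tracking event per line, "<round>,<user>,<event>".
# "click" = opened the decoy link; "submit" = typed into the fake form.
# u003 submits twice (counted once); u004 has a submit but no click event.
SAMPLE_LOG = """\
1,u001,click
1,u001,submit
1,u002,click
1,u003,click
1,u003,submit
1,u003,submit
1,u004,submit
2,u001,click
2,u002,click
2,u003,click
2,u003,submit
"""

AUDIENCE = 10  # constructed: recipients of the mock e-mail in each round


@dataclass
class RoundResult:
    audience: int
    followed: set = field(default_factory=set)   # reached the decoy page
    submitted: set = field(default_factory=set)  # interacted with the form

    @property
    def follow_rate(self) -> float:
        """Percent of recipients who followed the link."""
        return round(100.0 * len(self.followed) / self.audience, 1)

    @property
    def submit_rate(self) -> float:
        """Percent of recipients who attempted to input information."""
        return round(100.0 * len(self.submitted) / self.audience, 1)

    def outcome(self, user: str) -> str:
        if user in self.submitted:
            return "submitted"
        if user in self.followed:
            return "followed"
        return "untouched"

    def follow_up(self, user: str) -> str:
        """Only a form submission fails the test, as in the NYS exercise."""
        return "tutorial" if user in self.submitted else "congratulations"


def parse_log(text: str, audience: int) -> dict:
    """Build one RoundResult per exercise round from the tracking log."""
    rounds = defaultdict(lambda: RoundResult(audience))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {raw!r}")
        rnd, user, event = parts
        result = rounds[int(rnd)]
        if event == "click":
            result.followed.add(user)
        elif event == "submit":
            # A submission proves the page was reached even if the click
            # event was never logged, so count it for both rates.
            result.followed.add(user)
            result.submitted.add(user)
        else:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
    return dict(rounds)


def compare_rounds(first: RoundResult, second: RoundResult) -> dict:
    """Change in percentage points between two rounds on the same audience."""
    return {
        "follow_rate_delta": round(second.follow_rate - first.follow_rate, 1),
        "submit_rate_delta": round(second.submit_rate - first.submit_rate, 1),
    }


if __name__ == "__main__":
    rounds = parse_log(SAMPLE_LOG, AUDIENCE)
    for n, r in sorted(rounds.items()):
        print(f"round {n}: {r.follow_rate}% followed, {r.submit_rate}% submitted")
    print(compare_rounds(rounds[1], rounds[2]))
```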

William Pelgrin, chief cybersecurity officer and director, NYS Office of Cyber Security & Critical Infrastructure Coordination, Albany, N.Y., was pleased with the results of the phishing exercise.

“Cybersecurity awareness is about cultural change, repetition of exercises like the scam phishing, help,” he says.

In early 2008, NYS-CSCIC rolled out a standalone 10-module computer-based security training program that included interactive exercises, such as the scam phishing program. The introductory, non-technical course also includes modules on security accountability, social engineering/phishing, security threats and other issues that end users need to be aware of.

Later that year, a server version of the same training program was made available to state and local governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

This year, NYS-CSCIC will conduct more periodic, automated, interactive exercises, in a manner similar to the phishing pilot, in its efforts to create a culture of security through experiential learning.

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com


New ransomware holds Windows files hostage, demands $50

March 26th, 2009 Brett A. Scudder No comments

‘Sobering’ turn by crooks ‘doesn’t bode well,’ says researcher
Gregg Keizer

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=NLT_AM

March 25, 2009 (Computerworld) Cybercrooks have hit on a new twist to their aggressive marketing of fake security software and are duping users into downloading a file utility that holds users’ data for ransom, security researchers warned today.

While so-called scareware has plagued computer users for months, those campaigns have relied on phony antivirus products that pretend to trap malware but actually only exist to pester people into ponying up as much as $50 to stop the bogus warnings.

The new scam takes a different tack: It uses a Trojan horse that’s seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the malware swings into action, encrypting a wide variety of document types — ranging from Microsoft Word .doc files to Adobe Reader PDFs — anytime one is opened. It also scrambles the files in Windows’ “My Documents” folder.

When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semiofficial notice from the operating system. “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads.

Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.

“This does look like a new tactic,” said David Perry, the global director of education at antivirus vendor Trend Micro Inc. “But all online fraud is just minor variations of classic con games. This is just the ‘Bank Examiner’ played out on the Internet.”

That classic con, said Perry, typically involves a swindler posing as an official, a bank examiner or an FBI agent who asks for help in an investigation. The swindler convinces the mark to withdraw money from the bank — it’s needed to catch the nonexistent crook in the act — and promises to return the funds at the end of the case. Of course, the money vanishes, along with the grifter.

On the Web, data-hostage scams like this are called “ransomware” for obvious reasons. This isn’t the first time the tactic has been used, but it is remarkably polished, said Perry. “We’ve not seen ransomware with this level of sophistication,” he said.

Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan horse. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.

Alex Lanstein, a malware researcher at FireEye who blogged about FileFix Pro 2009 last week, called the turn from scareware to ransomware “sobering.”

“Although we broke the encryption, it’s a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom,” Lanstein said. “Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.”

If ransomware follows a similar path as scareware, criminals will be hustling to mimic FileFix Pro. According to some estimates, crooks make as much as $5 million a year pushing fake antivirus software.


Your thoughts – “Report Calls Online Threats to Children Overblown”. What do you think, is this for real or not?

January 13th, 2009 Brett A. Scudder No comments

Hi all,

I really had to bring this to your attention and if you’d like to add your thoughts that’d be great. The report has prompted my desire to see the real report that was submitted for them to come to this conclusion. I’d like to have a sit down with them to shed some light to the issues from another angle, the "unreported cases".

As I said, there’s a lot that goes on that doesn’t get reported so where does that info go and what influence (if any) would it have on the real state of affairs about online threats to children. Children are being used as backdoors and an access point to private/personal information about the family, the home and financial status, not just for sex or sexual acts.

If there wasn’t a threat why do we have taskforce and other agencies manning it?

I guess you can tell that I’m very worked up over this one, huh. It just shows how limited the mindset is at that level. It’s like saying if I teach the children to secure the door by always locking it I don’t have to worry about the windows.

————————————
The question on LinkedIn.
http://www.linkedin.com/answers/using-linkedIn/ULI/398900-3071950

Your thoughts – "Report Calls Online Threats to Children Overblown". What do you think, is this for real or not?

Good day to you,

When I see an article like this I tend to sit back and go wow, where have I been living and what have I been seeing/hearing, or am I in denial of the truth. I have always said that we, the people in the field who live and die working in the field, have always seen things differently from the people in these high-level positions, and that is why they fail to implement the proper things needed: there is no synergy between us and them.

It’s like a cop on the street who has to deal with the everyday violence and issues but is able to quell them and bring peace in his areas because he’s known and knows how to deal with people. While these issues are real and happening every day, they don’t get reported back to the precinct and so the captain (or seniors) thinks all is well and can say that their district is not violent nor has issues like anywhere else. It’s not that you don’t have issues, you’re just not getting the info about them because they are not critical enough to report in or cause a major stir. Yet, unchecked, the high-profile ones are added to the statistics and generate facts.

They don’t come down to our neck of the woods and talk with us to see what is "really going on" in the world; instead, they use statistics that are published by some agency or group. Well, I must be in denial because I truly see this as a growing problem and have talked with parents and students alike who have been victimized online to the point that it affects their offline experience/life.

So, before I get carried away in myself and this issue (as it really upsets me), I’d like to throw this out to this professional’s network to get your real professional insight/thoughts on the report of the report.

http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html  

Thank you and have a great day,

~Brett A. Scudder~
