The State of the Union Address and the Call for Corporate and Armed Forces Evolution

Mark Harrington

This week’s State of the Union Address was the fourth in a row in which President Obama highlighted the critical nature of cybersecurity. Until the most recent onslaught of headlines painted a painful picture of the consequences of a data breach, all too many of our organizations have been focused on passing compliance audits and dealing with a broad variety of threats to long-term business viability. Times have changed, and the headlines and the tough reality are all crystal clear: the bad guys are strong, dedicated, and working productively together, and they are in our networks today.

As President Obama said, lawmakers must “finally pass the legislation we need to better meet the evolving threat of cyber-attacks,” and, “If we don’t act, we’ll leave our nation and our economy vulnerable.” Recently proposed legislation would relieve some of the risk of participating in the information-sharing for which the federal government is asking. Defending our organizations is becoming increasingly complicated for legal and security teams, so it’s crucial for such legislation to increase the incentives or decrease the exposure that companies would experience in being more transparent and collaborative with government when data breaches occur. 

Billington Cybersecurity Summit: Situational Awareness and Cyber Resiliency

Victor Limongelli

I was pleased to have the opportunity to participate on a panel at the 5^th Annual Billington Cybersecurity Summit, a very well attended event in Washington, DC yesterday. At the Summit’s opening keynote, Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, made a strong call for the adoption within cybersecurity of the military concept of “situational awareness,” both in government agencies and in corporate America. This, he said, can be achieved through understanding normal behavior across a network and on endpoints and having a way to quickly visualize anomalies. 

Building Cyber-Talent in the National Collegiate Cyber Defense Competition

The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).

Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert. 

U.K. Announces Engagement in the War With No Front Line

Alex Andrianopoulos

On the day the mighty U.S. government shut down, the U.K. government threw down a colossal gauntlet: it revealed that it has been developing the capacity to carry out cyber attacks. The Financial Times reported today: Philip Hammond, defence secretary, said ahead of the Conservative party conference in Manchester that the UK was "developing a full-spectrum military cyber capability, including a strike capability." It was the first time any country  has made such a sensitive statement in public.

...Or you could fix the software.

Josh Beckett

One of the fundamental realities of security is dealing with vulnerabilities.  In the industry, we have become so jaded to the fact that software makers simply don't want to go to the trouble and expense of churning out secure code that we have just learned to 'abide.'  Consequently, we come up with elaborate ways to measure vulnerabilities and concoct Wile E. Coyote style mitigation plans to bring the risk down to an acceptable level.

Occasionally, I'm reminded that my permanently security-tainted skepticism needs a bit of a challenge to my comfortable position that there is no real security, there is only incident response.  We continue to fight a losing war and resign ourselves to try harder tomorrow.  With nation-states throwing their hats and ample wallets into the ring and anonymously buying bugs and exploits and expecting it to not be reported to the software vendor or public, it seems all is lost.

Better Incident Response Is the Real Game Changer

Josh Beckett As usual, on my very long drive to work, I was getting my daily fix of NPR and a couple of stories prompted me to write today.  First was a story that had to do with one of the interesting side effects of moneyball and how it was making baseball games longer by increasing the value of players that get walks.  More walks = longer games = less action = more fan boredom.  Their take away from this...you get what you ask for.  Not very security-esque, but stay with me.

The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications.  I've heard claims that all three branches of government had oversight into the process.  It struck me that there is a major problem with that claim.  They were all sworn to secrecy and operating behind closed doors.  No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff.  Ok, so how are they related?

Who Turned Off the Lights? U.S. Electric Grid Sees Increase in Cyber Attacks

Ale Espinosa When news of Stuxnet broke out, the world was shocked. It was the first discovered malware to spy on and subvert industrial systems, as well as the first to include a programmable logic-controller rootkit, used to attack Iran’s nuclear facilities.

Yet, despite fears of retaliation from foreign governments against the U.S. electric grid, a recent report based on over 100 surveyed utility companies revealed alarming vulnerabilities in the nation’s energy system. The report was supported by members of the U.S. House of Representatives in an effort to bring awareness to the security gaps in the utilities sector.

Among some of the report’s key findings were:

• Attacks on the nation’s critical infrastructure – including energy – were up 68 percent from 2011
• Many utility companies reported receiving “daily,” “constant” or “frequent” cyber-attack attempts
• Among the attacks reported were phishing, malware infection, and unfriendly probes
• Most utility companies are compliant with mandatory cybersecurity standards issued by the government, but voluntary recommendations by the industry watchdog – the North America Electric Reliability Corporation (NERC) – have been ignored by many

Why Are We Losing the Cyberwar? It's About the Money.

Josh Beckett 'Follow the money' is a tried and true security strategy. It will lead to you the things the bad guys may be after. It will lead you to the tools they use. It will lead you to who is committing the crimes. Money is the reason we are losing the Cyberwar.

It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.