Today there is a lot of interest in “Cyber warfare” and “Cyber threats”. Week after week we are bombarded with news about massive security failures, one after the other. For example, according to the Utah Department of Health, the sensitive personal information of more than 780,000 people was stolen from a government health department computer in Utah, USA in March 2012. These ongoing reports leave many of us feeling unsure on what can be done. Is this just sensationalism? How bad is the situation really? If we have a serious security problem, how do we get ourselves out of this mess? In particular, what can I do to improve my situation and protect those I care about?
Each week, this easy to understand Cyber Security Awareness Series will quote cyber security insiders to answer these important questions. This four-part series is another example of international collaboration created by the ICT Gozo Malta Project, this time with experienced international security reporter Pierluigi Paganini, director and Ciso of Bit4ID, Italy. The series contributes to ongoing online publications of extensive cyber awareness resources during 2011 and 2012. These publications from Malta have been blogged and viewed by thousands of people including experts in government and industry around the globe.
Below, we quote three world-leading experts to make it absolutely clear that we do have a problem that deserves our attention, with simple suggestions on how we might respond.
According to the US National Security Agency: “There is no such thing as ‘secure’ anymore.” The ugly truth is that the majority of information and communication technology (ICT) products are fundamentally insecure and trivially broken. It is readily apparent because we are all very familiar with anti-virus and anti-spyware software, and the endless process of costly (time-consuming) security patching, often long after successful attacks, has come and gone.
What is less understood by the wider community is that there is also an underlying problem (known by world-leading security insiders) that makes this an extremely perilous situation. That problem is that critical aspects of today’s mainstream civilian cyber security ecosystem foundations are fundamentally flawed at the conceptual design, architecture and implementation levels. This includes many of the (de facto/national) security standards and security products designed to protect us from malicious activities. (See: “Synaptic Labs’ Annual Report On Cyber Security Technical Problems, Drivers and Incentives” for the full blow-by-blow disclosure from leading experts.) This leads to a simple question: How can you make a robust, secure system with insecure building blocks?
March 2012 –UTAH DOH says 780,000 Patient Files
Brian Snow is a private information security consultant with a unique insight into the situation. For 13 years, he held technical director positions in the US National Security Agency (NSA Research & Development, Information Assurance Directorate IAD, ADET). For those unfamiliar with the US NSA IAD, it’s mission is to protect the US National Information and Information Systems by securing networks and making ICT systems that are less vulnerable to attacks. Prior to his technical director roles, Brian spent his first 20 years at NSA as a techie and inventor, doing and directing research on developing cryptographic components and secure systems. Many crypto systems serving the US government use his algorithms. In short, Mr Snow is one of the most authoritative and respected names in the business of securing information systems, and today he provides expert advice to the global community on how to protect ICT systems. His relentless message to security forums around the world is indisputably clear. He describes today’s cyber security systems as a
“trust bubble waiting to burst”.
To quote Brian Snow from the 20-minute video presentation he recorded for Synaptic Labs and presented at the ICT Gozo Malta’s International Cyber Awareness Seminar in November 2011 (available online free): “Today’s Trust Bubble products are rife with a huge pile of crippling un-addressed conceptual (design) and implementation debt. That is a one-two punch. And as were the Credit Derivative products in 2007, widely used, little understood, and less analysed! I said in March 2010 at the RSA Conference that we are ripe for a Trust Bubble meltdown with the same scale of consequences that the Credit Markets suffered. I predicted that it COULD (not WOULD) happen within three to five years, possibly even within 18 months… I now feel we may have only long weeks to short months before we COULD feel even greater pain from the immense pile of ‘debt’ (both conceptual and technical) that security vendors are carrying. Please realise, we are in desperate trouble! We have to dig out of this, or else the world economy is headed for a severe crash! We are moving at a snail’s pace against an avalanche of MALICE. It is insane not to act! So I am here to tell you that your cyber systems continue to function and serve you NOT due to the EXPERTISE of your security staff, but solely due to the SUFFERANCE of your opponents.”
This is not an isolated statement made by some radical. Other security experts with similar deep insight into the true extent of the problems are saying similar things.
Debora A. Plunkett is today the Director of the US NSA IAD. Ms Plunkett is responsible for cyber security, cryptography and information systems security for all US national security systems. Her public view on the status of today’s cyber security is very clear:
“There is no such thing as `secure’ anymore… We have to… assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”
This is a key public statement and a warning that all major organisations should take into account.
Melissa Hathaway is a security expert who has held high-ranking security positions in both industry and government. Ms Hathaway is best known for leading the extremely influential US government’s Cyberspace Policy Review that triggered massive change both in the US and around the world. When addressing some of the brightest minds in US cyber security at the US Oak Ridge National Laboratory’s Annual Cyber Security and Information Intelligence Workshop CSIIRW 2010, she said: “I think it is unconscionable that our leaders are not talking about what is really happening and some of it is because of the fear that we are going to lose trust in the core infrastructure and/or that we are going to lose public confidence.”
To support Ms Hathaway’s statement about the vital importance of maintaining public confidence, we quote the official UK Government Cyber Security Strategy 2011:
“Any reduction in trust towards online communications can now cause serious economic and social harm to the UK.”
So naturally we cannot expect alarming reports to come from many government sources. Having said that, it is reassuring to learn that each of us has the ability to respond right now.
According to Brian Snow, “Each of us has the responsibility: 1. To educate ourselves on cyber security issues, 2. To find out what our individual security roles are in our business operations (and personal life), 3. To improve our skills and apply them to improve the security posture of the community, and 4. To identify what we cannot do personally and then call on the security community to deliver it.”
In this article, we will focus on immediate steps each of us can take right now to mitigate the threat to ourselves, our loved ones and businesses. Thankfully, according to the UK government’s Cyber Security Review (2011):
“Prevention is key, we will work to raise awareness and to educate and empower people and firms to protect themselves online. Eighty per cent or more of currently successful attacks exploit weakness that can be avoided by following simple best practice, such as updating anti-malware software regularly.”
To start, if your computer appears to be sick (very slow or randomly misbehaving), go directly to a trusted techie, system administrator or your local computer shop and ask to have your computer checked, any malware removed, and to install a high-quality anti-virus tool if you don’t have one. If your computer seems okay, make sure you are running an anti-virus tool that checks every application for malware before it runs. If the anti-virus tool continually discovers viruses, seek expert assistance immediately. Unfortunately, installing an anti-virus is not enough. Security is a daily routine of applying best practices, not something magically achieved by running an anti-virus product! The next most critical step in our daily routine is to ensure software patches for your operating system and that all applications are applied in a prompt and consistent manner. Patching removes vulnerabilities that have been discovered, preventing them from being exploited.
With the absolute minimum in place, we each still have the responsibility to educate ourselves on the other critical cyber security best practices. So be sure to read the next article in this series and join us in taking the next steps to secure (y)our world!
You can find full citations to all materials referenced in this article, and related cyber security materials including Brian Snow’s presentation, at tinyurl.com/SynapticLabsAnnualReports2012.
Co-author Pierluigi Paganini, Director and CISO of Bit4ID Italy has 20+ years of security experience and has many years of in-depth investigative cyber security journalism on important cyber events. Find his blog at: securityaffairs.com.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu has links to free cyber awareness resources for all age groups. To promote Maltese ICT to the world, we encourage all ICT Professionals to register on the ICT GM Skills Register and keep aware of developments, both in Cyber Security and other ICT R&D initiatives in Malta and Gozo.
by Ron Kelson, Pierluigi Paganini