Special Section: breaking news from CyberMaryland (our regular summary appears below)
Among many interesting sessions and presentations, we highlight two likely to be of interest to our readers. And, of course, we finish with an account of the National Cyber Security Hall of Fame induction ceremony for the class of 2013. We'll wrap up our CyberMaryland coverage in tomorrow's issue.
Building an Effective Cyber Risk Culture
Mark Gilbert of COPT moderated presentations on cyber risk culture, and the forces shaping the cyber insurance market, which, he noted, represents the fastest-growing insurance sector.
Tom Finan, Sr. Cybersecurity Strategist and Counsel, US Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD), spoke to the state of the developing cyber insurance market.
NPPD is responsible for assisting Federal civilian agencies in securing themselves against cyber attack. Its vision is a safe, resilient infrastructure, which, Finan explained, means looking ahead at emerging threats. In this context, DHS leaders asked for a look at the cyber insurance market.
Such insurance can be expensive and hard to get. We might usefully compare it with fire insurance, for which there is a well-established and functioning market. Taking protective measures—putting in sprinkler systems, etc.—is a prerequisite for obtaining fire insurance. There might well be a cyber-insurance parallel, not only in terms of opening availability, but also in terms of establishing a market that drives increased security (and security innovation).
There's currently a reasonably functional cyber insurance third-party market. It benefits from a sizable actuarial data set. The real problem lies in the first-party market—a market for insuring against loss of reputation, loss of market, and restoration of systems. Here, there's very little actuarial data because companies are understandably reluctant to disclose cyber attacks and the complex losses they inflict.
NPPD thinks, Finan said, that an appropriate role for DHS is to sponsor conversations with a cross-section of stakeholder groups. As NPPD studied the problem and talked with stakeholders, it identified two unresolved issues: assignment and market.
With respect to risk assignment, stakeholders differed. Many felt risk should be assigned to the Federal Government. Others thought assignment of risk to utilities (for example) provided a model by which risk might be assigned to the private sector. The new and rapid growth of cloud services raised significant risk-assignment issues. Active defense has also become a factor in assignment: many companies are interested in extending their self-defense rights to cyberspace.
The market issues naturally fall into supply- and demand-side categories. On the supply side many see a role for the Federal Government in developing actuarial data. On the demand side, many wanted a cyber version of the SAFETY Act. They want a safe space for companies to report what's happening to them, and the ability to do so anonymously. Many asked for a set of well-founded risk-reduction best practices.
The business case for insuring (and investing) against cyber risk has, generally, yet to be made. In many sectors cyber risk is still considered purely an IT issue, and it hasn't been reduced to costs business leaders can understand. More research into costs and benefits of cyber risk would surely help.
Risk management strategy falls naturally into four stages: accept, avoid, and mitigate risk, and only then transfer it (through insurance).
We see, according to Finan, a movement on the part of insurance carriers away from elaborate checklists to an assessment of a company's risk culture. Some carriers now rely essentially entirely on risk culture to craft a policy specific to each business seeking insurance. Risk culture is seen as having four pillars: (1) the role of executive leadership, (2) education and awareness, (3) technology, and (4) information-sharing.
Insurers now generally survey companies with 20 or so high-level questions and they do this "to eliminate the clueless from their pool of the potentially insured." Carriers want to see an engaged cyber risk culture, and companies with such cultures are the ones they want to insure. This is a very positive sign: the process of companies getting their own houses in order will ultimately drive an effective first-party insurance market.
Dismas Locaria, Partner, Venable LLP, spoke about the SAFETY Act, which is intended to encourage innovation through systems of risk and litigation management. This law arguably already covers cyber, as a special case within its definition of "act of terrorism."
The SAFETY Act establishes a process that helps companies limit their liability at two levels: (1) designation (which requires demonstration of a product, system or technology's efficacy) and (2) certification (which requires a higher degree of proof of efficacy). Designation caps liability at a certain level; certification affords effective immunity from third-party liability.
The Act also affords a company Government review and approval that what it does is effective and constitutes a reasonable precaution against risk. The application process is very involved, requiring a lot of upfront work.
A questioner asked whether hacktivism fell within the scope of the SAFETY Act. Locaria replied that this was a grey area, and that ultimately the Secretary of the Department of Homeland Security determines whether an act constitutes terrorism. He did note, however, that the language of the bill mentions eco-terrorism, which is surely akin to hacktivism.
Cyber Technology and Innovation: What's here, what's coming, and what to do about it.
Beau Adkins, CEO of Light Point Security, moderated a panel of industry leaders: John Harmon (Partner, Tactical Network Solutions), Jeff Huegel (Executive Director, Cloud, Hosting and Applications Security, AT&T), Jason Taule (Chief Security and Privacy Officer, FEI Systems), and Dana Pickett (CISO and CPO, Allegis Group). Adkins invited the panelists to share their take on the cyber landscape.
Tactical Network Solutions' Harmon explained that embedded devices on networks pose an overlooked risk. There's lots of advanced persistent threat fear, uncertainty, and dread—FUD—but the FUD has a bit of truth in it. Consider hospitals. Entire medical centers are now wireless. How long will it be before someone from a parking lot can shut down every medical pump in a hospital? FEI Systems' Taule suggested segregating embedded devices on different networks. Harmon observed that vendors in this space remain inattentive to security in what is a commodity market. Tactical Network Solutions demonstrated ten zero-days on IP cameras at Black Hat. Not one of the affected vendors contacted them about the vulnerabilities.
AT&T's Huegel described de-perimeterization as an approach to cyber security. AT&T has been considering de-perimeterization for some time. We all have multiple roles and multiple identities, making walls not only impractical, but an actual risk. We should consider putting rings around things, not networks; let devices protect themselves.
Allegis's Dana Pickett strongly advised businesses to assess what's on their network. Baseline it and assess risk. Taule urged companies to demand, from vendors, a baseline of what constitutes normal behavior from the systems they're selling. You don't need source code, but you do need a behavioral baseline.
Taule, who's "tired of the term 'APT'" and prefers to call such things "weaponized threats," shared a lesson from the experience of being acquired by a larger business. As a small company, you may not have been of great interest, but attackers read press releases too, and once you've been bought, you're a target. As soon as the press release is out, attacks spike.
The trend toward BYOD (bring your own device) elicited considerable discussion. Pickett advised that in a BYOD environment, you need to be sure the business and personal are separated, and make sure the business data are easily wiped.
This, Huegel pointed out, is all the more reason to put rings around things. When the real threat arrives in mobile, it won't look the way we expect it to. There's a lot of intelligence exposed on mobile devices. Mobile devices are becoming primary endpoints in corporate networks. Note too that phones are becoming means of authentication.
Be sure to get policies, disclosure, permissions in place before adopting BYOD, advised Taule, who also suggested securing legal advice. BYOD, he reminded the audience, is about economies. Consider applying controls only where necessary.
Pickett offered sound summary advice: do the simple, obvious things—like using strong security software—to protect endpoints.
National Cyber Security Hall of Fame Induction
The Hall of Fame's Class of 2013 was inducted in Baltimore yesterday. See the link below for full biographies of the pioneers honored. In brief, they are David E. Bell (co-author of the Bell-La Padula model of computer security), Jim Bidzos (CEO and Chairman of VeriSign, Inc.), Eugene H. Spafford (Professor of Computer Science, Purdue University), the late James Anderson (pioneering student of intrusion detection and founder of the CIA's "Brain Trust"), and Willis H. Ware (Computer Scientist emeritus at RAND Corporation).
Lieutenant General (retired) Kenneth Minihan, former Director of the US National Security Agency, welcomed and congratulated the class of 2013. He described the National Cyber Security Hall of Fame's vision as building a bridge from the past to the future by educating, stimulating, and commemorating cyber achievement. He spoke of Maryland's happy convergence of science, technology, engineering and math (STEM) education with Government requirements in the center of an East Coast tech corridor running from Boston to Atlanta. He closed by commending the example of the Cyber Security Hall of Famers to all young people thinking about their future careers.
The evening's keynote address was delivered by US Representative Charles Albert "Dutch" Ruppersberger III (Maryland 3), Ranking Member of the House Permanent Select Committee on Intelligence.
Cyber threats, Congressman Ruppersberger asserted, are, along with weapons of mass destruction, the greatest threat the United States currently faces. He described Congressional efforts to pass effective cyber security legislation and their concern for doing so in a way that respects privacy and civil liberties. (He parenthetically described the media's recent coverage of the National Security Agency as both sensational and distorted.)
The House cyber bill seeks to address the threat of, among other things, economic warfare and industrial espionage carried out against the United States by hostile or competing foreign governments. The bill would enable information sharing, revising restrictions on information sharing passed into law in the late 1940s. The Government's cyber operators are, he said, currently in the position of a meteorologist watching the progress of a hurricane but prohibited from warning anyone who's in its path.
He closed by urging people to understand that the US is being attacked all the time. And, of course, he ended by congratulating and thanking the Hall of Fame class of 2013.
Today's regular daily summary starts here.
THE CYBERWIRE (Thursday, October 10, 2013) — Network Solutions is investigating possible connections between a denial-of-service attack it suffered and a recent wave of Website defacements by KDMS Team pro-Palestinian hacktivists.
Anti-regime Syrian hacktivists join the Mideastern trend of vandalizing the American Midwest: Dr.SHA6H hits Mansfield, Ohio.
A Turkish education ministry site is compromised for malware distribution. The motive here seems apolitical theft.
An IE zero-day first observed attacking Japanese and South Korean organizations last month now seems to have been used against US targets as well.
WhatsApp encryption vulnerabilities continue to draw attention (and adverse criticism).
An exploit attacking the popular proprietary CMS vBulletin has been observed in the wild. vBulletin has released a workaround.
As expected, the arrest of "Paunch" by Russian authorities has caused the bottom to drop out of the market for the Blackhole exploit kit. Criminals are shopping elsewhere.
The FBI's arrest of the alleged Dread Pirate Roberts (né Ross Ulbricht, allegedly) has been followed by other Silk Road arrests in the UK and Sweden, but this hasn't trimmed all the Dread Pirates' customers' sails. Although "drug kingpins" are "spooked," low-end druggies vow vengeance against the FBI as small-fry dealers seek to form a new black market bazaar. Other observers draw opsec lessons from the Dread Pirate's downfall.
In industry news, CACI buys Six3 from GTRC in a cyber market push. Cisco sees its SourceFire buy as a key part of its own future.
General Alexander defends the NSA (and calls for information sharing). The New Republic shows him some surprising love.
Today's edition of the CyberWire reports events affecting Argentina, Brazil, Canada, China, Egypt, the European Union, France, Germany, Ireland, Japan, the Republic of Korea, Malaysia, the Palestinian Territories, Russia, Singapore, South Africa, Sweden, Syria, Taiwan, Turkey, the United Kingdom, and the United States.
The CyberWire is published daily, Monday through Friday, except for US holidays. Format and summary copyright CyberWire, Inc. To subscribe and to manage your subscription, visit our sign-up page. Follow us on Twitter @thecyberwire.
For a complete running list of events, please visit the event tracker on the CyberWire website.