20 Critical Security Controls

In 2009, the State Department implemented a bold strategy to continuously monitor cyberspace for malicious computer attacks.  Chief Information Security Officer John Streufert led the effort.  Part of what Streufert wanted to determine was whether or not he could tailor his security model to the 20 critical security controls, a set of risks that over 100 security experts determined to be the most common and likely security vulnerabilities facing government computer systems.

Prior to these controls, the National Institute of Standards and Technology concluded that there were 110 or more ways computer systems could be attacked.  Former Energy Department and Air Force CIO John Gilligan changed all that when he brought together a powerful consortium to determine if there was a subset of those risks that was substantially more important based on the damage they could inflict and the likelihood of them occurring.  As a result, the 20 critical controls were born.

Streufert opened a 24-hour security help desk to count the number of security incidents occurring on a daily basis.  For 2008, State opened 2104 tickets.  By 2009, the number went up to 3085.  Different kinds of attacks occurred, but the most prevalent was malicious code, which rose from 39% in 2008 to 70% in 2009. 

The 20 Critical Controls are judged by leading cybersecurity experts to be the most commonly used and effective ways computer attackers gain entry to systems and networks.  The automation of these controls has radically lowered the cost of security while improving effectiveness.


SANS 20 Critical Security Controls

Pssst, Real Conspiracies…

Conspiracy theories abound.  I keep my tinfoil hat folded neatly in my desk drawer, ready at all times for protection from “them” and their cosmic rays…

Before you scoff at conspiracy theorists at large, proclaiming everything from your boss and the local ISP tapping the Internet to keep an eye on you, to the shocking events that unfolded during 9/11, why not watch a short 8-slide slideshow over at Baseline Magazine of conspiracies that REALLY HAPPENED.  I’m a fan of Baseline, have been for years.  They started out with a Project Management focus, mixed in some Business insights, and introduced security elements into their technical discussions.  That makes for a very interesting read, with a variety of perspectives.

Anyway, we saw the alien autopsy, and might still have some old pictures from directly behind the grassy knoll…


FBI Reports Most Difficult Scams

The Federal Bureau of Investigation recently reported on the top Internet scams of 2009.  The report indicates that criminals are continuing to take full advantage of the anonymity provided by the Internet and developing increasingly sophisticated means of defrauding unsuspecting consumers.  Annual crime complaints reported to the Internet Crime Complaint Center (IC3) increased 667.8% between 2001 and 2009.

According to the FBI and the IC3 Web site, the most popular scams for 2009 included hitman scams, astrological reading frauds, economic scams, job site scams, and fake pop-up ads for antivirus software.


IC3 Report

2010 Computer Forensics Show in NY City

Beginning April 19th, the FBI’s New York Office InfraGard team co-sponsored the 2010 Computer Forensics Show in New York, New York.   More than 1,000 people signed up for the two-day conference.  Over 350 individuals were provided computer, accounting, and legal forensic educational training.

Topics of discussion presented by members of the FBI’s InfraGard team included:

  • 2010 Cyber Threats and Trends.
  • Using Network Forensics to Combat Cyber Attacks.
  • State of the Hack—Find Evil. Solve Crime.
  • Combating Threats to Your Critical IT Infrastructure.
  • The Use of Digital Forensics in Inspecting Chemical, Biological, and Nuclear Facilities

Attendees of the event were advised that modern communications devices such as smartphones and game consoles pose a thorny problem to law enforcement agencies trying to gather forensic data that reveals criminal activity.  There are many different carriers, different phones, different cables – just try to keep up.  Forensic tools for cell phones are in their infancy.  Smartphones can communicate via SMS, MMS, mobile e-mail, mobile Internet access, VoIP and traditional cellular voice networks, making each a nightmare maze of proprietary technologies to unlock.

Retrieving SMS messages can depend on the model of phone, the carrier involved, even the country in which the phone is used.  SIM cards removed from phones carry potentially useful forensic information, but unless associated with a particular phone’s PIN, the data remains out of reach.  If the make and model of the phone are known, the manufacturer’s “personal unlock feature,” if it exists, could release the data.

The proliferation of cell phones is also a problem.  Searches of homes can turn up drawers full of cell phones that are no longer used, but are never thrown out.  Each one can demand valuable forensic time. 

Game consoles can be used to connect to the Internet and to send e-mail, but have very little internal memory.  The drive tends to be quickly overwritten and the data is gone forever.  That means users can send Web-based e-mail and leave no trace.  Meanwhile, the FBI continues to seek help from the private sector to protect critical infrastructure, with IT professionals detecting terrorist activities before the bad guys can carry out their plans.

The New York City FBI bureau has 1,100 staffers enforcing 400 different violations, plus seeking terrorists.  InfraGard, an alliance of the FBI, business and academia to protect US infrastructure from terrorists, sought help at the 2010 Computer Forensics Show, where professionals and students who are likely to have an interest in law enforcement came for seminars on gathering evidence for legal cases.  The New York area InfraGard chapter offers educational seminars online during weekly podcasts.


Effects of Banking Trojans on SMBs

Panda Security has released a new report, finding that while a majority of respondents are concerned about online banking fraud and identity theft in their organizations, they don’t understand how best to protect their businesses.  In addition, they have a false sense of security in terms of their expectations around bank reimbursement in the unfortunate event they fall victim to fraud.

Key Findings:

  • Small businesses continued to be a prime target for cybercriminals in 2009.
  • 66% of the 25 million malware samples collected by PandaLabs in 2009 were banker Trojans.
  • 49% of respondents use online banking to make and receive payments online.
  • 52% of respondents had little or no familiarity with banking Trojans, despite increased attacks in 2009.
  • 11% of SMBs said they have or may have been affected by online fraud or identity theft.
  • 86% of online fraud or identity theft incidents were reported to authorities.
  • 15% of SMBs either are unsure of the status of, or do not have updated security software on all systems where online transactions are conducted in their organizations.

The Annual Report clearly demonstrates that users who are most vulnerable to banking Trojans are those who frequently conduct online banking, with small to medium-sized businesses being at particularly high risk.  These organizations, ranging in size from one to 500 employees, are attractive targets because they are less aware of the myriad threats that exist and underprepared to protect themselves owing to more limited budgets and internal resources.  Moreover, SMB accounts are particularly attractive to criminals because they have higher account balances than consumer accounts, yet lack the protections of larger enterprises.

There were several instances in 2009 that demonstrated just how vulnerable SMBs are.  In September 2009, approximately $439,000 was stolen from German bank accounts with the aid of a sophisticated banking Trojan called URLZone.   The attackers stole banking credentials from the URLZone-infected systems, and then initiated money transfers through the victims’ computer systems by using the stolen credentials. 

More recently, hackers were able to infiltrate and steal $150,000 from a small insurance company in Michigan.  Using the widely popular Zeus Crimeware Kit, attackers hacked into the controller’s computer and initiated money transfers until the company’s bank account was depleted.  These are just two recent examples out of countless attacks that happen annually.

Panda Report

VPD Captures 400 ID’s

Washington State’s Vancouver Police Department posted to its website the names of more than 400 people whose personal information may have been compromised.  The names, dates of birth and social security numbers were discovered in a plastic bin inside a home in the 19000 block S.E. 19th Way on April 9th during a response to a disturbance.  A tub at the residence was filled with credit cards, driver’s licenses and stolen mail.

The list will include only first and last names, and is available at http://www.vanpolice.org (under “Current Topics,” click “Ledger List”).  Anyone whose name appears on the list is encouraged to:

  • Check their credit report for signs of fraud or theft.
  • Check bank and credit card statements for unauthorized withdrawals or unusual charges.
  • If you discover an unauthorized charge, report it to your bank or credit card company.
  • Report it to police.

The Columbian