Security roundup: Stealing from the military; persistent threats; mammoth security problems; bot armies

What does it take to build a culture of network security?

Sometimes the difference between selfless valor and selfish cowardice is stark. On the same week that 21-year-old Marine Sgt. Dakota Meyer is awarded the Medal of Honor for heroism in saving his compatriots in Afghanistan, we hear that Rene Quimby, 42, is sentenced to prison for stealing 16,000 identities of U.S. military service members and using that information to steal from 650 victims.

In his scam, Quimby went on online shopping sprees for computers, cameras, iPods, even washing machines, through accounts at the website of the Army and Air Force Exchange Services, the organization that does about $10 billion in business annually on military bases. Security lapses and data leakage problems gave Quimby his opening -- but last week he was sentenced to 75 months in federal prison and must pay $210,000 in restitution to AAFES.


Getting ripped off via stealthy network intrusions was the theme for the Summit on Advanced Persistent Threats, which was organized by trade group TechAmerica and RSA. As you probably know, RSA is the security company that acknowledged earlier this year that an intruder got into its network and stole sensitive information related to its SecurID product. Later, that information was used to attack Lockheed Martin.

RSA has since taken to organizing the equivalent of high-tech group therapy, and about 100 chief information security officers, CIOs and CEOs attended the APT Summit, which took place in July in Washington. A report about its main findings is forthcoming. One problem is that CISOs are understandably nervous about the legal ramifications of even talking about APTs.

The need to discreetly share intelligence was also the theme with the Department of Homeland Security (DHS) last week. At a congressional hearing, DHS Acting Deputy Under Secretary Greg Schaffer of the National Protection and Programs Directorate said DHS does work directly with financial institutions to thwart cyberattacks and plans to do so more in the future. Schaffer said DHS is extending top secret/sensitive compartmented information clearance to key banking and financial information systems managers so US-CERT can share more sensitive intelligence with the private institutions. To broaden that collaboration, DHS is seeking laws that would make that sharing less problematic. "Some institutions have concerns about the privacy implications of sharing information with the government or about brand damage that may result from reporting an incident," he said.

Are mammoth cyberattacks imminent? Gen. Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, says to get ready for something big. A destructive attack from cyberspace "is coming, in my opinion. It is a question of time. What we can't know for sure is how far out it is," and whether it will target commercial infrastructure, government networks or mobile platforms, the general said in his remarks at last week's Maneuvering in CyberSpace Symposium.

Others last week gave voice to the idea that the U.S. needs to improve its cyber-intelligence posture. The Intelligence and National Security Alliance Cyber Council -- said to be a nonprofit, non-partisan, public-private organization -- issued a report on that topic. It said the dilemma is that DHS has the authority but lacks the expertise and capabilities to orchestrate a comprehensive approach to cyber intelligence. The Defense Department has much of the actual cyber intelligence capabilities and private industry owns most of the infrastructure.

Meanwhile, an evil infrastructure of bot armies of compromised computers continues to be assembled, awaiting a command from someone to attack.

Products, ahoy!

There has not yet been a standard for point-to-point encryption to protect payment card data from the point of sale, where sensitive cardholder data is captured, through to the processor networks and banking systems it is sent into. But the PCI Security Standards Council last week took the first step toward establishing one by releasing guidelines for hardware-based encryption and key management.

The council says the goal is to certify hardware-based equipment for use with payment card processing by early next year. It would be totally voluntary and optional for merchants to use any of this, but it might help them get through PCI audits more easily. One issue, though, is that a lot of the larger merchants have already adopted their own encryption methods for use with their payment-card processors.

Vendors have long made a living circling around Microsoft, building software for Windows or Internet Explorer browser plug-ins. But when Microsoft does something they don't expect, these vendors can find their business in trouble.

That's what apparently happened to StrikeForce Technologies, the Edison, N.J., maker of the GuardedID anti-spyware product, which has a browser plug-in component for Microsoft's Internet Explorer and for Firefox.

StrikeForce executive vice president George Waller last week reached out to explain that when Microsoft released its IE9 browser in the spring, the encryption in the StrikeForce GuardedID software for defeating key-logging payloads no longer worked right. What caught StrikeForce off guard in all this is that the beta version of IE9 didn't cause that to happen. "But the release candidate prevents our technology from securing the corporation (or user) from malicious code," Waller said.

He said StrikeForce has contacted Microsoft hundreds of times to try to sort out what StrikeForce says is a "bug" in IE9 that StrikeForce says wasn't in the IE beta code. Still frustrated months later, and coping with business problems that include informing customers they can only use GuardedID with IE8, StrikeForce last week took its story to the trade press.

Among information sent to Network World and others, Waller supplied the tech press with purported email from Microsoft personnel on April 11 that appears to acknowledge that there may be some need for a fix to IE9.

One email says: "As you know, the product team has already reviewed this issue and they have confirmed that this was an unintentional regression. A fix request has been submitted. But unfortunately, we don't have definite timeframes around our hotfix processes. I have kept the IE product team posted on the impact this issue has on your software and while they acknowledge it, they have to follow the regular process guidelines and prioritize it appropriately among other requests on their plate." In another email, Microsoft apparently tells StrikeForce: "I understand the impact to you and can certainly understand your frustration."

Microsoft, to whom Network World sent copies of all this, responded by saying, "We care about each of our customers' experiences with IE9. Our engineering team is actively investigating the claim that this third-party toolbar is no longer working in IE9; upon completion of that investigation, any necessary updates will be provided. Windows customers and Internet Explorer users should know there is no impact on their security or browsing experience as a result of this claim."

Waller, clearly distraught, said the StrikeForce software is supplied as an OEM component to Trend Micro for its Titanium product, and that other deals are also affected by the company's inability to get help from Microsoft with the software problem.

Last week, though, Microsoft was busy with other things, like patching 12 vulnerabilities in other products such as SharePoint as part of its regularly scheduled second-Tuesday-of-the-month patch release.

"They say there's a case opened," Waller said. "But they keep passing me around." He added: "I guarantee that if I was a Symantec Corporation they would have fixed it immediately, but because we were not, we were pushed off."

In other software patch news, Oracle released an emergency patch for versions of its Oracle Fusion Middleware and Application Server, saying that without it the servers could be brought down.

US Energy Dept. finds myriad challenges to building culture of network security

When it comes to securing the nation's critical energy networks, the Department of Energy says much work remains. Key to that work are the engineers, network administrators, vendors and others behind the security technology -- but they will be leaving the industry in droves in the next five years, according to a Department of Energy security roadmap issued this week.

"Over the next five years, energy companies will face a critical shortage of engineers and skilled craft workers. For example, about 45% of engineers -- 7,000 in electric utilities alone -- are predicted to retire or leave for other reasons. Compounding that, two to three times more power engineers may be needed to satisfy the needs of the entire economy and future operations will require broader skill sets than those prevalent today," the report states.

Keeping key people is just one of the many challenges to building what the DOE calls a culture of security. From the report:

• Limited knowledge, training, understanding, and appreciation of energy delivery systems security risks inhibits security actions within the energy sector. There is also an incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities. Current risk assessment capabilities fall short of determining the effects of each cost decision on system resilience in terms of failure modes and vulnerabilities.

• While standards have helped to raise security to a baseline level across the energy sector, some standards remain unclear or too broad, or may have prompted utilities to use less advanced security measures to meet requirements. In addition, a rapidly changing risk environment means standards compliance today may not be sufficient tomorrow.

• Improving security comes at a cost, and demonstrating direct line benefits to an energy organization is difficult. Without the occurrence of a catastrophic cyber incident or a strong business case, public and private partners will continue to have limited time and/or resources to invest in partnership efforts.

• The increasing sophistication of cyber intrusion tools and complexity of energy delivery systems makes it difficult for asset owners and operators to recognize an incident once it is under way. The use of automated intrusion detection systems and applications has the potential to introduce serious operational issues.

Copyright © 2011 IDG Communications, Inc.