Emerging threats that “may” turn into major threats in 2012

January 2, 2012

A list of threats that we read/discussed in 2011 and agreed that some of them may become major threats in the near future. Mobile and cloud security are going to be the most talked-about security issues in 2012 (though cloud is missing from this list).

Emerging threats from 2011 are on track to become the major players for cyberactivity in 2012, including mobile banking, “legal” spam and virtual currency. McAfee Labs also predicts that attacks involving political motivation or notoriety will also make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.

White Hat Debit Cards

January 2, 2012

Elinor Mills / cnet

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.

Santa Gets Hacked!

December 31, 2011

Potential Information Security Threats (Funny video)

New Electronic Authentication Guideline for Fed Agencies

December 17, 2011

Electronic Authentication Guideline (NIST Special Publication 800-63-1), from NIST, expands the options for government agencies that need to verify the identity of users of their Web-based services.

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.

Strategic Plan for the Federal Cyber-Security Research and Development Program

December 10, 2011

This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.

As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.

Feds launch cloud security standards program

December 10, 2011

Jaikumar Vijayan / ComputerWorld

Federal CIO Steven VanRoekel Thursday unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies.

The program requires that all federal agencies use only FedRAMP-certified cloud services and technologies for public clouds, private clouds, hybrid clouds and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS).

Using science to generate truly random numbers

December 1, 2011

Tom Spears / Ottawa Citizens

To people who want to encrypt data, this is a potential source of randomly-chosen numbers that are used as a “key” to lock and unlock sensitive data — military transmissions, banking transactions, or your email.

The idea is that if no one knows how the key was created in the first place, hackers and code-breakers won’t be able to figure out the secret and decode the messages.
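The excerpt's point is that the secrecy of a key rests on how it was generated, not on how long it is. As an added example (not from the Ottawa Citizen article and not describing any product in it), the Python below contrasts a key drawn from a deterministic PRNG seeded with a guessable value against one drawn from the operating system's entropy pool, and shows the attacker-side seed replay that breaks the first. The seeding scheme, the one-day seed window, the 128-bit key size and the function names are assumptions for illustration.

```python
"""Added example (not from the Ottawa Citizen article): why the source of a
key's randomness matters. A key produced by a deterministic PRNG seeded from
a guessable value can be recovered by replaying the generator over the
candidate seeds; a key from the OS entropy pool cannot be replayed.
The seeding scheme and seed window below are assumptions for illustration."""
import os
import random

KEY_BITS = 128


def weak_key(seed: int) -> int:
    """Hypothetical flawed key derivation: a Mersenne Twister PRNG seeded with
    a small integer (e.g. a Unix timestamp). Same seed -> same key, always."""
    return random.Random(seed).getrandbits(KEY_BITS)


def strong_key() -> int:
    """Key from the OS CSPRNG (os.urandom: /dev/urandom or getrandom() on
    Linux, BCryptGenRandom on Windows). There is no seed to replay."""
    return int.from_bytes(os.urandom(KEY_BITS // 8), "big")


def recover_seed(key: int, seed_lo: int, seed_hi: int):
    """Attacker side: replay every candidate seed until the key reappears.
    Work is proportional to the seed window, not to 2**KEY_BITS.
    Returns the seed, or None if the key was not made from this window."""
    for seed in range(seed_lo, seed_hi):
        if weak_key(seed) == key:
            return seed
    return None


def demo() -> dict:
    """Constructed scenario: the victim seeded from a Unix timestamp and the
    attacker only knows the day the key was made (86,400 candidate seeds)."""
    day_start = 1_325_462_400          # hypothetical: 2012-01-02 00:00 UTC
    victim_seed = day_start + 45_296   # hypothetical: some time that afternoon
    key = weak_key(victim_seed)
    found = recover_seed(key, day_start, day_start + 86_400)
    return {
        "victim_seed": victim_seed,
        "recovered": found,
        "recovered_key_matches": found is not None and weak_key(found) == key,
    }


if __name__ == "__main__":
    print(demo())
    print("OS key, hex:", format(strong_key(), "032x"))
```

With a timestamp seed the search cost is the size of the seed window (86,400 candidates for one day), so a 128-bit key falls in well under a second on a laptop. `os.urandom` gives the attacker no seed to replay; it is not a quantum source either, and what a reviewer should audit in practice is the entropy feeding the system CSPRNG and that the application actually calls it rather than a general-purpose PRNG.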

APT Or Not APT? Depends upon how clear the patterns are!

November 26, 2011

Robert Lemos / Dark Reading

Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…

…..

In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.

Whose Job Is Virtualization Security?

November 26, 2011

Richard Dreger / InformationWeek

To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model.

A tool to identify malicious insiders

November 24, 2011

William Jackson / GCN

The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.

……….

Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.
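The per-user pattern the excerpt describes can be illustrated with a system-call n-gram profile, the classic host-based anomaly-detection construction: learn the set of short call sequences a user produces during a baseline period, then score a live trace by how many of its windows the profile has never seen. The Python below is an added example, not the code of the tool described in the article; the traces, the window length `n` and the alert threshold are constructed for illustration.

```python
"""Added example (not the tool described in the article): a per-user profile
of system-call n-grams and an anomaly score for a new trace. The traces,
n and threshold below are constructed for illustration."""
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

NGram = Tuple[str, ...]

# Constructed baseline trace for one user: open/read/write/close loops of an
# editor-style workload. A real agent would collect far more than this.
BASELINE: List[str] = (
    "openat read read write close openat read write close "
    "openat read read read close write fstat mmap munmap close"
).split()

# Constructed live traces to score against that baseline: one consistent
# with it, one that interleaves socket and ptrace activity.
NORMAL: List[str] = "openat read write close openat read read close".split()
SUSPECT: List[str] = (
    "openat read write close socket connect sendto "
    "openat read write close ptrace"
).split()


def ngrams(trace: Sequence[str], n: int) -> List[NGram]:
    """Sliding windows of length n over the trace (empty if trace is shorter)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallProfile:
    """Learned n-grams for ONE user. The agent learns during a baseline
    period, then scores live traces against what it learned."""

    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.seen: Counter = Counter()

    def learn(self, trace: Sequence[str]) -> None:
        self.seen.update(ngrams(trace, self.n))

    def anomaly_score(self, trace: Sequence[str]) -> float:
        """Fraction of the trace's n-grams never observed during learning:
        0.0 = every window is familiar, 1.0 = nothing matches."""
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)

    def novel_calls(self, trace: Iterable[str]) -> List[str]:
        """Individual syscalls the profile has never seen at all; useful as
        the explanation attached to an alert."""
        known = {call for gram in self.seen for call in gram}
        return sorted(set(trace) - known)

    def classify(self, trace: Sequence[str], threshold: float = 0.3) -> str:
        return "anomalous" if self.anomaly_score(trace) > threshold else "normal"


def build_profile(n: int = 3) -> SyscallProfile:
    profile = SyscallProfile(n)
    profile.learn(BASELINE)
    return profile


if __name__ == "__main__":
    p = build_profile()
    for name, trace in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, p.classify(trace), round(p.anomaly_score(trace), 2),
              p.novel_calls(trace))
```

Two caveats a deployer meets immediately. The profile is per user: the same `SUSPECT` trace scored against an administrator's profile that already contains socket activity would come out normal, which is exactly the "consistent for individuals" property the researchers rely on. And an attacker who confines themselves to sequences already in the victim's profile (a mimicry attack) scores as normal, so the choice of `n` and of the threshold trades detection against false positives rather than eliminating either.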

Warding off cyberattacks through collaboration

November 24, 2011

Ellen Nakashima / Washington Post

It’s easy to feel overwhelmed by the increasingly bad news in cyberspace, but there are a few bright spots. Government and commercial techies are finding some success in trying to protect computer users — often from their own careless behavior.

Security Predictions for 2012

November 24, 2011

Websense

With an influx of bring your own devices (BYOD) and mobility, social media exploding, cloud computing knocking, and other operational challenges thrown in for good measure, if 2011 was the shocker, then 2012 is likely to be the kitchen sink of security concerns.

Turning to Crowdsourcing for Intelligence

November 21, 2011

Dan Parsons / National Defense Magazine

The goal is to demonstrate better accuracy in predicting near-term and middle-term events than an opinion poll by the end of the four-year experiment. In the first year, Warnaar is seeking to achieve a 20 percent improvement over traditional polling methods. If its predictions turn out more accurate, the program will be made available to government decision makers.

Questions from informed policy makers could then be fed into ACES and predictions would be based on weighted answers from program participants.

Life Logging Risk Assessment

November 21, 2011

ENISA’s Report

The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompanies using them. Loss of control over this data might result in individuals being subjected to financial fraud, or unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging in that, apart from the privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.

Dependency on the availability of certain devices or services also increases the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this direction, the link between tangible and intangible assets is particularly important, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.

Finally, we should consider risks such as psychological damage, related to discrimination, exclusion, harassment, cyberstalking, child grooming, the feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other people's lives, etc.

DARPA Boosts Cybersecurity Research Spending

November 11, 2011

J. Nicholas Hoover / InformationWeek

“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”

Tim Berners-Lee on vision for the future of IT security

November 5, 2011

Ron Condon / SearchSecurity

Berners-Lee also outlined the notion of a security friendly Web interface in which users would be able to divide their lives into their different activities – for instance, family, work, public – each of which could be colour coded and assigned a different level of privacy, set by the user. This way, even when filling out a form, the different fields could be given different colours according to their privacy rating. This kind of approach, he said, could create “an explosion of interesting new applications.”

NIST Issues Cloud Computing Roadmap

November 5, 2011

Eric Chabrow / BankInfoSecurity

The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.”

Tool to plan for Cyberattack

October 29, 2011

Nancy Gohring / ComputerWorld

The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.

Alternate Internet to Secure Critical Infrastructures

October 29, 2011

Katelyn Noland / ExecutiveGov

The alternate Internet would be built with the intention of securing critical systems where there would be strict access rules and those who are allowed entry must report any suspicious behavior.
