Heart Hacking

28 09 2012

by Matthew Moses

When you hear the terms DoS attack, wireless exploitation, and data alteration, what comes to mind? Personally, I think of a black hat hacker operating a botnet to knock a target’s website offline. I also imagine shady individuals cruising the streets looking for open or easily crackable wireless networks for free and anonymous internet access. While these examples certainly fit the profile, would you ever imagine these terms in relation to implantable medical devices?

Implantable Medical Devices

Implantable Medical Devices (IMD) are becoming increasingly popular and are used in the treatment of a variety of diseases. For instance, in 2001 it was estimated that 25 million Americans were using implantable defibrillators (Nelson 21). Insulin pumps are another variety of implantable medical device, and from my personal experience I have seen their popularity boom over the past 5 – 10 years. Other types of IMD include pacemakers and neurostimulators (Security and Privacy 30). These devices have varied uses, but one thing they have in common is their ability to treat diseases and complications more effectively for the individuals using them. Many of the functions they perform are inseparably connected with the well-being and health of the patient. With many of these devices allowing configuration changes and data export wirelessly, care needs to be taken to protect against vulnerabilities in these devices.

During a BlackHat security convention, researcher Jay Radcliffe demonstrated his ability to “hack” his insulin pump. Radcliffe was able to accomplish this feat using a custom piece of software he built in addition to some extra computer hardware (Kaplan 1). One reporter explained, “These commands can order the device to turn off, but more dangerously, they can significantly raise or lower the levels of insulin Radcliffe’s body absorbs at any given moment” (Kaplan 1).

Similar research and technological hacking feats were accomplished by the Medical Device Security Center. A group of their researchers were able to reverse engineer communications between a clinical device referred to as a “programmer” and a specific implantable cardioverter defibrillator (Pacemakers 2). The researchers successfully executed several configuration changes on the device and explained that their “experiments suggest that the ICD could be forced to remain in a mode in which it continually engages in wireless communications” (Pacemakers 10). This last attack is commonly referred to as a denial of service attack (DoS) in the information security industry, and in this case battery depletion is the cause for concern. The same group of researchers notes that they “have not measured the power consumed by telemetry or other RF transmissions, but it is possible that these operations decrease battery life faster than normal ICD operation alone” (Pacemakers 10).

Should We Be Concerned

For those using IMDs, or who have family members using IMDs, it may seem we should be worried. However, given the present state of the matter, the Medical Device Security Center said, “We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed” (FAQ 2). Therefore, it seems that at this point in time we should not lose any sleep over these attacks. In the cases of successful exploitation cited above, none of the authors were willing to release the precise implementations of their attacks. Besides needing to engineer the attacks himself, a malicious adversary would also need a worthwhile motive for the attack and would have to be in close proximity to the target (FAQ 2).

The latter case study comes from the Medical Device Security Center, which has been researching and promoting means to further the development of security within these devices, which they refer to as “zero-power and sensible defenses for IMD security and privacy” (Pacemakers 10). I will not take the time now to dive into those suggestions, but if there is interest I would invite you to read the cited article.

Going Forward

With the popularity of these devices growing, and with the growth and spread of wireless technologies that we have seen over the last 5 years, what precautions need to be taken to protect patients using these medical devices? Currently, there appears to be little to no regulation regarding these types of wireless devices. According to a CNN Tech report from 2010, a Food and Drug Administration representative, Karen Riley, “declined to say whether the FDA is looking into new regulations of wireless medical devices,” adding “that the responsibility for making the devices secure falls primarily on the manufacturer” (Sutter 1).

Do you believe that a government agency like the FDA should get involved and start passing regulatory requirements regarding the security of these medical devices? Personally, I think it’s a tough question that needs further exploration. I question whether effective regulations could be written to ensure the proper design and manufacture of secure medical devices. Specific technology is hard to break down and generalize for regulations, and technology built to mimic or regulate physical conditions of the human body is even more complex. I half-jokingly fear that if the FDA stepped in we could end up with IMD regulation books as large as the IRS tax code, which would hinder development and innovation more than secure it. For now I feel it’s in the best interest of the industry to step up and take some proactive measures toward securing its own devices without the need for government regulation. What are your thoughts?

________________

Halperin, D., et al. “Frequently Asked Questions (FAQ): Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” Medical Device Security Center, n.d. Web. 24 Sep 2012. <http://www.secure-medicine.org/icd-study/icd-faq.php>.

Halperin, D., et al. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses”. Security and Privacy, 2008. SP 2008. IEEE Symposium on. 2008. 129-142. Print.

Halperin, D., et al. “Security and Privacy for Implantable Medical Devices.” Pervasive Computing, IEEE 7.1 (2008): 30-9. Print.

Kaplan, Dan. “Black Hat: Insulin pumps can be hacked.” SC Magazine. Haymarket Media Security., 04 Aug. 2011. Web. 24 Sept. 2012.

Nelson, Glen D., M.D. “Innovation and Invention in Medical Devices: Implantable Defibrillators”. Workshop of the Roundtable on Research and Development of Drugs, Biologics, and Medical Devices, Board on Health Sciences Policy. Wyndham City Center Hotel, 1143 New Hampshire Avenue, N.W. Washington, D.C. 17 – 18 February 2000. Conference Presentation.

Sutter, John D. “Scientists work to keep hackers out of implanted medical devices.” CNN Tech, CNN.com,16 Apr. 2010. Web. 24 Sept. 2012.





Dangerous Drive-by Downloads: Protecting yourself with NoScript

27 09 2012

by John Richards

The vast majority of internet users can be placed into one of two categories: internet users who are in a perpetual state of fear that they will be victimized by a malware attack, and internet users who believe they are not at any risk of being victimized by a malware attack because they have antivirus software installed on their computer. Users in the second category are not using the internet securely, and those in the first category are using the internet neither securely nor, due to their fear of malware, effectively.

According to Kevin Parrish of tomshardware.com, 17 percent of global internet users either do not have antivirus software installed, or have it installed but disabled. In the United States, the percentage of users who are completely unprotected is even greater, at 19.32 percent (Parrish). Let’s be charitable and assume that all our users in both categories have antivirus software installed on their computer and that it is

  1. A reputable product, and not itself malware
  2. A well designed and effective product
  3. Up to date with the latest virus definitions

These users are only protected, assuming their antivirus software operates at a 100% rate of success, from malware that has already been identified by antivirus companies and written in to their definitions and sent out in updates to users. These users are still vulnerable to zero-day exploits.

One way for malware to infect a computer system is via drive-by download. According to SecurityNewsDaily Staff, “Drive-by downloads are malicious pieces of software that are downloaded to a computer, tablet or smartphone when the user views a compromised Web page or HTML-based email message. In many cases, the malware will be automatically installed on the system.” (SecurityNewsDaily Staff) The plugins that initiate the drive-by download can be as small as 1 pixel, making them essentially invisible. How can a typical internet user with little knowledge of or skills in information security easily protect themselves from many (not all) drive-by download attempts? The Firefox NoScript extension.

NoScript will by no means protect internet users from all possible malware infections (nothing will), but it is a simple, easy-to-use means of significantly reducing your exposure to malware without requiring knowledge and skills in information security. According to noscript.net, the NoScript Firefox extension “provides extra protection for Firefox, Seamonkey and other mozilla-based browsers”, “allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice”, and “provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.” (“noscript.net”) These features combine to greatly decrease a user’s chances of being infected by malware that uses plugins to perform a drive-by download.

NoScript can be downloaded and configured on your Firefox browser in the following steps:

  1. Navigate to www.noscript.net
  2. Click the big green “Install” button on the middle left side of the screen
  3. A dialogue box will appear that says “Firefox prevented this site (noscript.net) from asking you to install software on your computer.” Click “Allow”
  4. When the download completes, a popup window will remind you to only install add-ons from authors whom you trust (an excellent idea). Click “Install Now”
  5. A window will tell you that NoScript will finish installing when you restart Firefox. Restart Firefox.

Now when you go to a website that you have not allowed to run scripts, instead of the scripts running automatically you will see something like this (screenshot not reproduced here):

By clicking on the options button in the bottom right corner you can temporarily or permanently allow scripts on the page, thereby easily viewing all content that requires plugins.
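As an added example (not NoScript’s own code, and not part of the original post), the following is a simplified model of the default-deny policy described above, run over a constructed HTML page. It lists the active content a page would load (script, iframe, object and embed tags), flags embeds that are effectively invisible (the 1-pixel or hidden frames the post mentions as a drive-by marker), and applies an allowlist so that active content runs only when its origin is permanently or temporarily trusted. The page, its URLs and the trusted list are all assumptions made for the demonstration.

```python
"""Simplified NoScript-style default-deny model (added example, not NoScript's code)."""
import re
from urllib.parse import urlparse

# Tags that load active content; the attribute string is captured for parsing.
TAG_RE = re.compile(r"<(script|iframe|object|embed)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(raw):
    """Attribute string of one tag -> dict of lower-cased name to value."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(raw)}


def is_invisible(attrs):
    """True for 1x1 (or smaller) embeds and for display:none / visibility:hidden."""
    def dim(name):
        value = attrs.get(name, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        return int(value) if value.isdigit() else None
    width, height = dim("width"), dim("height")
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def extract_active_content(html, page_url):
    """Return one record per script/iframe/object/embed tag in the page."""
    page_origin = urlparse(page_url).netloc.lower()
    records = []
    for match in TAG_RE.finditer(html):
        attrs = parse_attrs(match.group(2))
        src = attrs.get("src") or attrs.get("data") or ""
        host = urlparse(src).netloc.lower()
        records.append({
            "tag": match.group(1).lower(),
            "src": src,
            # relative or inline content is served by the page itself
            "origin": host or page_origin,
            "invisible": is_invisible(attrs),
        })
    return records


def apply_policy(records, trusted, temporary=()):
    """Default deny: content runs only if its origin is permanently or temporarily trusted."""
    allowed = set(trusted) | set(temporary)
    return [dict(r, run=r["origin"] in allowed) for r in records]


def blocked_invisible_embeds(html, page_url, trusted):
    """Hidden embeds the policy kept from running: the drive-by candidates worth a look."""
    decisions = apply_policy(extract_active_content(html, page_url), trusted)
    return [d["src"] for d in decisions if d["invisible"] and not d["run"]]


# Constructed page (hypothetical hosts): a first-party script, a CDN script,
# a hidden 1x1 third-party frame, and a visible plugin object.
SAMPLE_PAGE_URL = "http://news.example/article"
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="http://cdn.example/widget.js"></script>
<iframe src="http://tracker.example/drop" width="1" height="1" style="display:none"></iframe>
<object data="http://video.example/player.swf" width="640" height="360"></object>
</body></html>"""

if __name__ == "__main__":
    decisions = apply_policy(extract_active_content(SAMPLE_HTML, SAMPLE_PAGE_URL),
                             trusted={"news.example"})
    for d in decisions:
        verdict = "RUN  " if d["run"] else "BLOCK"
        print(f"{verdict} {d['tag']:<6} {d['origin']:<16} invisible={d['invisible']}")
```

With only the page’s own origin trusted, the first-party script runs and the three third-party items are blocked, including the hidden 1x1 frame; passing `temporary={"video.example"}` models the “temporarily allow” choice from the options button, which lets the visible player load while the hidden frame stays blocked.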

___________________

“NoScript.” noscript.net. Inform Action Open Source Software, 2012. Web. 25 Sep 2012. <http://noscript.net/>.

Parrish, Kevin. “1 in 6 Windows PCs Have Zero Antivirus Protection.” Tom’s Hardware. N.p., 31 May 2012. Web. 25 Sep 2012. <http://www.tomshardware.com/news/M,15826.html>.

SecurityNewsDaily Staff. “Drive-By Downloads: How They Attack and How to Defend Yourself.” Security News Daily. N.p., 18 May 2012. Web. 25 Sep 2012. <http://www.securitynewsdaily.com/1876-driveby-download-definition.html>.





More Information Security Awareness programs

26 09 2012

by David Munyaka

This blog focuses on the United States, but of course most, if not all, of the cases mentioned here may happen in other countries as well. Government institutions spend a lot of money trying to operate government information systems in the most secure way possible. This is because the government stores a lot of information about its citizens, such as names, social security numbers, state ID numbers, passport numbers, current residences, occupations, etc. The government has to protect all this information. If the government were to fail in protecting citizens’ information in its various databases, it would also have failed in its duty to protect its citizens. For this reason, among others, the government spends a lot of money making sure that this information does not end up in the wrong hands.

Private institutions such as hospitals, schools and financial institutions spend large amounts of money every year to protect patients’, students’ and clients’ information respectively. The success of a business relies a lot on how well a business is able to protect its clients’ information. Even laymen who may not be so concerned about information security will discontinue their membership with an institution that suffers security breaches and security violations quite often. For this reason private institutions spend huge amounts of money to protect clients’ information.

What does a layman do to protect his or her own information?

Well, a few examples may help. How often do you hear an individual on the phone placing an order for an item or service? In some cases people will read out their credit card information out loud, especially when they believe that the people in their proximity are trustworthy. I concur that this may not happen very often, but it does happen. Two vulnerabilities come to mind: the person who overhears the conversation may want to use the information, and the person on the other end may end up using the credit card information for his or her own needs. All that is required in most cases to make a purchase over the phone is a name, credit card number, expiry date and, depending on the card, sometimes the Card Security Code. But let us assume that making phone purchases in the manner described above is not common enough to cause problems and that people are cautious when making purchases.

Well, what about when one is on a job search? Most applications are online (for the sake of this blog the assumption is that the online applications are well secured), but some are still on paper. For example, if one needs a job at a restaurant, especially in this economy, one job application may not be sufficient. So one may apply online, or one may decide to drive around town and fill out hardcopy applications at different restaurants. Those applications ask for information such as name, physical address, previous employers, and yes, even social security numbers. This information is seen by most of the employees who already work at the restaurant (most of whom do not fall under the “need to know” category). These applications, with all this information, lie in some corner of the restaurant waiting for the store manager to review them. The point here is that many people can see private information (such as social security numbers) even though they are not the intended recipients of the job applications.

Online purchases: customers will sometimes buy items online from stores whose reputation they do not know. In the case of a fictitious online store, one may lose thousands of dollars if one’s credit card information is used by someone else, or even worse, one’s identity, depending on how much information was provided. Other undesirable practices, such as the sharing of passwords, are also common.

These examples are just to show that while the government and private institutions are spending large amounts of money making sure that our information is safe, we may be generously handing the same information to criminals. Even with major scientific advancements in information security, information will not be safe unless there is more awareness of the serious ramifications brought about by such unsafe practices.





Smartphone security

24 09 2012

The concept of the cellular phone was not something new. In a sense, portable radios, which have been in use since 1921, can be defined as early cellular phones (1)(4). In 1947, cellular phones were developed as mobile car phones, a concept created by Bell Laboratories. However, it was not until 1973 that the world was first introduced to the cellular phone we know today. Conceived by Motorola, the first cellular phone combined the idea of the car phone with modern technology to make the phone fully portable (1). With each passing decade, cellular phones advanced greatly, technologically surpassing their predecessors and rendering them obsolete. Today they are basically mini computers, or smartphones. A smartphone is defined as “a device that lets you make telephone calls, but also adds features that you might find on a personal digital assistant or a computer” (3). With these new capabilities and growing access to the Internet, smartphone security has become a growing issue. Smartphones use their own specific network protocols to send and receive data, whether by phone calls, web browsing, file transfers, etc. (5). These protocols include General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), Universal Mobile Telecommunications Service (UMTS), Wideband Code-Division Multiple Access (WCDMA) and others. Because these protocols are wireless, they are highly susceptible to many security vulnerabilities. One such vulnerability is the “Evil Twin” attack. An “Evil Twin” attack occurs when a hacker sets up a fake server with the identity of a legitimate hotspot service, so that when a user connects, their information can be intercepted (6). Improving the security of smartphone network protocols is imperative to prevent these kinds of attacks; a good example can be seen in the upgrade from IPv4 to IPv6 and IPsec.

Smartphone viruses have not been as common as computer viruses, even though they are essentially the same thing: executable files (7). This is because, unlike computer operating systems, which are mainly Microsoft products, smartphones vary in operating systems, software, and hardware. Also, these viruses can only spread to phones that have access to internet downloads, Bluetooth connections, or multimedia messages. The first smartphone virus, called Cabir, was created by malware developers to test its capability (7). Although it infected only a small number of Bluetooth-enabled phones, it made the undeniable statement that smartphones were not invincible to viruses and other security risks. Smartphone viruses can delete contacts and calendar appointments and spread by sending infected multimedia messages to all your contacts. As smartphones continue to grow in popularity, the threat of widespread viruses rises (7).

To improve network and software security, certain steps must be taken. Improving network protocols such as GPRS through encryption is paramount. German computer engineer Karsten Nohl deciphered the algorithm used by several telecommunication companies to encrypt mobile Internet traffic (8). He also discovered that several companies do not encrypt their digital data at all. These improvements should be made along the same lines as IPv6 and IPsec, which incorporated authentication and encapsulation. To improve software and operating system security, patches for mobile operating systems should be kept up to date. Several companies have developed virus detection software for detecting and removing viruses found on a phone. To prevent viruses from infecting your phone via Bluetooth, turn off Bluetooth broadcasting. By using these methods and others, smartphone security can be improved.

_____________

(1) “Cell Phone History.” Oracle ThinkQuest, n.d. Web. 18 Sep 2012. <http://library.thinkquest.org/04oct/02001/home.htm>.
(2) “History of Cell Phones.” N.p., n.d. Web. 19 Sep 2012. <http://www.global-source-mkt.com/cellphonefacts.html>.
(3) Cassavoy, Liane. “Cell Phones.” N.p., n.d. Web. 18 Sep 2012. <http://cellphones.about.com/od/glossary/g/smart_defined.htm>.
(4) Brain, Marshall. “How Cell Phones Work.” N.p., n.d. Web. 16 Sep 2012. <http://www.howstuffworks.com/cell-phone.htm>.
(5) Coustan, Dave. “How Smartphones Work.” Network Protocols. N.p., n.d. Web. 14 Sep 2012. <http://electronics.howstuffworks.com/smartphone3.htm>.
(6) Coustan, Dave. “How Smartphones Work.” The Future of Smartphones. N.p., n.d. Web. 14 Sep 2012. <http://electronics.howstuffworks.com/smartphone5.htm>.
(7) Layton, Julia. “How Cell-phone Viruses Work.” N.p., n.d. Web. 16 Sep 2012. <http://electronics.howstuffworks.com/cell-phone-virus.htm>.
(8) O’Brien, Kevin. “Hacker to Demonstrate ‘Weak’ Mobile Internet Security.” The New York Times. N.p., n.d. Web. 18 Sep 2012. <http://www.nytimes.com/2011/08/10/technology/hacker-to-demonstrate-weak-mobile-internet-security.html>.

 





Trojan.Taidoor: A Modern Chinese APT

23 09 2012

“We must use all types, forms, and methods of force, and especially make more use of nonlinear warfare and many types of information warfare methods … to use our strengths in order to attack the enemy’s weaknesses, avoid being reactive, and strive for being active.” [1]

In 1995, China’s Major General Wang Pufeng stated the nation’s position on information warfare, and it was clear that China was willing to utilize technology as an attack vector. This statement was made 14 years before USCYBERCOM was established to “ensure US and allied freedom of action in cyberspace, while denying the same to [their] adversaries” [2]. USCYBERCOM’s mission statement is essentially a more subtle version of Major General Wang’s declaration, only delivered much later.

China has viewed cyberwarfare and advanced persistent threats (APT) as a direct means of military defense and offense since the late 1990s, and grew to utilize cyber attacks to steal information and “leapfrog” [1] Western innovations and advancements. Today, China is not only behind, or suspected of being behind, cyber espionage operations; many organized Chinese groups have also been responsible for politically motivated attacks against Taiwan, Tibet, and the United States, to name a few.

In 2011, a series of attacks named Trojan.Taidoor restructured their 3-year-old strategy. Trojan.Taidoor, more commonly known as Taidoor, began focusing on attacking think tanks involved with US and Taiwanese affairs and the private sector, rather than a set of unrelated organizations. (Fun fact: Taidoor = 台门 = door into Taiwan.) 2011 also saw an increase in the frequency of attacks, including a peak in September 2012 when the US-Taiwan Defense Industry Conference was held [6].

Taidoor’s technical specifications include the expected email attacks as the breach component, where some are specially crafted for specific targets and others are more generalized phishing attempts [5]. Once Taidoor’s targets open the attachments in the attack emails, which are generally in xls, scr, pdf, or doc formats, a dropper is created in the target’s file system. The dropper then replaces itself with the malicious back door and continues on to the final payload [4]. From there, Taidoor’s back doors communicate with command & control servers, generally located near the attacker to reduce suspicion.

However, despite Taidoor’s seemingly more focused attacks since 2011, its operators’ motivations remain unclear, and it does not appear that any security firm has identified exactly what the attackers behind Taidoor do with compromised information. When Symantec traced the activity of Taidoor’s command & control servers, they found that the attackers engaged in live interactive sessions to traverse the compromised machine. The attackers seem to search for valuable documents without any clear methodology or strategy [5], a common trend in many APTs. While some APTs utilize zero-day vulnerabilities, several major Chinese APTs, including Taidoor, only exploit known Adobe or Microsoft vulnerabilities. As such, the attackers can be fairly certain that their victims are not the most technologically advanced, given their failure to patch extremely vulnerable software.
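As an added example, not code from the Symantec or Trend Micro analyses cited in this post, the following is a small mail-gateway triage check for attachments of the kinds described above (xls, scr, pdf, doc). Each attachment’s declared extension is compared with the file signature in its first bytes, and .scr files are flagged outright because that extension denotes a Windows executable regardless of how the file is named. All sample attachments are constructed for the demonstration and are not real Taidoor artifacts; the function and variable names are likewise assumptions.

```python
"""Attachment triage by extension and file signature (added example, not vendor code)."""

# Well-known file signatures (magic bytes) for the formats named in the post.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls container
PE_MAGIC = b"MZ"                                    # Windows executable (.exe, .scr)
PDF_MAGIC = b"%PDF"

# Extension -> signatures that a genuine file of that type may start with.
SIGNATURES = {
    "pdf": (PDF_MAGIC,),
    "doc": (OLE2_MAGIC,),
    "xls": (OLE2_MAGIC,),
    "scr": (PE_MAGIC,),
    "exe": (PE_MAGIC,),
}
EXECUTABLE_EXTENSIONS = {"scr", "exe"}


def declared_extension(filename):
    """Lower-cased final extension of the attachment name, or '' when there is none."""
    parts = filename.lower().rsplit(".", 1)
    return parts[1] if len(parts) == 2 else ""


def detected_format(data):
    """Format implied by the leading bytes, or None when no known signature matches."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return None


def triage(filename, data):
    """Return the reasons to hold this attachment; an empty list means no finding."""
    ext = declared_extension(filename)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        # A screensaver or exe arriving by mail is a finding on its own.
        reasons.append("executable_extension")
    expected = SIGNATURES.get(ext)
    if expected is None:
        # Formats outside the known set go to manual review.
        reasons.append("unlisted_extension")
    elif not any(data.startswith(sig) for sig in expected):
        # e.g. a ".doc" whose bytes are really a PE executable.
        reasons.append(f"content_mismatch:{detected_format(data) or 'unknown'}")
    return reasons


def triage_mailbox(attachments):
    """Map each filename to its findings; only attachments with findings are returned."""
    findings = {}
    for name, data in attachments:
        reasons = triage(name, data)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples that mimic the attachment shapes described in the post.
SAMPLE_ATTACHMENTS = [
    ("conference_agenda.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("budget_2012.xls", OLE2_MAGIC + b"\x00" * 8),
    ("invitation.scr", b"MZ\x90\x00\x03\x00"),       # executable using the .scr extension
    ("defense_brief.doc", b"MZ\x90\x00\x03\x00"),    # executable renamed as a document
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print(f"HOLD {name}: {', '.join(reasons)}")
```

The check catches the two crude cases (an executable sent as-is and an executable renamed as a document), but a genuine .doc or .pdf carrying an exploit for a known Adobe or Microsoft vulnerability has the correct signature and passes, which is exactly why the patching point made in the post matters more than any gateway filter.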

Taidoor’s frequency, targets, and technical details are similar to many other instances of cyberwarfare and espionage linked to China such as Luckycat. Today, China has been identified as the source of many attacks similar to Taidoor where the primary goals are to steal information or to gain competitive edge against other nations. China has an extensive past of recognizing the power of cyberwarfare and today we see the products of that history.

“Red Hackers” or “Chinese Honkers” [3], as media outlets have named them, are some of the most active members of the global cyberespionage and hacker communities and there seems to be no end in sight to their or any other nation’s cyberwarfare activities. In conjunction with ever-advancing technology, cyberwarfare is undoubtedly an area demanding increased attention.

_____________

[1] Bilio, Charles, and Welton Chang. “Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States.” Institute for Security Technology Studies at Dartmouth College, Dec. 2004. Web. Sept. 2012. <http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf>.

[2] “U.S. Department of Defense, Cyber Command Fact Sheet.” 21 May 2010. Web. 9 Sept. 2012. <http://www.stratcom.mil/factsheets/Cyber_Command>.

[3] Hille, Katherine, and Joseph Menn. “Hackers in frontline of China’s cyberwar.” Financial Times. N.p., 13 Jan. 2010. Web. 9 Sept. 2012. <www.ft.com/cms/s/2/5fbfe99a-0026-11df-8626-00144feabdc0.html#axzz26bpKpser>.

[4] “The Taidoor Campaign: An In-Depth Analysis.” Trend Micro. Trend Micro Incorporated, 23 Aug. 2012. Web. 10 Sept. 2013. <www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf>.

[5] “Trojan.Taidoor takes aim at policy think tanks.” Symantec Security Response. N.p., 27 Mar. 2012. Web. 9 Sept. 2012. <www.symantec.com/security_response/writeup.jsp?docid=2012-060716-0537-99>.

[6] Doherty, Stephen, and Piotr Krysiuk. “Trojan.Taidoor: Targeting Think Tanks.” Symantec Security Response, n.d. Web. 9 Sept. 2012. <www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf>.





Should Cybersecurity be regulated?

14 09 2012

by Will Liu

Introduction

This past year has seen representatives from both sides of the aisle present multiple Cybersecurity bills. The numerous bills highlight the differences in philosophies on regulating Cybersecurity in America. Because the two sides have been unable to resolve their differences and reach a compromise, there has been limited progress so far this year in getting legislation passed. The most recent Cybersecurity bill was filibustered by Senate Republicans this past summer. (SCHMIDT) The failures of bills presented in the House and Senate highlight the struggle to find a delicate balance between too much regulation and too little. Should Cybersecurity be regulated, and to what extent should the government get involved in the activities of private enterprise?

Existing regulation

A majority of states in the United States have passed laws governing disclosure to customers in the event of an information breach. The analysis of such laws can provide sample data and case studies to analyze the effectiveness of legislation to regulate Cybersecurity at the national level. Companies are hesitant to publicly disclose incidents of information breaches due to the negative press and devaluation of their companies that occur. Furthermore, executive compensation is often tied to stock performance. Managers may have financial incentives to keep incidents under wraps especially if they have an equity stake in the company.

A majority of states have responded by enacting laws requiring companies to disclose to customers whenever their personal information is compromised. California was one of the first states to enact legislation pertaining to data breaches, and most states have modeled their laws on California’s. An analysis of state data breach laws provides a good basis for extrapolating whether Federal Cybersecurity legislation will be beneficial as a whole or merely increase costs to businesses and society. Since state data breach laws have been around for some time, researchers have already begun analyzing data on the success of such laws. Researchers at the Heinz College at Carnegie Mellon have found that the “adoption of data breach disclosure laws reduce identity theft caused by data breaches by 6.1 percent, on average.” (Romanosky, Telang, and Acquisti) The laws also helped to “reduce the number of consumer records lost per breach, by about $800 on average, a change of 34 percent.” (Romanosky, Telang, and Acquisti) The researchers have also found that the additional benefits to society as a whole from the regulation outweigh the additional costs borne by the companies.

The unknown costs of Cybercrime

In order to fully analyze the cost of Cybersecurity regulation and the possible positive or negative externalities to the public, it is important to have accurate figures. An investigation conducted by ProPublica revealed that the $1 Trillion and $250 Billion costs of cybercrime often cited by politicians and government officials have been based on studies with poor methodologies. (Maass and Rajagopalan) Those studies were conducted by McAfee and Symantec, companies that have a financial interest in inflating the numbers. Researchers questioned the methodologies used to extrapolate the figures and noted that the corporate reports published by Symantec and McAfee would not pass the rigor of academia. (Maass and Rajagopalan) Government officials also have an incentive to inflate the numbers: government leaders and officials at agencies such as the NSA or FBI often cite such large costs of Cybercrime as a means to support larger budgets for their respective agencies. Since important decision makers are citing poorly constructed numbers, it is not surprising that companies worry that politicians will draft Cybersecurity bills with a huge regulatory burden, especially if the lawmakers drafting such bills base their decisions on incorrect figures that may be multiples higher than the actual cost of cybercrime.

With high-profile incidents such as the information breaches at LinkedIn and Sony, it is easy to support additional Cybersecurity regulation to help reduce the occurrence of such incidents. However, Cybersecurity is a complex issue that cannot be solved through regulation alone. Private industry and government face different priorities. Government agencies and law enforcement may devote tremendous resources to conducting an effective and fair investigation that catches the criminals, or to preventing classified information from being stolen. In the private sector, it may be acceptable for occasional information security breaches to occur as long as the risks are managed and costs minimized.

With regard to Cybersecurity regulations governing breaches of information, a Federal bill should be enacted to standardize information disclosure to customers. Currently there is a hodgepodge of laws enacted by states, each with a slight variation. Enacting a Federal law superseding state disclosure laws will help companies standardize response procedures. The law should also take one further step and create a mandatory reporting mechanism for companies to disclose whenever there are Cybersecurity incidents, including the costs of responding to such incidents, the attack methods, and the damage caused. Increased transparency will give researchers more data to produce better economic models to predict the aggregate cost of cybercrime to the United States. Furthermore, the additional information disclosed will make other companies aware of the current exploits and attack methods utilized by hackers. Such regulation would impose only a minimal cost on companies; it merely mandates that they report Cybersecurity incidents. It also motivates enterprises to secure their systems to prevent such public embarrassments.

___________

Maass, Peter and Megha Rajagopalan. “Does Cybercrime Really Cost $1 Trillion?” 1 August 2012. ProPublica. Electronic. 11 September 2012.

Romanosky, Sasha, Rahul Telang, and Alessandro Acquisti. “Do Data Breach Disclosure Laws Reduce Identity Theft?” Journal of Policy Analysis and Management (2011): 256-286. Electronic.

Schmidt, Michael S. “Cybersecurity Bill Is Blocked in Senate by G.O.P. Filibuster.” 2 August 2012. New York Times. Electronic. 10 September 2012.

MERIT Interactive: Insider Threat Cyber Training

10 09 2012

On hearing that it’s time for another information security training session, the common response from employees in many organizations is less than enthusiastic. Perhaps there is a rolling of the eyes, a comment about what a waste of time the stupid videos are, and then a defeated shrug of the shoulders in recognition of the fact that the session is not optional. From the get-go, this training session has little chance of success in delivering any sort of learning outcome. But what if the reaction was positive? What if the training session was viewed as an interesting activity provided by the organization and gladly attended while on the clock? By making the training session into something that is perceived as enjoyable and worthwhile, organizations have a much better chance of getting employees engaged in the sessions in a way that lets them best absorb the learning objectives. This sort of alignment of interests between the trainer and trainee is the aim of the MERIT Interactive training system that is currently being developed by the folks at CERT.

Cappelli, Moore, and Trzeciak explain that MERIT (Management and Education of the Risks of Insider Threat) is a model which “describes the profile of an insider IT sabotage attack by identifying common patterns in the evolution of the incidents over time” (p. 27)[1]. CERT has been collecting information on cases of insider threat for roughly a decade, and the number of cases in their database is currently over 700 (p. 7)[2]. The MERIT Interactive project fuses the core principles of MERIT with an attempt to create a training system based on playing a video game. Greitzer explains that this gaming platform “immerses players in a realistic business setting from which they make decisions about how to prevent, detect, and respond to insider actions, and see how their decisions impact key decision metrics”[3]. Greitzer goes on to state that “team orientation is critical because organizations typically identify these problems at an organizational enterprise level rather than at an individual manager or department level”[4].

It follows that another important feature of MERIT Interactive is that participants take part in a variety of roles in any given scenario in the session. This helps to create a better sense of the bigger information security picture, and of the larger structure of an organization and its variety of roles and functions. Cappelli, Moore, and Trzeciak explain that for this very reason, they “created system dynamics models representing the patterns, trends, and evolution of insider incidents, to provide a fuller understanding of indicators, precursors, and effective proactive and reactive countermeasures in the face of a possible attack” (p. 334)[5]. The MERIT Interactive prototype was built on this foundation of system dynamics modeling, and while it is focused on insider IT sabotage, there is also the option of expanding and adapting it to include additional topics. In fact, this flexibility has been intentionally built into the system from the beginning. Cappelli, Moore, and Trzeciak explain that “while the focus so far has been on insider IT sabotage, the design is, to some extent, data-driven allowing the implementation of additional scenarios without necessitating changes to the code” (p. 343)[6]. This being the case, MERIT Interactive appears to have a great deal of potential as an effective training tool that may be adapted to a variety of implementations.

If MERIT Interactive wasn’t enough, the folks at CERT have also created a scenario-based training environment called XNET, where “interactive, team-based exercises re-create complex actual insider threat scenarios and challenge participants to prepare for and respond to insider threat incidents” (p. 304)[7]. While an explanation of XNET is beyond the scope of this post, suffice it to say that there’s quite a bit of research and development in cyber training going on at CERT. The MERIT Interactive training system appears to be a sensible solution that is long overdue. The video game design gives it a greater likelihood of actively engaging users in training sessions, and the grounding in real insider threat case data and system dynamics modeling makes it a serious tool for trainers to effectively convey real-world learning objectives. It will be interesting to see what MERIT Interactive will look like once it emerges as a finished product, and what other aspects of cyber training it will ultimately implement.


[1] D.M. Cappelli, A.P. Moore, and R.F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison Wesley, Upper Saddle River, NJ (2012).

[2] Ibid.

[3] F.L. Greitzer, et al., “Combating the Insider Cyber Threat,” IEEE Security & Privacy, vol. 6, no. 1, Jan-Feb 2008, pp. 61-64.

[4] Ibid.

[5] D.M. Cappelli, A.P. Moore, and R.F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison Wesley, Upper Saddle River, NJ (2012).

[6] Ibid.

[7] Ibid.