Category: News

“The exposure of these systems to malicious actors in cyberspace is greater than in the past, because these systems are more often connected to the Internet,” Purdy said in an interview with SecurityFocus.

Because SCADA and other types of control systems regulate real world activity, such as the amount of water flowing though a dam or the electricity flowing through a transformer, their lack of security has worried experts for some time. Yet, in the past few years, attacks by external sources, such as online attackers, have jumped to 70 percent of incidents involving SCADA systems, up from 31 percent of incidents recorded between 1980 and 2001, according to a paper published by the British Columbia Institute of Technology. Sources interviewed for this article maintained that there have been SCADA system attacks, but such incidents are almost never made public. And U.S. authorities investigated online reconnaissance of U.S. critical infrastructure systems by attackers thought to be linked to al Qaeda in Pakistan, Saudia Arabia and Indonesia. However, other breaches have happened and the industry has paid the price for secrecy, said Lori Dustin, vice president of marketing and services for control system maker Verano.

Nearly 1,700 of the 3,200 power utilities have some sort of SCADA system in place, according to a recent survey by industry researcher Newton-Evans. The older networks of control systems have not adapted well to the needs of a deregulated power industry, Samuel Varnado, director of the Information Operations Center at Sandia National Labs stated in written testimony to the Congressional subcommittee. Sandia has demonstrated a way to use SCADA system vulnerabilities to turn out the lights in most major cities, Varnado told the subcommittee last week.

In 2006, the DHS plans on releasing a document outlining the best practices for control-system operators through the Cybersecurity Protection Framework.

http://www.securityfocus.com/news/11351

“Certainly, the criminal behavior that happens today is the greatest risk,” said Jonathan Zar, senior director at SonicWall Inc. and chairman for outreach at VOIPSA, which has more than 100 members from the hardware, software and telephone carrier businesses.

In an initiative reminiscent of the industry’s lobbying campaign leading up to the ineffectual CAN-SPAM Act of 2003, VOIPSA is trying to direct policy-makers’ attention away from the technologies that enable new headaches for users and turn the spotlight on human behavior. The distinction between the human action behind threats to VOIP and their technical means is meant to dissuade policy-makers from imposing technology-related rules that could hinder growth and innovation in the industry.

“There is a policy and regulatory effort under way, and a number of us have been concerned that that was not informed,” said Zar in Sunnyvale, Calif. “We want it to be secure, but we don’t want it to be as secure as East Germany was under the Stasi.”

In addition to the vulnerabilities inherited from data networking, a number of VOIP-specific threats confront calls carried over IP. Privacy advocates, who widely rate Congress’ action to reduce e-mail spam as ineffective, argue that more needs to be done to protect consumers. “What often is missed with social irritants like spam and telemarketing is that they are a product of privacy violations,” said Chris Hoofnagle, director and senior counsel at the Electronic Privacy Information Center, in Washington.

Lessons learned from the ongoing problem of e-mail spam likely will help the industry reduce the risks to VOIP, said Ray Everett-Church, chief privacy officer and senior consultant at Philadelphia-based ePrivacy Group. “With the current deployment of VOIP systems, you’re not seeing nearly the risk of spam that you saw very quickly with the rise and popularity of e-mail,” Everett-Church said.

http://www.eweek.com/article2/0,1895,1876547,00.asp

Speaking at the Biometrics 2005 conference in London, Bernard Herdan, chief executive of the U.K. Passport Service (UKPS), said Thursday that the passports would be phased in by February 2006 and completed by July 2006.

“We have to make sure that as we cross from digital production to e-passport production that the technology works in all other countries,” Herdan said.

The move may have been spurred by U.S. demands for all countries within its visa-waiver program to have a machine-readable biometric passport by October 2005. Existing U.K. passport holders will not need to have their passports updated, but they will have to comply with the new guidelines when they renew or replace their passports, Herdan said.

E-passports will incorporate a special chip that stores basic data, including the passport holder’s name, and date and place of birth. U.K. ID cards will be issued with the passports, which will contain finger and thumb images; two iris images; and facial images. These will also be stored on a National Identification Register. Herdan explained that “this is all part of a more holistic approach to move towards more rigorous identification.”

The chips will be embedded in the front cover of the passport. New applicants will also face an interview for further authentication.

“We believe there is a pressing need for an improved integrated system of identity authentication. One part of this is the Personal Identity Project, through which information supplied by passport applicants is checked against information held on private and public sector databases,” Herdan said. “Facial recognition has to be the direction the travel industry is heading in,” he added. “We want to move to an environment where airlines are doing pre-board checks, but our first step is to secure our borders.”

http://news.com.com/Full+biometrics+ID+plan+to+reach+U.K.+by+2009/2100-7348_3-5905430.html?part=rss&tag=5905430&subj=news

– Disaster recovery/business continuity
– Employee awareness programs
– Data backup
– Overall information security strategy
– Network firewalls
– Centralized security information management system
– Periodic security audits
– Monitoring employees
– Monitoring security reports (log files, vulnerability reports and so on)
– Spending on intellectual property protection

This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost. One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.

http://www.csoonline.com/read/100105/survey_topten.html

Issues:

Intellectual property left on a laptop that’s gone missing.
Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies.
Phishing scams by the thousands: puddle phishing, Wi-phishing, pharming.

We haven’t even mentioned good old viruses and worms, but those still work too.

To borrow from forestry parlance, information security is an escaped wildfire.And according to “The Global State of Information Security 2005,” a worldwide study by CIO, CSO and PricewaterhouseCoopers (PwC), you are the firefighters,desperately trying to outflank the fireline and prevent flare-ups and firestorms.It’s a thankless, impossible business.

In this environment, just holding your ground is a victory, and that’s what you’re doing.

This is the third annual edition of the survey—once again the largest of its kind with more than 8,200 IT and security executives responding from 63 countries on six continents. Each year the data has shown incremental improvement in the tactical battle to react to and fight off security incidents.

At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place.

There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.

Just 37 percent of respondents reported that they had an information security strategy—and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing. “When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers. “Right now, there’s hardly a fire code.”

Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too. ”

Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. Maybe even create a fire code so that if a cow does knock over a lantern,the whole city won’t burn.

http://www.csoonline.com/read/100105/survey.html

Here are two theories, both of which probably play some role: One, the regs are confusing and difficult to comply with.

Companies don’t fear any serious repercussions for not complying with the regulations, either because the mandates are too vague to really be enforced, or the regulatory agencies aren’t devoting resources to enforcement.

Supporting the “lack of teeth” theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.

Lobel offers a third factor: “There’s just a lot of regs for these guys to deal with.”

http://www.csoonline.com/read/100105/survey_compliance.html