Wikileaks.org is currently experimenting with the economics of information disclosure. As of January 21, the site was offline, soliciting donations that will assist its operators to continue to provide service. That service, of course, is the coordinated disclosure of secret information that once belonged to governments, corporations, and other organizations, and the subsequent efforts to ensure that this information remains public.
When discussing the Wikileaks operational suspension, it is easy to see that there can be both positive and negative aspects to such a disclosure policy. This is to be expected — information disclosure is a risk decision, and as with all risk decisions, there are issues of risk tolerance and risk acceptance that differ among organizations. How Wikileaks chooses to approach information handling and disclosure should give some insight into their motivations and direction. But it is especially interesting to see some of the economic factors behind Wikileaks, some of their operational challenges, and what kinds of risks they are preparing to face.
Before we begin part 3 in this series, let’s review what we’ve covered so far. In the first post we learned how this bot was discovered and some basics about botnets. In the second post we covered botnet fundamentals like command and control (C&C) and various other capabilities. In this post we will examine some of the offensive features incorporated into a botnet designed to launch attacks and maintain control of hosts (aka victims). First we will discuss how botnets spread and then we will look at flooding and how it’s implemented in this bot.
There are two main ways malware spreads. It’s important to note that these two methods are not mutually exclusive. The first method, made famous by the Morris worm, involves targeting a network-based vulnerability; the author designs an exploit to spread his malware. Once the malware takes over a machine it then infects other machines. Every time the binary moves from one machine to another the botnet has the potential to see exponential growth. Most vulnerabilities only affect a specific operating system at a specific range of patch levels. Malware of this nature often hits big and then its growth rate takes a steep dive as patches become available and as malware is removed. Once the vulnerability is patched, the malware must adapt or accept a shrinking attack surface. Two recent examples of this method are Conficker and Slammer. It is important to note the distinction between the growth rate slowing down and the number of compromised machines. There are still countless machines connected to the Internet running both worms. Even as the growth rate approaches zero, many, many computers have already been infected and continue to run the malware. In two days’ time on a single Intrusion Prevention System (IPS) we saw over 178,000 Slammer attacks.
The second method requires no vulnerability at all: an attacker simply needs to trick an unsuspecting user into running a binary that is under the control of the attacker. This attack vector is known as a trojan horse. A malware author would package his wares as a link from a friend, a new game of interest, or even a program to create keys for pirated software, etc.
Do you view your security posture in the office as more or less important in comparison to your residence? And how does that compare to the personal security profile that you exercise for you and your family? Who should be shouldering the security responsibility? I posit — you are responsible. And I would add that you also need to hold yourself accountable.
At work you may rely on yourself. If you are fortunate enough to work for a company with resources focused on security, you may, dare I say, share reliance with a few groups. These groups include the “information security” team who attempts to keep information safe (be it data, network, laptop or smart phone), the “physical security” team who keeps your building safe from intruders, and the local “industrial police force” responsible for keeping your person safe and secure. Such reliance is appropriate. In each instance the person or entity you are relying on the most is also relying on you at least as much, and oftentimes more so.
An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences — be they intended or unintended — of your choices should you not follow the rules. This is the accountability part of the equation — you own the end result of your choices and actions.
Throughout my 30+ years involved in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure! It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!” It just doesn’t happen. Though the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well. And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. However, we all bear responsibility for our own security.
Let me share a few of my thoughts:
Insurgents in Iraq and Afghanistan used satellite recording software, commonly used to capture satellite broadcasts, to intercept video from US military warplanes and drones. In the aftermath of the Wall Street Journal’s publication of this information, many security professionals have weighed in to offer their criticism of the US military’s oversight, and we have also provided our thoughts on the matter in our own Cyber Risk Report: Concerns Raised over Unencrypted Military Video Feeds.
Certainly the military should be encrypting this content, right? We have the technology, and it’s sensitive information, so there shouldn’t be any argument. The CIA already encrypts these videos for all of their drones, according to Gartner analyst (and former National Security Agency analyst), John Pescatore. Still, Bruce Schneier has dissented in a way — he does not argue that the feeds should be unencrypted. Rather he offers that encryption standards designed to thwart resourceful nation states are not necessary against today’s opponents with far fewer resources (but more advanced technology readily available).
What’s the verdict then: encrypt, or not?
With the global excitement and opportunity of the Smart Grid, a lot of historically IT-focused companies, including Cisco, are entering the market. It’s important to note that there are unique characteristics of the grid when attempting to apply IT security solutions. In this post I’ll focus on the primary goal of power generation and delivery: reliability. In subsequent posts I’ll discuss other security requirements of the grid (such as integrity, authentication, and confidentiality), and how we can apply lessons learned from the IT sector.
To better understand the culture shift from securing IT systems, we need to clarify the focus of grid security. In the IT world, we often focus on protecting information. For example, in United States Department of Defense circles, security is usually referred to as Information Assurance. Smart Grid security (usually called “cyber security,” or just “cyber” by electric sector practitioners), however, concerns itself with making sure that systems continue to operate in the case of a security event. An equivalent term for the grid would be “Continuation Assurance.” The smart grid community considers anything with the potential to affect system reliability a cyber security issue, from disgruntled insiders to operator error or a deliberate attack from the outside that affects any portion of the grid – substations, data centers, operations centers, neighborhood area networks, and eventually homes. The effectiveness of cyber security measures will be judged mainly on their contribution to keeping the systems running!
Why is reliability key to the grid?