
Monday, May 26, 2014

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

Many banks find it challenging to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of their risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren't doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, about 50 percent review it only quarterly, and 23 percent review it once or twice per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Friday, April 19, 2013

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australia government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, DSD stated that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including their status in implementing Infosec 4, to the relevant minister.

Monday, April 15, 2013

Australian Feds charge 17 year-old 'Anon' with four crimes

17-year-old suspected member of ‘Anonymous’ charged with unauthorised access to computer data

A 17-year-old youth appeared in Parramatta Children's Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data. The juvenile is suspected to be a member of the online issue-motivated group "Anonymous" and allegedly committed serious offences on its behalf.

Commander Glen McEwen, Manager Cybercrime Operations, said the AFP takes any computer intrusion offences very seriously and remains committed to investigating offences that occur in cyberspace. "Protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue," Commander McEwen said. "The AFP investigates various types of cybercrime and will continue to take a strong stance against these perpetrators."

Refer here to read more details.

Monday, February 25, 2013

AusCERT - Cyber Crime and Security Survey Report 2012

Over half of respondents have increased their expenditure on IT security in the previous 12 months

The recently released Cyber Crime and Security Survey Report 2012 conducted by CERT Australia, in partnership with the Centre for Internet Safety at the University of Canberra, is readily available from CERT Australia’s public website – see www.cert.gov.au.

It is highly recommended reading for IT & Information Security professionals within Australia.

Some 450 businesses were approached to participate in the CERT Australia Cyber Crime and Security Survey, from which the report was developed. It is suggested that you share the report with your IT colleagues (and vice versa).

The report highlights cyber security issues and may be suitable for referencing as an external source providing justification for funding of IT/control system security initiatives.

The inaugural Survey was designed to obtain a better understanding of how cyber incidents are affecting the businesses that form part of Australia’s systems of national interest – the businesses that partner with CERT Australia.


The survey consisted of 24 questions, both closed and open ended, to ascertain:

  • business description
  • types of IT security used
  • types of cyber security incidents experienced, and
  • industry reporting of incidents.


The findings from the survey provide a picture of the current cyber security measures these businesses have in place; the recent cyber incidents they have experienced; and their reporting of them.

Refer here to download the report.

Monday, December 10, 2012

What Security Issues Are Associated With Mobile Devices and App Development?

5 Mobile Security Trends and Actions to Consider

Governments are aggressively going mobile with new devices, app development projects and system integration efforts. Whether buying proven off-the-shelf products or developing mission-critical apps from scratch, there’s little doubt that the future interface for delivering customer service will be tablets and smartphones.

Estimates suggest that at least 50 percent of users will access the Web via mobile devices by the end of 2013. Meanwhile, many governments that implemented cloud-first policies over the past few years are developing new “mobile-first” edicts to match.

Indeed, tech experts have described the customer data landscape to business leaders with a triangular diagram containing three interacting puzzle pieces: cloud computing, mobile devices and security.

Some of these new apps are being acquired for public-sector workers to use on government-owned devices to improve efficiency. Other apps are citizen-centric, and they must be usable on the many new devices and operating systems now available and those coming soon.

So what security issues are associated with mobile devices and app development? Here are five mobile security trends and some actions to consider as you become more mobile:

More Mobile Data Than Ever

For years, sensitive enterprise data has leaked via USB drives and lost or stolen laptops, but the number of smartphones, tablets and other mobile devices has exploded.

Actions: Establish policies that encrypt mobile data on devices or keep all sensitive data off mobile devices. If accessing sensitive information is required, consider data loss prevention products and keeping all personally identifiable information on protected enterprise servers and off the endpoint devices.

More Mobile Malware

The bad guys are following the crowds, who are buying smartphones and tablets with more power than PCs of a decade ago. The DroidDream and Gemini malware attacks were launched in early 2012, and some call this the “Year of Mobile Malware.” Mobile botnets are also growing.

Actions: Mobile device management services can protect devices by locking down permissions and offering anti-malware software and tools. Training end users is also essential via formal awareness programs that explain how to think before clicking.

Growing Use of BYOD to Work

Some security experts see the BYOD trend as “bring your own disaster.” Nevertheless, one top industry expert predicted that 80 percent of global enterprises will adopt this approach by 2016.

Actions: Meet with business customers about mobile device preferences. Consider piloting BYOD in areas with nonsensitive data. Develop policies for the use of personal devices under different scenarios, even if some business areas opt out.

Authentication Complexity Growing

Despite the push for single sign-on, many enterprises still struggle with more credentials for more apps and devices. Users are tiring of more complex passwords, and the use of biometrics is growing.

Actions: Streamline credentials with federated identity management across government systems, mobile apps and legacy programs. Consider using federal health IT dollars as anchor tenants. Apply government policies to personal devices, if they store business data — after getting employee buy-in.

Mobile Platform Support Is Complex

Whether you’re writing apps for Apple’s iOS, Google’s Android, BlackBerry’s BES or Microsoft’s Windows 8, secure coding is hard work. One technology CEO said, “You’d be hard pressed to find application developers who actively try to mitigate against cross-site scripting attacks, SQL injection attacks and cross-site request forgery attacks.”

Actions: HTML5 is growing as an industry standard across mobile platforms — consider adopting it. Train staff in secure coding. And before deploying code, test it for holes.

Final Thoughts

Government executives must consider having vendor partners manage specific services or assist with mobile activities. IT consumerization makes this a difficult area to keep up with. 

Please refer to the draft guidance on mobile security issued by the National Institute of Standards and Technology for further details.

Wednesday, October 10, 2012

China Gets Serious about Grid Security

China announced its plans for a massive increase in smart grid security spending in an effort to contain risks that may arise from its aggressive smart grid expansion.

What happened

Fears that its rapidly expanding electricity infrastructure may be vulnerable to security and cyber attacks prompted China to announce plans for a staggering increase in smart grid security spending. Representing a compound annual growth rate (CAGR) of almost 45%, grid defense spend will grow from US$1.8b in 2011 to US$50b by 2020.

Background

A new report by the business analysts at GlobalData described China’s smart grid security situation as an anomaly due to the scale of expenditure when compared with that of other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on cyber security during the same forecast period.

But to put things in perspective, the GlobalData research also offers the following observations on China’s grid security policy:

  • China has a strained relationship with a number of nations in relation to cyber security.
  • The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach its power systems.
  • China fears that these accusations may have fostered an environment of mistrust which may lead to retaliatory cyber-attacks on its own power infrastructure.
  • China continues to experience rapid urbanization and to expand its smart grid, which directly results in increased exposure to cyber attacks.

And let us not forget the Stuxnet computer worm discovered in 2010. The Stuxnet example is arguably the most dramatic demonstration of the vulnerability of modern power grids to malicious cyber-attack.

According to GlobalData, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”

Serious threats to securing the grid

A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to Watch in 2012 and Beyond, identified the following threats to power grids everywhere:

  • One size doesn’t fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meter saturation in the US versus EV adoption rates in the Middle East.
  • Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
  • Assume nothing: “security by obscurity” will no longer be acceptable. Using the example of the Stuxnet worm, assume attacks are a probability and not merely a possibility.
  • Chaos ahead?: The lack of security standards will hinder action. No industry standards exist.
  • Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devices have built-in cyber security, some supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
  • System implementation will be more important than component security. Cyber security works to protect a whole entity, and attackers look for holes.

Saturday, May 5, 2012

VIDEO: 36 websites selling credit card details shut down

Cybercrime is big business these days, in fact it's an industry


Authorities are taking action against those who are turning cybercrime into such a significant underground industry.


So it's not a surprise to find that criminals are embracing ecommerce. Sophos advised that users will be surprised to discover just how professional and legitimate criminal websites can appear.


The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.


For instance, watch the following video to see footage of a website that was selling stolen credit card details.


Wednesday, December 14, 2011

U.S. power grid is a big & soft target for cyberattack

MIT study report shows security gaps widening, risk increasing as power nets improve

The "malicious attack from Russian hackers" that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after interviewing the prime suspect for a story that ran last week.

That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.

The U.S. electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious; the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the MIT Energy Initiative, Massachusetts Institute of Technology Sloan School of Management.

U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.

While the risk of a Stuxnet-like attack on utilities was dismissed by many security experts after the revelation that reports of a successful attack on the Illinois water utility were mistaken, the possibility of such an attack was not.

Current risks of cyberattack on electric utilities
  • Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central offices.

  • Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.

  • Commuting disruptions for electric vehicle operators can occur if recharging stations have been modified to incorrectly charge batteries.

  • Data confidentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).
– Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

"With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…
… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. And its goals must include ensuring the continuous and reliable operation of the electric grid…
…We believe the natural evolution of grid information technologies already points toward such an approach: the development and integration of increasingly rapid and accurate systems control and monitoring technologies should facilitate quicker attack detection—and consequently, shorter response and recovery times.

Cyberattack response and recovery measures would be a fruitful area for ongoing research and development in utilities, their vendors, and academia." – Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

U.S. utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.

Saturday, December 3, 2011

Norway hit by major data-theft attack

Industrial secrets from companies were stolen and "sent out digitally from the country"

Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said.
Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.

The methods varied, but in some cases they involved individually crafted e-mails that, armed with viruses, would sweep recipients' entire hard drives for data and steal passwords and confidential documents.

The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.
Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan Horse, a particularly potent computer virus, being installed on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments.

Refer here to read further details.

Wednesday, November 9, 2011

Guidance to Safeguard Digital Assets in Fiscally Challenged Times

12 Core Information Security Services

To help states keep their IT security robust in these tough economic times, the National Association of State Chief Information Officers has published a taxonomy of a dozen critical IT security services.

The 12 core services identified in the report, The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs, could prove useful for other government and non-government organizations working to secure their information assets under financially challenging conditions.

1. Information Security Program Management: Plans, provides oversight and coordinates all information security activities.
  • Align security program activities and staff with a generally accepted best practice framework.
  • Oversee the creation and maintenance of information security policies, standards, procedures and guidelines.
  • Create and maintain strategic and tactical plans.
  • Coordinate the movement of plans, policies, standards and other authoritative documents through a governance process.
  • Track information security risk key performance indicators.
  • Disseminate security metrics and risk information to executives and other managers for decision making.
  • Coordinate security efforts.

2. Secure System Engineering: Designs appropriate security controls in new systems or systems that are undergoing substantial redesign, including in-house and outsourced solutions.
  • Integrate information security design requirements in the system development life cycle.
  • Participate as a security consultant on significant technology projects.
  • Assist with the creation of system security plans, outlining key controls to address risks.
  • Assist with the creation of residual risk documentation for management acceptance.
  • Integrate security requirements into contracts for outsourced services.
  • Assist with the creation of information security policies, standards, procedures and guidelines.
  • Assist with the creation of secure configuration standards for hardware, software and network devices.

3. Information Security Awareness and Training: Provides employees at all levels with relevant security information and training to lessen the number of security incidents.
  • Coordinate general security awareness training for all employees and contractors.
  • Coordinate security training for groups with specialized needs, such as application developers.
  • Provide persistent and regular messaging relating to cybersecurity threats and vulnerabilities.

4. Business Continuity: Ensures that critical business functions will be available in a time of crisis.
  • Coordinate business impact analysis.
  • Develop appropriate recovery strategies for services.
  • Develop disaster recovery plans for identified key technologies.
  • Coordinate testing to ensure that services can be recovered in the event of an actual disaster.

5. Information Security Compliance: Validates that information security controls are functioning as intended.
  • Coordinate continuing assessments of key security controls in in-house and outsourced systems.
  • Complete independent pre-production assessments of security controls in new systems or systems that are undergoing substantial redesign.
  • Coordinate all IT audit and assessment work done by third-party auditors.
  • Monitor third parties' compliance with state security requirements.

6. Information Security Monitoring: Gains situational awareness through continuous monitoring of networks and other IT assets for signs of attack, anomalies and inappropriate activities.
  • Create and implement an event logging strategy.
  • Place sensors, agents and security monitoring software at strategic locations throughout the network.
  • Monitor situational awareness information from security monitoring and event correlation tools to determine events that require investigation and response.
  • Disseminate potential security events to the information security incident response team.

7. Information Security Incident Response and Forensics: Determines the cause, scope and impact of incidents to stop unwanted activity, limit damage and prevent recurrence.
  • Manage security incident case assignments and the security investigation process.
  • Mobilize emergency and third-party investigation and response processes, when necessary.
  • Consult with system owners to help quarantine incidents and limit damage.
  • Consult with human resources on violations of appropriate use policy.
  • Communicate with law enforcement, when necessary.

8. Vulnerability and Threat Management: Continuously identifies and remediates vulnerabilities before they can be exploited.
  • Strategically place scanning tools to continuously assess all information technology assets.
  • Implement appropriate scan schedules, based on asset criticality.
  • Communicate vulnerability information to system owners or other individuals responsible for remediation.
  • Disseminate timely threat advisories to system owners or other individuals responsible for remediation.
  • Consult with system owners on mitigation strategies.

9. Boundary Defense: Separates and controls access to different networks with different threat levels and sets of users to reduce the number of successful attacks.
  • Assist with the development of a network security architecture that includes distinct zones to separate internal, external and demilitarized-zone traffic and segments internal networks to limit damage, should a security incident occur.
  • Participate in the change management process to ensure that firewall, router and other perimeter security tools enforce network security architecture decisions.
  • Periodically re-certify perimeter security access control rules to identify those that are no longer needed or provide overly broad clearance.

10. Endpoint Defense: Protects information on computers that routinely interact with untrusted devices on the internet or may be prone to loss or theft.
  • Manage processes and tools to detect malicious software.
  • Manage processes and tools that only permit trusted software to run on a device, commonly referred to as whitelisting.
  • Manage processes and tools to prevent certain software from running on a device, commonly referred to as blacklisting.
  • Manage processes and tools to identify unauthorized changes to secure configurations.
  • Manage processes and tools to encrypt sensitive data.

11. Identity and Access Management: Manages the identities of users and devices and controls access to resources and data based on a need to know.
  • Maintain identities, including provisioning and de-provisioning.
  • Enforce password policies or more advanced multifactor mechanisms to authenticate users and devices.
  • Manage access control rules, limiting security access to the minimum necessary to complete defined responsibilities.
  • Periodically recertify access control rules to identify those that are no longer needed or provide overly broad clearance.
  • Restrict and audit the use of privileged accounts that can bypass security.
  • Define and install systems to administer access based on roles.
  • Generate, exchange, store and safeguard encryption keys and system security certificates.

12. Physical Security: Protects information systems and data from physical threats.
  • Maintain facility entry controls and badging systems.
  • Manage equipment and media destruction processes.
  • Maintain building emergency procedures.
  • Perform screening/background checks on job applicants.
  • Implement controls to mitigate facility vulnerabilities.

Friday, August 5, 2011

Cyber Storm III participants found shortcomings in its cybersecurity “escalation procedures”

Australian report identifies cybersecurity gaps during Cyber Storm III exercise

An Australian report issued Monday found gaps in cybersecurity procedures and processes for both government and industry, based on a review of the US-sponsored Cyber Storm III exercise held last September.

The report, commissioned by the Australian government and carried out by former Australian Army intelligence officer Miles Jakeman, said that Cyber Storm III identified "gaps" in cybersecurity procedures, processes, and plans by government and industry.

The Australian government identified gaps in its interim cybersecurity crisis management plan, and industry found shortcomings in its cybersecurity “escalation procedures”, according to the report.

The Cyber Storm III exercise included participants from seven US federal agencies, 11 US states, 60 private companies, and 12 international partners. The Australian government sent representatives from the Defence Signals Directorate, Computer Emergency Response Team (CERT) Australia, and the Australian Federal Police; industry was represented by Telstra, ASX, Woolworths, ANZ, and domain name registrar AuDA.

Australian Attorney General Robert McClelland said that more than 50 Australian organizations participated in Cyber Storm III. He said in releasing the report: “The Cyber Storm III exercise provided a good test of new government processes including the interim cybersecurity crisis management plan, which allowed agencies to identify gaps and revise processes.”

McClelland added: “The exercise revealed many areas where internal and cross-sector partnerships worked effectively to communicate and resolve issues, but also highlighted areas where communications and planning could be further developed… While it did highlight gaps within existing government and business cyber incident processes, particularly in regards to escalation procedures, this feedback allows both government and businesses to take steps to improve our cybersecurity.”

Monday, August 1, 2011

US fears that Stuxnet variants could threaten its critical infrastructures

US government warns of potential Stuxnet variants

Security experts at the US Department of Homeland Security (DHS) fear that variants of the Stuxnet worm could threaten important US infrastructures. In a US House of Representatives committee hearing, Roberta Stempfley and Sean P. McGurk from the DHS's Office of Cyber Security and Communications said that copies of the Stuxnet code have been publicly available for some time, and that the increasing amount of available information about it potentially enables attackers to develop variants that could target a larger number of systems.

According to the two experts, Stuxnet was first discovered in July 2010. It was believed to be targeting an Iranian uranium enrichment facility at Natanz and would only become active once it had identified its target. When asked by anti-virus vendor McAfee in April 2011, 59 per cent of German power, gas and water suppliers replied that they were able to identify the Stuxnet worm in their systems. However, according to the state of knowledge at the time, the worm didn't cause any damage.

Shortly after the discovery of Stuxnet, the DHS started to analyse the code, which experts describe as highly complex, and to inform other governments of its findings. The worm is reportedly intended for industrial control systems that feature a specific hardware and software combination. Stempfley and McGurk said that this type of malware could automatically infect a system, steal sensitive information, manipulate the system and cover up its actions.

Friday, July 29, 2011

Obama to Battle International Cybercrime

Administration Strategy Sees IT as Fostering Cybercrime

President Obama Monday declared a national emergency to battle what he characterizes as the extraordinary threat transnational criminal organizations pose to the nation's security, foreign policy and economy.

As part of the national emergency declaration, the White House issued a strategy to combat transnational organized crime, in which cyber is a crucial component both of how such crime grows and of how it is combated.

"During the past 15 years, technological innovation and globalization have proven to be an overwhelming force for good," Obama said in the introduction to the strategy. "However, transnational criminal organizations have taken advantage of our increasingly interconnected world to expand their illicit enterprises."
The strategy's 56 priorities include enhancing intelligence and information sharing and protecting the nation's financial system and strategic market against transnational organized crime.

Transnational organized crime has traditionally been largely regional in scope, hierarchically structured and had only occasional links to terrorism, the strategy says, adding that's no longer the case. "Today's criminal networks are fluid, striking new alliances with other networks around the world and engaging in a wide range of illicit activities, including cybercrime and providing support for terrorism," the strategy states. "Virtually every transnational criminal organization and its enterprises are connected and enabled by information systems technologies, making cybercrime a substantially more important concern."

The strategy says criminal networks employ cyber technologies to perpetrate sophisticated frauds; create the potential for the transfer of weapons of mass destruction to terrorists; and expand narco-trafficking and human and weapons smuggling networks.

Among the actions the strategy says the administration will take is to enhance domestic and foreign capabilities to combat the increasing involvement of transnational-organized-crime networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.

According to the strategy, transnational-organized-crime networks cost consumers billions of dollars annually, threaten sensitive corporate and government computer networks and undermine worldwide confidence in the international financial system. Through cybercrime, transnational criminal organizations pose a significant threat to financial and trust systems - banking, stock markets, e-currency and value and credit card services - on which the world economy depends.

$1 Billion in Fraud Against U.S.

How bad is the situation? The strategy contends online frauds perpetrated by Central European cybercrime networks have defrauded American citizens and businesses of $1 billion in a single year. And, the Secret Service says financial crimes facilitated by anonymous online criminal fora result in billions of dollars in losses to the nation's financial infrastructure.

Pervasive criminal activity in cyberspace imperils citizens' and businesses' faith in digital systems, which are critical to our society and economy, the strategy says.

The strategy sees computers and the Internet playing a role in most transnational crimes, either as the target or the weapon used in the crime. "The use of the Internet, personal computers and mobile devices all create a trail of digital evidence," the strategy states. "Often the proper investigation of this evidence trail requires highly trained personnel. Crimes can occur more quickly, but investigations proceed more slowly due to the critical shortage of investigators with the knowledge and expertise to analyze ever increasing amounts of potential digital evidence."

Saturday, July 16, 2011

Attorneys General seek to cooperate on Cybercrime

Cyber security and crime represent a significant and growing threat to everyone around the world

The Attorneys General from the US, the UK, Canada, Australia and New Zealand plan to co-ordinate their efforts to combat internet crime more closely. The prosecutor quintet's third meeting since 2009 will be held on Thursday in Sydney, Australia.

According to a media release by the hosting Australian Attorney General, Robert McClelland, the meeting will focus on joint and cooperative actions that can be taken to address the growth of international cyber-threats. McClelland's spokesperson denied reports of potential plans for a cybercrime agreement between the quintet countries, pointing out Australia's ongoing preparations to sign and ratify the 2001 Council of Europe Convention on Cybercrime.

In late June, McClelland and the Australian home secretary, Brendan O'Connor, introduced a bill that is designed to prepare Australia for adopting the Convention on Cybercrime. In addition to the ability to "quick freeze" telecommunications data, the bill aims to regulate confidentiality obligations in terms of data access, and contains minor amendments to the criminal laws against intrusions into computers and data manipulations. The bill is currently being discussed by the Joint Select Committee on Cyber Security.

With Australia intending to adopt the Convention on Cybercrime, the only quintet member that will not have done so is New Zealand. However, the Convention still needs to be put into practice, not only in Australia, but also in the UK and in Canada. The Convention on Cybercrime is currently only in force in the US. The UK will follow in September 2011.

At their meeting in Sydney, the five Attorneys General will also lead discussions on a range of key national security and legal policy issues. For example, the UK Attorney General, Dominic Grieve, will report on the disclosure of digitally stored material, while Robert McClelland will present Australia's strategy for countering violent extremism on the internet.

The Australian authorities say that they will spend up to a million dollars (about £660,000) on supporting citizens' rights groups that raise public awareness on violent extremism and build community resilience to radicalisation and extremist views.

Sunday, June 5, 2011

Security concern as cyber threat grows

Australian Government will soon release a white paper focusing on Cyber Security!

The Gillard government has become so concerned about attacks on the computer systems of industry and the public sector it will produce a white paper focusing largely on cyber security.

In a speech in Adelaide today, Attorney-General Robert McClelland will warn that foreign intelligence agencies, criminal gangs and commercial competitors are targeting intellectual property in Australia worth $30 billion.

Mr McClelland will say malicious activity is increasing to a point where computer systems in both the government and the private sector are under continuous threat.

"Cyber espionage is not just the purview of foreign intelligence agencies, but something undertaken by criminal organisations and commercial competitors alike," Mr McClelland says.

And Defence Minister Stephen Smith says attacks on Australia's computer systems are becoming increasingly sophisticated and targeted.

Development of the paper will be led by the Department of Prime Minister and Cabinet and extensive public consultations will begin next month with the release of a discussion paper.

It is expected the white paper will be ready in the first half of next year.

Mr McClelland says the cyber threat to Australia is real, evolving and continuing to test the nation's defences. "It comes from a wide range of sources, and from adversaries possessing a broad range of skills."

The cyber white paper will help Australians to connect to the internet with confidence. The document will provide a comprehensive review of how governments, businesses and individuals can work together to realise the full benefits of cyberspace while ensuring risks can be managed.

"The digital world is evolving rapidly. It's transforming the way governments and businesses operate and the way Australians connect to each other and the world," Mr McClelland says.

Minister for Broadband, Communications and the Digital Economy Stephen Conroy says the white paper recognises the increasingly significant role the online environment plays in the lives of Australians.

"With increased availability and use of technology, it's important that all Australians are able to go online safely and securely," he says.

Source: AustralianIT

Wednesday, February 9, 2011

Monitoring of Power Grid Cyber Security

Efforts to Secure Nation’s Power Grid Ineffective

The official government cybersecurity standards for the electric power grid fall far short of even the most basic security standards observed by noncritical industries, according to a new audit.

The standards have also been implemented spottily and in illogical ways, concludes a Jan. 26 report from the Department of Energy’s inspector general (.pdf). And even if the standards had been implemented properly, they “were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”

At issue is how well the Federal Energy Regulatory Commission, or FERC, has performed in developing standards for securing the power grid, and ensuring that the industry complies with those standards. Congress gave FERC jurisdiction in 2005 over the security of producers of bulk electricity — that is, the approximately 1,600 entities across the country that operate at 100 kilovolts or higher. In 2006, FERC then assigned the North American Electric Reliability Corporation (NERC), an industry group, the job of developing the standards.

The result, according to the report, is deeply flawed.

The standards, for example, fail to call for secure access controls — such as requiring strong administrative passwords that are changed frequently, or placing limits on the number of unsuccessful login attempts before an account is locked. The latter is a security issue that even Twitter was compelled to address after a hacker gained administrative access to its system using a password cracker.

The report is particularly timely in light of the discovery last year of the Stuxnet worm, a sophisticated piece of malware that was the first to specifically target an industrial control system — the kind of system that is used by nuclear and electrical power plants.

The security standards, formally known as the Critical Infrastructure Protection, or CIP, cybersecurity reliability standards, were in development for more than three years before they were approved in January 2008. Entities performing the most essential bulk electric-system functions were required to comply with 13 of the CIP requirements by June 2008, with the remaining requirements phased in through 2009.

The report indicates that this time frame was out of whack, since many of the most critical issues were allowed to go unaddressed until 2009. For example, power producers were required to begin reporting cybersecurity incidents and create a recovery plan before they were required to actually take steps to prevent the cyber intrusions in the first place — such as implementing strong access controls and patching software vulnerabilities in a timely manner.

The standards are also much less stringent than FERC’s own internal security policy. The standards indicate passwords should be a minimum of six characters and changed at least every year. But FERC’s own, internal security policy requires passwords to be at least 12 characters long and changed every 60 days.
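
As an added illustration (not part of the original post, the audit, or any FERC or NERC tooling), the following Python compares an access-control configuration against the two baselines quoted above (the CIP minimum and FERC's internal policy) and replays a constructed authentication log to show the account-lockout control the standards did not require. The lockout threshold of five attempts and the 15-minute window are assumed values; the page quotes neither.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AccessPolicy:
    min_password_length: int
    max_password_age_days: int
    lockout_threshold: Optional[int]  # failed logins before the account locks; None = never locks


# Figures from the audit as quoted in the post: CIP asks for six characters changed at
# least yearly and sets no lockout requirement; FERC's own policy asks for twelve
# characters changed every 60 days. The FERC lockout threshold of 5 is an assumed value.
CIP_STANDARD = AccessPolicy(min_password_length=6, max_password_age_days=365, lockout_threshold=None)
FERC_INTERNAL = AccessPolicy(min_password_length=12, max_password_age_days=60, lockout_threshold=5)


def policy_gaps(configured: AccessPolicy, baseline: AccessPolicy) -> list:
    """Return one finding per setting where `configured` is weaker than `baseline`."""
    gaps = []
    if configured.min_password_length < baseline.min_password_length:
        gaps.append(f"min_password_length {configured.min_password_length} < {baseline.min_password_length}")
    if configured.max_password_age_days > baseline.max_password_age_days:
        gaps.append(f"max_password_age_days {configured.max_password_age_days} > {baseline.max_password_age_days}")
    if baseline.lockout_threshold is not None and (
        configured.lockout_threshold is None or configured.lockout_threshold > baseline.lockout_threshold
    ):
        gaps.append(f"lockout_threshold {configured.lockout_threshold} is weaker than {baseline.lockout_threshold}")
    return gaps


def lockouts_from_log(lines: list, threshold: int, window_seconds: int = 900) -> list:
    """Replay constructed log lines of the form 'ISO-timestamp user RESULT' and report
    (user, timestamp) at the moment a user's consecutive failures inside the window
    reach `threshold`. A successful login resets the counter, as a real control would."""
    failures = {}  # user -> timestamps of recent failed attempts
    locked = []
    for line in lines:
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if result == "OK":
            failures[user] = []
            continue
        recent = [t for t in failures.get(user, []) if (ts - t).total_seconds() <= window_seconds]
        recent.append(ts)
        failures[user] = recent
        if len(recent) == threshold:
            locked.append((user, ts_text))
    return locked


# Constructed sample log (not real data): 'operator' mistypes once and then succeeds,
# 'admin' receives a burst of failed attempts.
SAMPLE_LOG = [
    "2011-01-26T08:00:00 operator FAIL",
    "2011-01-26T08:00:05 operator OK",
    "2011-01-26T08:01:00 admin FAIL",
    "2011-01-26T08:01:01 admin FAIL",
    "2011-01-26T08:01:02 admin FAIL",
    "2011-01-26T08:01:03 admin FAIL",
    "2011-01-26T08:01:04 admin FAIL",
    "2011-01-26T08:01:05 admin FAIL",
]

if __name__ == "__main__":
    for gap in policy_gaps(CIP_STANDARD, FERC_INTERNAL):
        print("CIP weaker than FERC internal policy:", gap)
    print("lockouts:", lockouts_from_log(SAMPLE_LOG, threshold=5))
```

Run against the CIP baseline, `policy_gaps` reports all three settings as weaker than FERC's own policy; `lockouts_from_log` locks `admin` on the fifth consecutive failure and leaves `operator` alone, which is the behaviour the audit notes the standards never mandated.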

One of the main problems with the standards seems to be that they fail to define what constitutes a critical asset and therefore permit energy producers to use their discretion in determining if they even have any critical assets. Any entity that determines it has no critical assets can consider itself exempt from many of the standards. Since companies are generally loath to invest in security practices unless they absolutely have to — due to costs — it’s no surprise that the report found many of them underreporting their lists of critical assets.

“For example, even though critical assets could include such things as control centers, transmission substations and generation resources, the former NERC Chief Security Officer noted in April 2009 that only 29 percent of generation owners and operators, and less than 63 percent of transmission owners, identified at least one critical asset on a self-certification compliance survey,” the report notes.

Refer here to download the report.

Monday, May 31, 2010

Canada has no official coordinated cyberattack response strategy

Risk of cyber-attacks growing: CSIS memo

A secret memo from the Canadian Security Intelligence Service (CSIS) warns that the risk of cyberoffensives against government, university, and industrial computer systems has grown significantly over the past year.

"In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure, and low-risk means to conduct espionage," the memo says. Canadian government officials say they are developing a framework to manage cyberattacks, yet Canada still has no official coordinated cyberattack response strategy.

Meanwhile, a report from the University of Toronto's Citizen Lab, the SecDev Group, and U.S. researchers from the Shadowserver Foundation emphasizes that the federal government must take urgent action or risk being targeted by hackers who steal sensitive information using social media. However, University of Calgary computer science professor John Aycock warns that the Internet's design makes it difficult to provide complete security. "It's not designed to be able to track people back," Aycock says. "There is no one cure-all."

Please refer here to read more details.

Wednesday, March 10, 2010

US identified cybersecurity as a top priority

US plan to make hacking harder revealed

The Obama administration has declassified part of its plan to improve the security of cyberspace in an attempt to cultivate greater collaboration between government and civilian groups. More cooperation between the private sector and the U.S. National Security Agency is the centerpiece of the Comprehensive National Cybersecurity Initiative (CNCI).

The declassified abstract of the plan reveals that the U.S. Department of Homeland Security will operate a new security system, called Einstein 3, that analyzes email and other data traffic into and out of federal networks. CNCI also urges merged oversight of federal spending on research and development in cybersecurity, with a particular focus on "leap-ahead" technology.

Although the initiative acknowledges that traditional security approaches "have not achieved the level of security needed," it says the federal government is now outlining "grand challenges" for the research community to help solve the most difficult problems.

Refer here to read more details.