Public and Private Sectors Ally To Secure Cyberspace

The government and private industry unveil The National Strategy to Secure Cyberspace.

The government and private industry have unveiled a plan for safeguarding the nation's infrastructure against electronic attack. Called The National Strategy to Secure Cyberspace, the plan was developed in response to an executive order by President Bush a year ago.

The plan, which was issued in draft form in September, addresses information security on five levels: home users and small business, large enterprises, sectors of the economy, national issues and global issues.

The financial services sector has been working closely with the U.S. Treasury on cyberspace since 1998, following the issuance of a presidential directive, PDD-63, which defined steps to be taken to thwart cyberattacks. One of them was the creation of sector-specific Information Sharing and Analysis Centers, or ISACs, which provide warnings of possible threats, computer viruses and software vulnerabilities.

The financial services sector was the first to establish an ISAC, in 1999, just one year after PDD-63. "Through FS/ISAC, we are sharing information about threats and vulnerabilities," said Rhonda MacLean, head of information security at Bank of America and sector coordinator for the financial services industry. The financial services sector is represented by principal industry groups, such as the American Bankers Association, Securities Industry Association, BITS, the FS/ISAC and the Independent Community Bankers Association.

FS/ISAC, MacLean said, "is a way for members to get an early warning. We have a way to get it out as not only a general CERT alert but as an alert to the financial services industry."

FS/ISAC receives data feeds from more than 100 sources, including the intrusion detection systems of several of its members. It analyzes this data around-the-clock to profile potential threats and vulnerabilities. This profiling, in turn, allows for an early warning capability via e-mail, fax and pager/phone.

The September 11 attacks focused new attention on the need to defend against all forms of attack. "We have seen an escalation of worrisome trends, both physical and electronic," said MacLean.

The Bush administration's principal contributions toward the protection of cyberspace are the proposed Department of Homeland Security and the Critical Infrastructure Protection Board, an interagency task force under whose aegis The National Strategy to Secure Cyberspace was developed.

The plan outlines a number of steps each industry sector needs to take to reduce the risk of cyberattacks: establishment of an ISAC; conducting a technology and R&D gap analysis in coordination with the Office of Science and Technology Policy; developing best practices for cybersecurity and guidelines for procuring secure IT products and services; creating information security awareness campaigns; and establishing mutual assistance programs for cybersecurity emergencies.

In addition to ISAC, the financial industry sector operates the BITS Product Certification Program, which creates security criteria for various software products. Banks and product vendors are working together to address security issues. "We need the vendors to build products with security in mind," MacLean said.

Other sector initiatives include a joint ABA-SIA program to protect customer data, deter money laundering and authenticate financial transactions; the setting of technical standards; and increasing the awareness of the need for protecting the infrastructure.

Financial institutions don't need to be sold on the value of cooperation, MacLean said. "The security of our systems is not a competitive issue. Each institution has an obligation, but it's also a shared responsibility. We're as strong as our weakest link."

September 11 exposed both the fragility of the infrastructure and its interdependence. The targets of the attacks, the World Trade Center and Pentagon, were "icons," said MacLean. Yet there was also significant collateral damage, such as the Verizon switching center in lower Manhattan. "An attack might not be targeted at you, but you might become a victim of collateral damage because of the interconnections."

The need for greater vigilance on cybersecurity was evident even before September 11. Both the Code Red and Nimda cyberattacks spread so fast that many victims didn't have a chance to respond in time. And the number of threats reported by CERT/CC, a nonprofit organization, soared to 2,437 in 2001 from 1,090 in 2000.

Technology alone doesn't guarantee security. Although 90 percent of respondents in a survey by the Computer Security Institute used antivirus software, 85 percent of them suffered damage due to a virus. Similarly, some 40 percent had their systems penetrated from outside the network, despite the presence of firewalls and intrusion detection systems.

The risk of a breach of security on a national level is real, noted the National Strategy report. "Potential adversaries have the intent, the tools of destruction are broadly available, and the vulnerabilities of the nation's systems are many and well known."

Threats can come in all shapes and sizes. "Threat agents in the virtual world can be categorized as the curious, the glory seekers, traditional criminals and the inadvertent," according to a progress report issued in May by the financial sector. Cyberterrorists have the same motivation as their counterparts in the physical world. "We look at anyone who wants to do malfeasance, whether they're terrorists, 'hacktivists,' or just plain-old criminals," said MacLean.

Threats are just as likely to come from inside an organization. "We're all vulnerable to internal threats," said MacLean. "Many breaches of security involve an insider." Hence the importance of screening prospective employees and other forms of internal security.


Cyberspace at Risk


2000: 1,090

2001: 2,437

Source: CERT/CC
