Great news! ApplyLogic has been nominated for SECAF’s Government Contractor of the Year. SECAF’s 6th Annual Award honors small and emerging government contractors. We are proud of the ApplyLogic Team and excited about the nomination and recognition for the hard work we provide: servicing and delivering quality solutions to our customers! Way to go ApplyLogic!
In an article by Computerworld, analysts are predicting that in the next 8 years digital data will exceed 40 zettabytes (1,099,511,627,776 gigabytes (GB) in a zettabyte) or about 5,200 GB per person on earth. Emerging countries/markets will likely become the dominant data generators rising from 36% to 62%. However, the research suggests that this data will mainly be produced by computers not humans.
More data, more storage, faster hardware, larger/faster networks, tighter security, “real” service-oriented architectures, “bring your own device” solutions, converged infrastructures and overall efficiencies needed for customers. Meta tags will be the critical element in farming and correlating this data. And, by 2020, while cloud spending is projected to rise from 5-40%, the cost of storage will likely plummet. Interesting times ahead….
There has been a lot of news recently about the potential for the coming Cyber Pearl Harbor. A cyber attack that would mirror the devastation that hit the naval base in Pearl Harbor during the beginning of WWII. According to an article in CSO Magazine on October 18, 2012, the United States is concerned of a coming cyber attack. The concept of comparing the attack to Pearl Harbor has been around for several years. It wasn’t until a recent a speech by U.S. Secretary of Defense Leon Penetta in New York that this has become more of a topic.
The article states the following:
The results of cyberttacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid “could be a cyber Pearl Harbor — an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
Panetta also invoked the image of a cyberattack on the level of 9/11. “Before September 11, 2001, the warning signs were there. We weren’t organized. We weren’t ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment,” he said.
In a follow-up article in CSO Magazine November 7th, the opposing viewpoint was brought forth. Many in the security industry feel that the concept and description of a Cyber Pearl Harbor is nothing more than hot air. Experts including Bruce Schneier have chimed in. Bruce has reduced the extent to which he believes the concept to be exaggerated but according to he article:
Critics argue argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attacks, but to “build security in” to the control systems that run the nation’s critical infrastructure.
Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security “guru,” has not backed off of his contention made at a debate two years ago that the cyber war threat “has been greatly exaggerated.” He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.
“This [damage] is at the margins,” he said, adding that even using the term “war” is just a, “neat way of phrasing it to get people’s attention. The threats and vulnerabilities are real, but they are not war threats.”
The reality is that it is probably somewhere in the middle of the two viewpoints. It can be likened to the Y2K issue a little over a decade ago. The world was going to come to an end and the dark ages would re-emerge. The reality was that preparation help minimize what little impact there may have been. Security is a risk decision, but most risk decisions are defensive in nature. The other decision of a preemptive cyber capability is another aspect of the decision-making that needs to be addressed. Should the U.S. begin cyber strikes on perceived threats? What is the impact of doing this on the long-term? The world has already seen a small view of what can be done with Stuxtnet and will these type of state-sponsored cyber attacks the new nuclear deterrent…that is yet to be seen.
Regardless of the direction that gets taken, business needs to look at potential cyber attacks/hacks as a real potential threat and determine what risk is willing to be accepted and what will need to be mitigated. Whether the issue is the size of a country or your home computer, measure twice, cut once is still the best direction.
Microsoft’s new flagship operating system Windows 8 was released at the end of October, but with its release, so has a new zero-day. In a recent article in SC Magazine, the article describes how the French security firm Vupen is offering the recently discovered zero-day for sale. In fact, a mere $50,000.00 could allow you to obtain the vulnerability that has been described as affecting the new Internet Explorer 10 browser.
According to the article:
Last week, Vupen CEO Chaouki Bekrar tweeted that “various” IE10 and Windows 8 vulnerabilities had been combined to circumvent exploit mitigation safeguards in Windows 8, which was released to the public on Oct. 26. The exploit was reportedly not disclosed to Microsoft, nor was its price made public. Vupen did reveal that the zero-day could allow a particularly skilled hacker to bypass embedded security measures, which include high-entropy address space layout randomization (HiASLR), anti-return oriented programming (AntiROP), data execution prevention (DEP) and protected-mode sandbox.
According to the article, Vupen only sells the vulnerability information to governments and business, but this is very concerning. The fact that they have not shared it with Microsoft, this could become a way to hold applications, business and governments hostage. Secure coding needs to be the priority of developers and the time to market needs to be properly married to insuring limited vulnerabilities.
The elections in the United States is drawing close, tomorrow, and it is important to remember that you need to make decision. Now this is not to discuss your decision on which president you select, but rather the risk your company chooses to select.
Risk is an issue that is a critical factor every day of the year to your business. The recent effects of Sandy and the potential impact of new a new storm could paralyze the already devastated North East. Your business needs to make decisions that will limit its exposure to risk, whether it is financial, natural, or technical. So, during this time of decision-making, make sure you make a commitment to evaluate your companies risk on a regular basis and plan effectively. Remember…risk is not static and your business should not be either.
Dark Reading published an article on October 9 about the pending Executive Order on cyber security and what it will mean to an enterprise. As mentioned in a previous post, the executive order is the Obama administration’s response to the fact that Congress did not pass cybersecurity legislation, specifically the Cybersecurity Act of 2012.
Now while the Executive Order would be focused on national critical infrastructure, the article brings up some good points about what impacts and insights this could have on a business. The article noted that the Executive Order would not deal with one of the key points of the act, the sharing of information between government agencies. According to the article:
The issuance of an executive order would not address one of the key elements of the Cybersecurity Act of 2012 – information sharing between the private sector and government. According to former NSA Deputy Training Director Cedric Leighton, information-sharing has to span both sharing between the government and private sector as well as between entities in the private sector itself.
A key point about what businesses are looking for is stated in the article…more specifically three key items:
Rather than checklists, organizations are looking for three distinct things: the current state of a threat, what others are doing about security, and what are the guiding principles that should be considered when developing a security program and strategy, Granado argues. Protecting intellectual property means complicating the process of acquiring inappropriate access, detecting threats and neutralizing threats before they expand, he says.
As noted in the article, a purely defensive “knee-jerk” mentality is not enough and a pro-active stance is needed to effectively secure the information assets of the business and in turn improve the overall risk posture. The idea that the minimum is enough is not enough, that will leave business always behind a curve.