By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
A recent report from the Department of Homeland Security documents a sharp rise over a three-year period in cybersecurity incidents reported by companies that operate critical infrastructure. According to the report, companies reported 198 cyber incidents in 2011, up from 41 incidents in 2010 and just nine in 2009. Critical infrastructure includes such industries as utilities (water, energy including nuclear power plants), chemical plants, telecommunications, and transportation.
Spear-phishing emails with malicious links or attachments were the most common infection vector for network intrusion. The hacking method prompts people to click on malware-infected emails that appear to be sent from someone they know. [We discussed this attack in an earlier blog post]. At least one incident involved an infection from a removable USB device.
The most common objective was to gain unauthorized access to company networks. According to the report, "These threat actors were responsible for data exfiltration in several cases, which seems to have been the primary motive for intrusion. No intrusions were identified directly into control system networks. However, given the flat and interconnected nature of many of these organizations' networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations."
Currently, there are several bills moving through Congress that attempt to get a handle on the problem of securing our nation's critical infrastructure. In spite of broad consensus that the country urgently needs to improve in this area, there are many issues to be worked out concerning the actual implementation. For example, nearly everyone agrees that the owners and operators of computer networks have an obligation to secure those networks through application of industry best practices (e.g. anti-virus, prompt patching, network firewalls, intrusion detection, etc.). There are many IT compliance regimes already in existence (e.g. ISO 27001, COBIT), including compliance requirements imposed by HIPAA. However, some of the proposed bills impose penalties if covered industries do not apply these controls to acceptable standards. Some see the penalties as unnecessary regulation, whereas others see them as necessary incentives to get industry to take improvements seriously.
Another example: there is broad agreement that there is value in the sharing of information across and within industries, and between industry and government, the theory being that all will benefit if companies are encouraged to disclose and share information about cyber incidents. Removing the barriers to information sharing can give early warning to others of emerging attacks, and can help to spread knowledge of advanced detection and protection techniques developed by companies or by the government. Objections have arisen over the protection of intellectual property rights when such information is shared, since doing so may expose information about internal company operations. Also, advanced detection or protection techniques may be considered trade secrets by security firms that sell security services, and those firms would suffer economic loss if the techniques were broadly disclosed.
One area that I find interesting as it affects Xerox is what I'll call "recursive disclosure" of security incidents. Xerox by itself is not considered a critical industry, but every industry segment mentioned above is served by Xerox and the office equipment industry in general. Let's suppose a utility is the victim of a targeted attack in which an attacker was able to gain access to the corporate network. Under many of the new rules being contemplated, that utility would be required to disclose the attack to the government. Let's further suppose that there is suspicion that the attacker was able to penetrate the network by connecting through a vulnerable printer. If that printer were a Xerox device (and we work very hard to make sure this doesn't happen), or if the printer population at the utility was being operated by Xerox under a managed services contract, then Xerox would also be drawn into having to disclose the incident.
Some in the security research community will argue that's a good thing, because the threat of exposure provides a strong incentive for manufacturers to make sure their equipment and services are robust and secure, and as a practical matter this is quite true. But there is no doubt that if such a scenario were to occur, it could be devastating to Xerox's business, or to that of any other manufacturer or service provider caught in a similar situation. The economic impact could ripple through the entire economy and be amplified to a point where the disruption caused by the reaction to the event could do more damage than the actual event itself.
Figuring this out is hard. There are many ramifications and many opinions from all perspectives. I'd be interested to hear your thoughts.