DOCSLIB.ORG

Bridge Linking Engineering and Society

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Bridge Linking Engineering and Society Fall 2019 CYBERSECURITY The BRIDGE LINKING ENGINEERING AND SOCIETY A Framework to Understand Cybersecurity David D. Clark Cybersecurity: Revisiting the Definition of Insider Threat Nicole Lang Beebe and Frederick R. Chang Learning from Cybersecurity Breaches: The Trouble with Recommended Best Practices Josephine Wolff Cybersecurity in Higher Education: One University’s Approach Christian Hamer Policy Dimensions of Cybersecurity Engineering Challenges Fred B. Schneider and Lynette I. Millett Raising Awareness of Security Challenges for the Internet of Trillions of Things John A. Stankovic and Jack W. Davidson Security of Connected and Automated Vehicles Mashrur Chowdhury, Mhafuzul Islam, and Zadid Khan What Every Engineer Should Know about Cybersecurity Thomas A. Longstaff and Noelle K. Allon EES Perspective: When White Hats Wear Black Hats: The Ethics of Cybersecurity C. Dianne Martin A Call to the Engineering Community to Address Human Trafficking Jonathan P. Caulkins, Matt Kammer-Kerwick, Renata Konrad, Kayse Lee Maass, Lauren Martin, and Thomas Sharkey The mission of the National Academy of Engineering is to advance the well-being of the nation by promoting a vibrant engineering profession and by marshalling the expertise and insights of eminent engineers to provide independent advice to the federal government on matters involving engineering and technology. The BRIDGE NATIONAL ACADEMY OF ENGINEERING Gordon R. England, Chair John L. Anderson, President Corale L. Brierley, Vice President Julia M. Phillips, Home Secretary James M. Tien, Foreign Secretary Martin B. Sherwin, Treasurer Editor in Chief: Ronald M. Latanision Managing Editor: Cameron H. Fletcher Production Associate: Penelope Gibbs The Bridge (ISSN 0737-6278) is published quarterly by the National Acad emy of Engineering, 2101 Constitution Avenue NW, Washington, DC 20418. Periodicals postage paid at Washington, DC. Vol. 49, No. 3, Fall 2019 Postmaster: Send address changes to The Bridge, 2101 Constitution Avenue NW, Washington, DC 20418. Changes of address or requests to unsubscribe should be sent to [email protected]. Papers are presented in The Bridge on the basis of general interest and timeliness. They reflect the views of the authors and not necessarily the position of the National Academy of Engineering. The Bridge is printed on recycled paper. C © 2019 by the National Academy of Sciences. All rights reserved. Mission Statement of The Bridge The Bridge publishes articles on engineering research, education, and practice; science and technology policy; and the interface between engineering and technology and society. The intent is to stimulate debate and dialogue both among members of the National Academy of Engineering (NAE) and in the broader community of policymakers, educators, business leaders, and other interested individuals. The Bridge relies on its editor in chief, NAE members, and staff to identify potential issue topics and guest editors. Invited guest editors, who have expertise in a given issue’s theme, are asked to select authors and topics, and inde- pendent experts are enlisted to assess articles for publication. The quarterly has a distribution of about 7,000, including NAE members, members of Congress, libraries, universities, and interested individuals all over the country and the world. Issues are freely accessible at www.nae.edu/Publications/Bridge.aspx. A complete copy of The Bridge is available in PDF format at www.nae.edu/TheBridge. Some of the articles in this issue are also available as HTML documents and may contain links to related sources of information, multimedia files, or other content. The Volume 49, Number 3 • Fall 2019 BRIDGE LINKING ENGINEERING AND SOCIETY Editors’ Note 3 Cybersecurity: A Growing Challenge for Engineers and Operators Ruth A. David and Robert F. Sproull Features 6 A Framework to Understand Cybersecurity David D. Clark An internet-centric view of cybersecurity challenges sheds light on ways to address them. 12 Cybersecurity: Revisiting the Definition of Insider Threat Nicole Lang Beebe and Frederick R. Chang The definition of insider threat must be expanded from the malicious human insider to include the unwitting human insider and the technological insider. 20 Learning from Cybersecurity Breaches: The Trouble with Recommended Best Practices Josephine Wolff Previous incidents highlight the need for clear, specific guidance on cybersecurity best practices and incentives for their use. 27 Cybersecurity in Higher Education: One University’s Approach Christian Hamer We believe it is critical to involve and work with our community as much as possible to support the mission of the university. 33 Policy Dimensions of Cybersecurity Engineering Challenges Fred B. Schneider and Lynette I. Millett Efforts to address cybersecurity challenges require theoretical perspectives, practical and organizational approaches, and policy understanding. 40 Raising Awareness of Security Challenges for the Internet of Trillions of Things John A. Stankovic and Jack W. Davidson The massive scale and decentralized nature of the IoTT provide attackers with a large attack surface for exploitation. (continued on next page) 46 Security of Connected and Automated Vehicles Mashrur Chowdhury, Mhafuzul Islam, and Zadid Khan We describe cyberattack surfaces and potential solutions for securing connected and automated vehicles and transportation infrastructure. 57 What Every Engineer Should Know about Cybersecurity Thomas A. Longstaff and Noelle K. Allon Cybersecurity is not an end in itself but an ongoing set of practices throughout the system lifecycle to achieve system goals and requirements. 62 EES Perspective: When White Hats Wear Black Hats: The Ethics of Cybersecurity C. Dianne Martin 67 A Call to the Engineering Community to Address Human Trafficking Jonathan P. Caulkins, Matt Kammer-Kerwick, Renata Konrad, Kayse Lee Maass, Lauren Martin, and Thomas Sharkey There are opportunities for engineering to make transformative contributions to the curtailment of human trafficking. 74 An Interview with… Deanne Bell, TV Host and Founder-CEO of Future Engineers News and Notes 83 NAE Newsmakers 84 2019 China-America Frontiers of Engineering Hosted by Qualcomm in San Diego 86 Summer Interns in the NAE Program Office 87 Calendar of Meetings and Events 87 In Memoriam 89 Publications of Interest The National Academy of Sciences was established in 1863 by an emy of Sciences to advise the nation on medical and health issues. Act of Congress, signed by President Lincoln, as a private, nongov- Members are elected by their peers for distinguished contributions to ernmental institution to advise the nation on issues related to science medicine and health. Dr. Victor J. Dzau is president. and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president. The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objec- The National Academy of Engineering was established in 1964 tive analysis and advice to the nation and conduct other activities under the charter of the National Academy of Sciences to bring the to solve complex problems and inform public policy decisions. The practices of engineering to advising the nation. Members are elected Academies also encourage education and research, recognize out- by their peers for extraordinary contributions to engineering. Dr. John standing contributions to knowledge, and increase public understand- L. Anderson is president. ing in matters of science, engineering, and medicine. The National Academy of Medicine (formerly the Institute of Medicine) Learn more about the National Academies of Sciences, Engineering, was established in 1970 under the charter of the National Acad- and Medicine at www.nationalacademies.org. 3 Editors’ Note larly, complex infrastructures on which people depend for transportation, energy, communications, food pro- duction, water distribution, and healthcare delivery are increasingly computerized, as are the manufacturing and design processes that will create the next genera- tion of systems and infrastructures. To be sure, the engineers who design and develop Ruth A. David (NAE) is retired these systems and infrastructures play a vital role in president and chief executive addressing security concerns, but they cannot antici- officer of ANSER. pate every conceivable threat that may manifest during operational use of their product—particularly since new attack surfaces are introduced when individual systems are connected to networks. Cybersecurity is defined by the National Institute of Standards and Technology (NIST 2011, p. B-3) as Robert F. Sproull (NAE) is “the ability to protect or defend the use of cyberspace retired vice president and direc- from cyber attacks,” and cyberspace is defined as “a tor of Oracle Labs and now an global domain within the information environment adjunct professor of computer consisting of the interdependent network of informa- science at the University of tion systems infrastructures including the Internet, Massachusetts at Amherst. tele communications networks, computer systems, and embedded processors and controllers.” Thus, cyber- Cybersecurity: security focuses on thwarting attack vectors that exploit network connections, but those connections A Growing Challenge for typically occur in individual systems put into use by Engineers and Operators individual, organizational, or institutional operators who therefore play an equally vital role
Load more

Recommended publications
  • Cyber Security Practices and Challenges at Selected Critical Infrastructures in Ethiopia: Towards Tailoring Cyber Security Framework
    ADDIS ABABA UNIVERSITY COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCES SCHOOL OF INFORMATION SCIENCE CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK By TEWODROS GETANEH JUNE, 2018 ADDIS ABABA, ETHIOPIA ADDIS ABABA UNIVERSITY COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCES SCHOOL OF INFORMATION SCIENCE CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK A Thesis Submitted to School of Graduate Studies of Addis Ababa University in Partial Fulfillment of the Requirements for the Degree of Master of Science in Information Science By: TEWODROS GETANEH Advisor: Tebebe Beshah (PhD) JUNE, 2018 Addis Ababa, Ethiopia ADDIS ABABA UNIVERSITY COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCE SCHOOL OF INFORMATION SCIENCE CYBER SECURITY PRACTICES AND CHALLENGES AT SELECTED CRITICAL INFRASTRUCTURES IN ETHIOPIA: TOWARDS TAILORING CYBER SECURITY FRAMEWORK By: Tewodros Getaneh Name and signature of Members of the Examining Board Tebebe Beshah (PhD) __________ _________ Advisor Signature Date Lemma Lenssa (PhD) ___________ __________ Examiner Signature Date Dereje Teferi (PhD) __________ _________ Examiner Signature Date Declaration This thesis has not previously been accepted for any degree and is not being concurrently submitted in candidature for any degree in any university. I declare that the thesis is a result of my own investigation, except where otherwise stated. I have undertaken the study independently with the guidance and support of my research advisor. Other sources are acknowledged by citations giving explicit references. A list of references is appended. Signature: ________________________ Tewodros Getaneh This thesis has been submitted for examination with my approval as university advisor. Advisor’s Signature: ________________________ Tebebe Beshah (PhD) i | P a g e Dedication This work is dedicated to my beloved sister Eleni Getaneh.
    [Show full text]
  • Techbeat Spring 2004
    National Law Enforcement and Corrections Technology Center Spring 2004 ore and more, when it comes to more efficient, and more cost effective, “There are probably 10 different com- agencies are inundated with these things investigating vehicle crashes, but many departments lack the expertise panies that make measuring devices and don’t necessarily know how to distance measuring tapes and to use them,” Krenning says. To help and 30 different companies that make choose which they want to use.” wheels, hand-drawn sketches, bring law enforcement agencies up to computer-aided drafting (CAD) programs M (See Scene of the Crash, page 10) and ink pens are out and computers and speed on current crash scene technolo- for law enforcement,” Mael says. “Police lasers are in. gies, NLECTC–Rocky Mountain last year “The days of going out and measur- initiated a technology assistance program ing skidmarks and using calculus to titled “Crash Scene Technologies,” which determine speed are over,” says Troy is available to law enforcement Krenning, a program manager at the agencies at no cost. National Institute of Justice’s National Last year, Krenning says, Law Enforcement and Corrections approximately 120 officers from Technology Center (NLECTC)–Rocky Colorado, Montana, and Kansas Mountain in Denver, Colorado. “These took the week-long course, a mix data are now captured in the vehicle’s of classroom presentations and black box.” hands-on exercises designed for According to William Mael, a trans- experienced crash scene investi- n a recent television commercial a portation safety consultant in Fort gators dealing with major acci- stressed-out office worker takes his laptop to a park and uses his Collins, Colorado, the technology for dents.
    [Show full text]
  • Securing Wireless Networks in Today’S Connected World, Almost Everyone Has at Least One Internet-Connected Device
    Securing Wireless Networks In today’s connected world, almost everyone has at least one internet-connected device. With the number of these devices on the rise, it is important to implement a security strategy to minimize their potential for exploitation (see Securing the Internet of Things). Internet-connected devices may be used by nefarious entities to collect personal information, steal identities, compromise financial data, and silently listen to— or watch—users. Taking a few precautions in the configuration and use of your devices can help prevent this type of activity. What are the risks to your wireless network? Whether it’s a home or business network, the risks to an unsecured wireless network are the same. Some of the risks include: Piggybacking If you fail to secure your wireless network, anyone with a wireless-enabled computer in range of your access point can use your connection. The typical indoor broadcast range of an access point is 150–300 feet. Outdoors, this range may extend as far as 1,000 feet. So, if your neighborhood is closely settled, or if you live in an apartment or condominium, failure to secure your wireless network could open your internet connection to many unintended users. These users may be able to conduct illegal activity, monitor and capture your web traffic, or steal personal files. Wardriving Wardriving is a specific kind of piggybacking. The broadcast range of a wireless access point can make internet connections available outside your home, even as far away as your street. Savvy computer users know this, and some have made a hobby out of driving through cities and neighborhoods with a wireless-equipped computer— sometimes with a powerful antenna—searching for unsecured wireless networks.
    [Show full text]
  • I Am the Antenna: Accurate Outdoor AP Location Using Smartphones
    I Am the Antenna: Accurate Outdoor AP Location using Smartphones Zengbin Zhang†, Xia Zhou†, Weile Zhang†§, Yuanyang Zhang†, Gang Wang†, Ben Y. Zhao† and Haitao Zheng† †Department of Computer Science, UC Santa Barbara, CA 93106, USA §School of Electronic and Information Engineering, Xian Jiaotong University, P. R. China {zengbin, xiazhou, yuanyang, gangw, ravenben, htzheng}@cs.ucsb.edu, [email protected] ABSTRACT 1. INTRODUCTION Today’s WiFi access points (APs) are ubiquitous, and pro- WiFi networks today are ubiquitous in our daily lives. vide critical connectivity for a wide range of mobile network- WiFi access points (APs) extend the reach of wired networks ing devices. Many management tasks, e.g. optimizing AP in indoor environments such as homes and offices, and en- placement and detecting rogue APs, require a user to effi- able mobile connectivity in outdoor environments such as ciently determine the location of wireless APs. Unlike prior sports stadiums, parks, schools and shopping centers [1, 2]. localization techniques that require either specialized equip- Even cellular service providers are relying on outdoor WiFi ment or extensive outdoor measurements, we propose a way APs to offload their 3G traffic [2, 3]. As Internet users be- to locate APs in real-time using commodity smartphones. come reliant on these APs to connect their smartphones, Our insight is that by rotating a wireless receiver (smart- tablets and laptops, the availability and performance of to- phone) around a signal-blocking obstacle (the user’s body), morrow’s networks will depend on well tuned and managed we can effectively emulate the sensitivity and functionality access points.
    [Show full text]
  • Climate Change Adaptation in the Arab States Best Practices and Lessons Learned
    Climate Change Adaptation in the Arab States Best practices and lessons learned United Nations Development Programme 2018 | 1 UNDP partners with people at all levels of society to help build nations that can withstand crisis, and drive and sustain the kind of growth that improves the quality of life for everyone. On the ground in nearly 170 countries and territories, we offer global perspective and local insight to help empower lives and build resilient nations. www.undp.org The Global Environment Facility (GEF) was established on the eve of the 1992 Rio Earth Summit to help tackle our planet’s most pressing environmental problems. Since then, the GEF has provided over $17 billion in grants and mobilized an additional $88 billion in financing for more than 4000 projects in 170 countries. Today, the GEF is an international partnership of 183 countries, international institutions, civil society organizations and the private sector that addresses global environmental issues. www.thegef.org United Nations Development Programme July 2018 Copyright © UNDP 2018 Manufactured in Bangkok Bangkok Regional Hub (BRH) United Nations Development Programme 3rd Floor United Nations Service Building Rajdamnern Nok Avenue, Bangkok, 10200, Thailand www.adaptation-undp.org Authors: The report preparation was led by Tom Twining-Ward in close collaboration with Kishan Khoday, with Cara Tobin as lead author and Fadhel Baccar, Janine Twyman Mills, Walid Ali and Zubair Murshed as contributing authors. The publication was professionally reviewed by fellow UNDP colleagues, Amal Aldababseh, Greg Benchwick, Hanan Mutwaki, Mohamed Bayoumi, and Walid Ali. Valuable external expert review, comments, and suggestions were provided by Hussein El-Atfy (Arab Water Council), Ibrahim Abdel Gelil (Arabian Gulf University), and William Dougherty (Climate Change Research Group).
    [Show full text]
  • Significant Cyber Incidents Since 2006 This List Is a Work in Progress That We Update As New Incidents Come to Light. If You H
    Significant Cyber Incidents Since 2006 This list is a work in progress that we update as new incidents come to light. If you have suggestions for additions, send them to [email protected]. Significance is in the eye of the beholder, but we focus on successful attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars. 1. May 2006. The Department of State’s networks were hacked, and unknown foreign intruders downloaded terabytes of information. If Chinese or Russian spies backed a truck up to the State Department, smashed the glass doors, tied up the guards and spend the night carting off file cabinets it would be an act of war, but when it happens in cyberspace we barely notice. 2. August 2006. A senior Air Force Officer stated publicly that, “China has downloaded 10 to 20 terabytes of data from the NIPRNet (the unclassified military network).” 3. November 2006. Hackers attempted to penetrate U.S. military War College networks, resulting in a two week shutdown at one institution while infected machines are restored. 4. December 2006. NASA was forced to block emails with attachments before shuttle launches out of fear they would be hacked. Business Week reported that the plans for the latest U.S. space launch vehicles were obtained by unknown foreign intruders. 5. 2006. Chinese hackers were thought to be responsible for shutting down the House of Commons computer system. 6. April 2007. The Department of Commerce had to take the Bureau of Industrial Security’s networks offline for several months because its networks were hacked by unknown foreign intruders.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • E-Commerce Security and Fraud Issues and Protections 10
    E-Commerce Security and Fraud Issues and Protections 10 C o n t e n t s Learning Objectives Opening Case: How State University of New York College at Old Westbury Upon completion of this chapter, you will be Controls Its Internet Use ...................................... 458 able to: 10.1 The Information Security Problem .......... 459 1. Understand the importance and scope of security of information systems for EC. 10.2 Basic E-Commerce Security Issues and Landscape ........................................... 465 2. Describe the major concepts and terminol- ogy of EC security. 10.3 Technical Malware Attack Methods: From Viruses to Denial of Service ............ 471 3. Understand about the major EC security threats, vulnerabilities, and technical attacks. 10.4 Nontechnical Methods: From Phishing to Spam and Fraud .................... 476 4. Understand Internet fraud, phishing, and spam. 10.5 The Information Assurance Model 5. Describe the information assurance security and Defense Strategy ................................. 484 principles. 10.6 The Defense I: Access Control, 6. Identify and assess major technologies Encryption, and PKI ................................. 488 and methods for securing EC access and 10.7 The Defense II: Securing communications. E-Commerce Networks ............................. 494 7. Describe the major technologies for protec- 10.8 The Defense III: General Controls, tion of EC networks. Spam, Pop Ups, Fraud, and Social 8. Describe various types of controls and special Engineering Controls................................. 497 defense mechanisms. 10.9 Implementing Enterprisewide 9. Describe consumer and seller protection from E-Commerce Security ............................... 500 fraud. Managerial Issues.................................................. 504 10. Discuss enterprisewide implementation issues Closing Case: How One Bank Stopped Scams, for EC security. Spams, and Cybercriminals ................................. 509 11. Understand why it is so diffi cult to stop computer crimes.
    [Show full text]
  • CIS 381: Social & Ethical Issues of Computing
    CIS 381: Social & Ethical Issues of Computing Security Dr. David Koop D. Koop, CIS 381, Spring 2019 Hackers, Past and Present • Original meaning of hacker: explorer, risk taker, system innovator (e.g. MIT’s Tech Model Railroad Club in 1950s) • Change in meaning from electronics to computers and networks • WarGames (1983): Hacking military supercomputer • Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks [M. J. Quinn] D. Koop, CIS 381, Spring 2019 !2 Password Advice • Do not use short passwords • Do not rely solely on words from the dictionary • Do not rely on substituting numbers for letters • Do not reuse passwords • Give ridiculous answers to security questions • Enable two-factor authentication if available • Have password recoveries sent to a secure email address [M. J. Quinn] D. Koop, CIS 381, Spring 2019 !3 Case Study: Firesheep • October 2010: Eric Butler released Firesheep extension to Firefox browser • Firesheep made it possible for ordinary computer users to easily sidejack Web sessions • More than 500,000 downloads in first week • Attracted great deal of media attention • Early 2011: Facebook and Twitter announced options to use their sites securely • Evaluate: Was this a good action? [M. J. Quinn] D. Koop, CIS 381, Spring 2019 !4 Viruses • Virus: Piece of self-replicating code embedded within another program (host) • Viruses associated with program files - Hard disks, floppy disks, CD- ROMS - Email attachments • How viruses spread - Diskettes or CDs - Email - Files downloaded from Internet [M. J. Quinn] D. Koop, CIS 381, Spring 2019 !5 Worm • Worm: - Self-contained program 7.3 Malware 329 - Spreads via computer network - Exploits security holes W • Tappen's Internet Worm W W - Released worm onto Internet from W MIT computer - Spread to significant numbers of Unix computers W - Infected computers kept crashing or became unresponsive Figure 7.4 A worm spreads to other computers by exploiting security holes in computer networks.
    [Show full text]
  • How to Improve Data Security and Reduce Potential Liability for Data Breaches
    How to Improve Data Security and Reduce Potential Liability for Data Breaches Randy Gainer, Attorney, CISSP February 12, 2014 Topics . The risks of cyber attacks – Identifying threats – Conducting risk assessments . Choosing cost-effective security measures . Evaluating cyber insurance coverage 2 Identifying threats . If your business processes payment cards, card data thieves are targeting your customers’ card data: Trustwave 2013 Global Security Report, 8. 3 Identifying threats . Targeted malware – Deployed by phishing, poisoned websites, poisoned ads, watering hole attacks, and poorly protected third-party access tools. E.g., • Remote access accounts for service vendors that rely on weak passwords; and • Phished credentials for access to the cardholder data environment (“CDE”). 4 Identifying threats . Targeted malware – Programmed to find, copy, store, encrypt, and exfiltrate payment card data – Customized to avoid detection – Allows attacker to persistently communicate with, and exercise command and control of, the malware inside the target network – Permits an attacker to adapt to defenses (e.g., installs multiple backdoors to maintain attacker’s access). 5 Identifying threats . Targeted malware – Used to find assets on the network to steal: Insight Enterprise Intelligence tool. Used with permission. 6 Identifying threats 7 Identifying threats 8 Identifying threats 9 Identifying threats 10 Identifying threats 11 Identifying threats 12 Identifying threats . Issuers, merchants, and acquirers of credit, debit, and prepaid cards experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year. Card issuers lost 63% and merchants and acquirers lost the other 37%. Business Wire, August 19, 2013, citing The Nilson Report. 13 Identifying threats . Global Payments, Inc.
    [Show full text]
  • Cyberpro December 31, 2009
    Volume 2, Edition 26 CyberPro December 31, 2009 Keeping Cyberspace Professionals Informed Officers The articles and information appearing herein are intended for President educational purposes to promote discussion in the public interest and to Larry K. McKee, Jr. keep subscribers who are involved in the development of Cyber-related concepts and initiatives informed on items of common interest. The Chief Operations Officer newsletter and the information contained therein are not intended to Jim Ed Crouch provide a competitive advantage for any commercial firm. Any misuse or unauthorized use of the newsletter and its contents will result in removal ------------------------------ from the distribution list and/or possible administrative, civil, and/or CyberPro Editor-in-Chief criminal action. Lindsay Trimble The views, opinions, and/or findings and recommendations contained in CyberPro Research Analyst this summary are those of the authors and should not be construed as an Kathryn Stephens official position, policy, or decision of the United States Government, U.S. Department of Defense, or National Security Cyberspace Institute. CyberPro Archive To subscribe or unsubscribe to this newsletter click here CyberPro News Subscription. Please contact Lindsay Trimble regarding CyberPro subscription, sponsorship, and/or advertisement. All rights reserved. CyberPro may not be published, broadcast, rewritten or redistributed without prior NSCI consent. 110 Royal Aberdeen Smithfield, VA 23430 ph. (757) 871 - 3578 CyberPro National Security Cyberspace
    [Show full text]
  • Malware Risks and Mitigation Report
    MALWARE RISKS AND MITIGATION REPORT June 2011 BITS A DIVISION OF THE FINANCIAL SERVICES ROUNDTABLE 1001 PENNSYLVANIA AVENUE NW SUITE 500 SOUTH WASHINGTON, DC 20004 202-289-4322 WWW.BITS.ORG BITS Malware Risk and Mitigation Report Table of Contents 1. Executive Summary ..............................................................................................................3 2. Malware Evolution................................................................................................................3 2.1 Malware Categories...............................................................................................................................5 2.2 Malware Example .................................................................................................................................8 2.3 Polymorphic Malware ........................................................................................................................10 3. Malware Supply and Demand ............................................................................................ 10 3.1 The Malware Industry ........................................................................................................................11 3.2 Malware Supply Chain........................................................................................................................13 3.3 Beyond Crime......................................................................................................................................14 4. Malware in Financial
    [Show full text]