September 5, 2012 By Wayne Hanson
Gen. Keith B. Alexander, head of the United States Cyber Command, warned recently that between 2009 and 2011, cyberattacks on American infrastructure has increased seventeen-fold. Attacks on critical infrastructure such as water, electricity, communication and computer networks are escalating, and would have serious consequences if successful. That puts a heavy burden on cities and counties to protect their systems, especially with reduced budgets, few staff and fewer jurisdictions having chief information security officers.
Attacks are a problem around the globe. A just-released 2012 Norton Cybercrime Report, for example, said that 1.5 million people fall victim to cybercrime daily, at a cost of $110 billion annually. Two-thirds of adults online have been the victim of cybercrime at some time, and nearly half of them have fallen victim to malware, viruses, hacking, scams fraud and theft in the past year.
For those dreaming of a silver bullet to solve the problem, Steven Bellovin, Columbia University professor of computer science, said a few years ago that "the odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there's no single cause or solution to that. In fact, I seriously doubt if there is any true solution; buggy code is the oldest unsolved problem in computer science, and I expect it to remain that way."
So in the absence of a panacea for this infuriating, expensive and seemingly intractable problem, what can cities and counties do to protect themselves — especially if their IT departments have been slashed, with not a chief information security officer in sight?
There is no single way to avoid getting sick, and likewise no single way to avoid all cyberattacks. But there are numerous strategies to reduce one’s chances for trouble. Will Pelgrin, CEO of the Center for Internet Security, likens it to layers of an onion, and there are simple steps anyone can take to reduce the likelihood of a successful attack on computers, data and systems. Here are two very basic steps you can take. You’ve no doubt heard them before, but that’s because they are fundamental to security:
1. Use Strong Passwords and Firewalls: Passwords are inconvenient, especially strong ones, as they are hard to remember. But like the keys to the front door, passwords allow entry to systems and data. You can check the strength of your password here. Pelgrin said not to use the same password for your home computer or home system that you use at work. It would be like using the same key for your house, car, office and storage facility. If someone makes a copy of that one key, they have access to everything. If hackers get into one system, they can try that password on any other systems (social networks, mobile devices, etc.) that you use. “Keep your city or county password strong and don’t use it anywhere else,” and change passwords regularly, said Pelgrin,.
The next layer of the defensive onion is a firewall. Many people don’t know what they are for, and don’t activate them. If someone knocks at your front door, you would most likely find out who they are and what their business is before inviting them in. A firewall does that for your computer. It analyzes traffic coming from the Internet, for example, that’s going into your computer system. The firewall allows some traffic and stops others based on operating rules designed to protect your computer or system from attacks. Most firewalls offer a choice of “on” or “off.” To have this layer of protection, make sure your firewall is on.
2. Use Anti-Virus Software and Keep it Updated: Viruses are so named because they make copies of themselves, and infect computer systems by traveling from computer to computer over the Internet or wirelessly. They can erase, change or steal information — even hijack your computer and allow someone else to use it. Your protection against biological viruses are immunizations and isolation; your protection against digital viruses is anti-virus software and behavioral measures such as not opening suspicious email. Anti-virus software should always be installed and kept updated, said Pelgrin.
Pelgrin recommended the Australian government's security mitigation strategies, which include the following items:
3. Applications: Patch applications such as PDF viewer, Microsoft Office and Java within two days of threat notification.
4. Operating System: Use the latest operating system version and patch within two days for vulnerabilities.
5. Access: Restrict the number of users with administrative access privileges to those who actually need access.
6. Whitelist: Whitelist applications to help prevent malicious software and other unapproved programs from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.
Risk will never be eliminated, said Pelgrin, but a jurisdiction can reduce exposure significantly with a few simple actions.The last four items above, he said, by themselves would prevent 85 percent of all cyberattacks.