Cyber Security Summit Outlines Evolving Threats, Solutions

"The person who owns the data, needs to take responsibility to make sure it is secure. Each individual has some responsibility"



Presenters (L to R) panel member Gabriel Carrejo and moderator Bert Wakeley of Citrix; Mark Reardon, CISO of the Georgia Technology Authority; Richard W. Downing of the DOJ; and Terrence Fisher of the FBI

GTC's Wednesday afternoon Cyber Security Summit featured a keynote by Richard W. Downing, senior counsel of the DOJ's Computer Crime and Intellectual Property Section, followed by a panel of security heavyweights from industry, the FBI and the Georgia Technology Authority.

Downing, who developed parts of the Patriot Act, trains investigators and prosecutors on emerging technologies and works on undercover investigations and prosecutions. Downing said his section has about 40 attorneys with a wide range of responsibilities, involving prosecutions of hacking and intellectual property (IP) violations.

His overall message, he said, is that attacks on networks are a serious and growing problem, and he covered five areas of concern:
  • financial motivations of hacking
  • threats to critical infrastructures
  • coordination with "ordinary" criminals
  • new attack vectors
  • and the internationalization of the problem.

Financial Motivations
In the past, said Downing, hackers were often tech-savvy young people who worked alone, had no social life, and often targeted companies where they worked. Today, that has changed. An annual study by the FBI and CSI tracks companies and agencies and what changes they see in security threats. Last year, said Downing, the study revealed a shift to attacks on e-commerce companies where the target is credit card numbers, and data on payments and transactions. Downing showed examples of Web sites selling credit card information.

"Botnets" are also a growing problem, in which a distributed network of as many as 190,000 computers is infected by worms or other malware and then controlled by hackers, who can use the system to hide the source of spam or to overwhelm a Web site with traffic and shut it down. This threat is used to extort money from businesses that cannot afford a shutdown and that are convinced that law enforcement measures will not help them. For example, Downing cited a 2003 attack on a business that caused $200,000 in direct damages and an additional $1 million in damage and disruption to the company's ISP. One person -- who was a business competitor of the target -- paid hackers less than $2,000 to conduct the attack.

Threats to Critical Infrastructures
Threats to critical infrastructures are becoming more frequent, and this is obviously a source of concern to government agencies. Downing cited a 1998 case in which a telephone switch was hacked, affecting landing lights at the Worcester, Mass., airport. In 2000, a hacker in Queensland, Australia, broke into a system through a wireless network and released sewage before he was caught. In 2002, a worm shut down train signaling in many Midwestern states. And finally, a worm got into a nuclear power plant's safety system. Luckily the plant was not operational at the time, said Downing.

Coordination With "Ordinary" Criminals
Recently organized crime -- such as in Eastern Europe -- has become more involved in cyber crime, said Downing. Shadowcrew.com, for example, was very well organized in pursuit of hacking, network intrusion, fraud, identity theft, credit card fraud and financial institution fraud. They and similar groups generated a huge secondary market in stolen credit card numbers.

New Attack Vectors
Wireless has opened up more doors for hackers, said Downing. It is very easy to drive around with a laptop and antenna made from a Pringles can looking for unsecured 802.11 networks. In one week in Chicago, for example, a hacker mapped more than 80,000 access points.

Once wireless networks are found, they can be used in a sort of "hit and run" fashion to send spam, intrude on related networks, etc. But courts are handing out stiffer penalties. Downing cited the example of hackers who entered a retail chain's network from a car in the parking lot, penetrated the chain's network and began committing fraud. They were caught and convicted, and one of the perpetrators was given nine years in prison because of a prior hacking conviction, the financial motive and damage to the system.

Internationalization
The 2004 writer of the Agobot worm was arrested in Germany. The 2005 Zotob authors were arrested in Morocco and Turkey. Criminal activity is easy to perpetrate, and difficult to investigate if it occurs in or is routed through other countries. Knowing that, criminals frequently route cyber crimes internationally, said Downing.

"We often can't serve legal process in another country," said Downing, "and we must ask for assistance for law enforcement there." Some countries may not have laws in place to prosecute such crimes. Complicating the problem, said Downing, is that every country must have the same laws, or the crimes will be shifted to countries that lack them.

Solutions
"At the federal level we have done well," said Downing, "and state and local agencies are getting on board. We need to do better coordination with industry, and with the victims of these crimes, as some are not reported." Downing said that some companies, for example, are unsure where to report, or are unwilling for some reason.

Downing said his section is working to help other countries make cyber crime a priority and has worked on a cyber crime convention, and that 41 countries are now part of a network with savvy points of contact. "Investigators can at least preserve the evidence while the slow legal assistance processes go forward."

Downing emphasized, and the members of the round table that followed also stressed, that it all comes down to individuals and organizations becoming aware of the necessity for securing systems.

Security Panel
Panel participants outlined security measures taken in their own areas of responsibility. Terrence Fisher of the FBI, for example, said that agents are not allowed to use e-mail, and there is no wireless allowed in headquarters. Some managers have e-mail and there are secured systems that can be used, but for now, wireless and e-mail are seen as just too insecure for the kind of work the FBI does. Even Blackberries can send only to a secure server, and desktop computers have no CD or floppy drives or USB ports.

Mark Reardon, the Georgia Technology Authority's chief information security officer, said that making security absolute defeats the need for user access and convenience. However, he said, training staff on security matters helps them understand its importance. Years ago, he said, security had a "hard outer shell with goo on the inside." Now that has changed and it is a lot easier to catch misuse by insiders.

"The biggest challenge is awareness," said Reardon. "The person who owns the data, needs to take responsibility to make sure it is secure. Each individual has some responsibility."

The message of training and awareness seems to be working. A poll of the audience showed that 37 percent of those attending worked in agencies that had updated their wireless security policies within the past six months.

However, some troubling questions remain. What is your agency's policy on sharing passwords with a co-worker when on vacation? Are you allowed to put a CD from home into your work computer? Many help desks spend 80 percent of their time resetting passwords that staff have forgotten. Some still write them down and stick them on their desks, especially on infrequently used systems.

Wayne E. Hanson served as a writer and editor with e.Republic from 1989 to 2013, having worked for several business units including Government Technology magazine, the Center for Digital Government, Governing, and Digital Communities. Hanson was a juror from 1999 to 2004 with the Stockholm Challenge and Global Junior Challenge competitions in information technology and education.