Archive for August, 2011

A new Prespective needd for 21st Cen CyberSecurity Warriors

Catherine Nicholas, manager, PwC’s Public Sector practice August 23, 2011 *

Last month, U.S. Deputy Secretary of Defense William Lynn III announced that the Department of Defense (DoD) was releasing a cybersecurity strategy explicitly recognizing cyberspace as a new and official warfare domain. The Pentagon’s strategy outlines circumstances in which a cyberattack against U.S. computer networks could be considered an act of war. Given recent widely publicized attacks that demonstrate advanced, growing threats in cyberspace, and the creation in 2009 of the U.S. Cyber Command, it is evident that the DoD is beginning to recognize the extreme threat that an organized, targeted cyberattack could pose to national security. With cyberspace as a newly recognized – and extremely complex – warfare domain, our military is now faced with the challenge of defending government networks, and perhaps even critical infrastructure systems relying on commercial networks, just as it has defended land, sea, air, and space. There will be many keys to the military’s success in defending this domain, but among the most important is its ability to recruit, train, and retain talent in this new area, one which is both unconventional and unfamiliar to many of our military leaders. The U.S. military has always been a world-class recruiting and training organization in its traditional warfare domains. Through a variety of recruiting programs that offer an array of professional development opportunities, the military has managed to recruit and retain a world-class, all-volunteer force that is able to meet and maintain mandated recruiting numbers. The military offers a number of tuition assistance opportunities and clear, defined paths for career progression. But while some existing programs may be suitable for recruiting, training, and retaining cyber warriors, a new perspective is needed to obtain both the quantity and caliber of talent necessary to defend the nation’s networks against increasingly sophisticated cyberthreats. Given the tendency toward constant connectivity and collaboration, which at times can conflict with the military’s regulated and restricted information environment, the millennial generation presents its own recruiting challenges. When coupled with the challenge of competing with private sector recruitment for top cyber talent, the U.S. military is faced with a daunting task. The challenge is not dissimilar to the early days of the air domain, when pilots were criticized for their radical views that did not fit neatly into military culture. Cyber practitioners thrive on the ability to foster innovative and unconventional thinking, typically in a highly collaborative environment. This can at times be in conflict with a regulated environment that promotes a regimented career path, which ultimately emphasizes and rewards general leadership over technical expertise in a specific domain. Yet some of the individuals most talented in the cyber domain might not have the same leadership aspirations and might function most effectively as technicians rather than leaders through the duration of their careers. Additionally, the military heavily relies on rank-based assignments; however, the greatest cybersecurity talent will likely resist assignments outside their area of expertise and passion. Given these challenges, how can the U.S. military provide a viable career path that will allow for effective recruitment and retention of talented cyber warriors? While the answer to this question is not straightforward, it is clear that more innovative human capital strategies are needed to address these significant challenges. To be successful, the U.S. military should consider some key differences in its approach to recruitment in the cyber domain. Develop a viable career path for individuals with specialized cyber skill sets, and advertise this career path in recruiting messages. The DoD should not limit its options when identifying the attributes of a cyber warrior and his or her typical career path. Officer, enlisted, and even civilian career paths should all be options. Some services may find it beneficial to devise a warrant officer career path for cyber warriors that are willing to invest the time it takes to develop and hone specialized, technical expertise in the cyber domain. Additionally, leadership positions should not necessarily be a required outcome in career progression unless specifically desired. While the military needs cyber warriors in its officer ranks, providing an officer path alone will not yield the large number of resources that are needed. For those cyber warriors who do desire leadership positions, offer the option of promoting these technical liaisons into leadership roles. The military needs technical liaisons to explain the mission impact of identified cyberthreats and vulnerabilities to military leaders and decision makers. Even in a controlled environment, find methods for embracing diversity of thought and collaboration. The environment in which cyber warriors will thrive is a highly collaborative one that encourages free thinking and innovation. Working side by side in a think-tank-like environment can produce a connection for like minds to collaborate and excel. This can even serve to reduce formal training costs because often the best training in this domain can occur on its own by physically or virtually collocating several passionate people to facilitate their knowledge sharing. Do not force cyber warriors into alternate career paths. Due to the specialized nature of the skill sets required by the cyber warrior, this discipline tends to draw people very passionate about the subject matter, individuals who will be largely disinterested in assignments outside the cyber domain and will serve the military best behind a computer rather than on the battlefield. The military should re-examine its rotation practices and rank-based assignments when allocating resources within the cyber domain. Find ways to reward technical expertise and increase retention. This is a challenging pursuit because private industry typically offers higher compensation for the skill sets the military is seeking. There are many methods for providing incentives, including more traditional tools already in use, such as tuition payment and specialized training; however the best way to reward the cyber warrior is with the opportunity to learn something new. The appeal of working in an environment that allows for exercising the latest and most innovative technologies will be the military’s best retention tool. The introduction of simulated environments to promote skill building, collaboration, and innovation could in many cases be its own reward for the cyber warrior.


1 Comment

Travelodge blames ‘vindictive individual’ for email database breach

The Register, By John Leyden, August 5, 2011

Travelodge UK has confirmed that a customer database security breach was behind the recent run of spam emails to its customers. Customers complained in June after receiving spam messages punting suspicious-looking “work-at-home opportunities” to email addresses they only ever used to make reservations with the hotel chain. Travelodge admitted the incident, which it has repeatedly assured clients did not involve personal financial information. It promised to bolster its security, as well as referring the matter to data privacy watchdogs at the Information Commissioner’s Office (ICO). Travelodge assured customers at the time that it had not sold on its customer details, which left the possibility that the exposed email list has either been leaked or that the relevant database had been hacked. Reg reader Jeff, one of those exposed to the Travelodge spam, pressed the hotel chain for a fuller explanation, minus the corporate marketing speak. Jeff forwarded copies of a second work-at-home spam email, sent in mid-July, with his query. In reply, Jeff received an ambiguously worded statement from Travelodge (extract below) that suggests Travelodge’s email database was indeed hacked into prior to the distribution of the offending messages. Travelodge has thus far failed to respond to attempts to clarify whether the “vindictive” individual who had “access to an unencrypted section of our marketing database” was an external hacker or a disaffected or corrupt worker.

Leave a comment

Millions hit in South Korean hack

BBC, July 28, 2011

South Korea has blamed Chinese hackers for stealing data from 35 million accounts on a popular social network. The attacks were directed at the Cyworld website as well as the Nate web portal, both run by SK Communications. Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites’ many millions of members. It follows a series of recent cyber attacks directed at South Korea’s government and financial firms. Details of the breach were revealed by the Korean Communications Commission. It claimed to have traced the source of the incursion back to computer IP addresses based in China.

Leave a comment

Suspected Anonymous hacker ‘had 750,000 passwords’

Naked Security (Sophos), By Graham Cluley, August 1, 2011

A London court heard this morning how 18-year-old Jake Davis allegedly had the login passwords of 750,000 people on his computer when he was arrested in the Shetland Islands last week. Davis is suspected by the authorities of being “Topiary”, the public face of the Anonymous and LulzSec hacktivist groups. According to a report in the Daily Telegraph, Westminster Magistrates’ Court heard that Davis was charged with five offences including unauthorised computer access and conspiracy to carry out a denial-of-service attack against the Serious Organised Crime Agency’s (SOCA) website, which overloaded the site with traffic. Furthermore, prosecutors are reported to have claimed that Davis’s laptop was found to contain the fake article announcing Rupert Murdoch’s death that visitors to The Sun’s hacked website saw for a period of time earlier this month.

1 Comment

University of Arizona computer security hacked?

By DA Morales on Aug. 4, 2011

The computer security at the UA seems tough to beat, or so it seemed until last night. If you have ever had to set up a password with the UA, they require you to change it once a year, and the new password selection process is grueling as you choose not a password but a “passphrase” that has to be about as a long as a midterm report. It can also bare no resemblance to your former passphrase in any way, and I would always end up forgetting my passphrase in about a week and starting the process all over. Despite this heightened security, last night the employee listserv (mailing list) was compromised and a very disturbing photo was sent to all recipients.

Leave a comment

Sun admits data stolen amid fresh hack claims

PCPro, By Stewart Mitchell, Aug 2, 2011

UPDATE: Personal details of thousands of Sun readers have been posted online following a potentially previously undisclosed hack attack on News International. The paper’s parent company sent out warning letters to readers explaining that compromised information could have been posted online, but it remains unclear when the data was harvested. Initial reports suggested the details were stolen at the same time as a July 19 intrusion, when hackers broke into the site posting false stories about the death of News Corp CEO Rupert Murdoch. However, the hacker claiming responsibility for the posting – under the Twitter name of Batteye – said the details posted online came from a completely separate attack. “Oh, the Sun haven’t a clue,” he tweeted. “I got my goodies before the 19th!”News International has admitted the problem, but believed the data was stolen in the July break-in.

Leave a comment

Citigroup Reports Security Breach – Idiots

The Street, By Shanthi Bharatwaj, 08/05/11

Citigroup has once again become a victim of a security breach. This time, it is the credit card unit in Japan. Citi Cards Japan said in a statement on its Web site that “certain personal information of 92,408 customers has allegedly been obtained and sold to a third party illegally.”  Information compromised included account numbers, names, addresses, phone numbers, date of birth, gender and the date the account was opened.  Citi has confirmed that personal identification numbers and security codes (CVVs) were not compromised. In June, Citi disclosed that hackers stole $2.7 million from 3,400 customers in North America in May following a major data breach. Citi was criticized for not reporting the breach sooner.  Citi Card Japan said it immediately reported the inappropriate sale to the relevant authorities and the police, has placed internal fraud alerts and enhanced monitoring on all accounts affected. So far no unusual or suspicious credit card transactions have been detected.  Should fraudulent transactions occur, affected customers will not be held responsible, the unit said in its statement.

Leave a comment