Monthly Archives: August 2013

Motivating adoption of cybersecurity frameworks

US-WhiteHouse-LogoThe Federal government is seeking to motivate businesses that operate our nation’s critical infrastructure systems to voluntarily adopt a Cybersecurity Framework currently under development by NIST (National Institute of Standards and Technology).  These systems include the electricity generation and distribution grid, transportation systems, and drinking water storage and distribution systems.  A preliminary draft is available now here and it will also be presented in two weeks at the University of Texas.

Roughly simultaneously, the Departments of Homeland Security, Treasury, and Commerce have been developing various options to try to provide incentives for companies to voluntarily adopt the Framework.  Per the White House Blog, there are eight core areas or approaches to incentives under consideration.

  1. Engage the insurance industry to develop a robust cybersecurity insurance market.  As discussed in an earlier post, this is not without it’s challenges.
  2. Require adoption of the Framework for consideration of Federal grants related to critical infrastructure or include as a weighted criteria as a part of the grant evaluation process.  This seems reasonable to me, though it only incentivizes those companies applying for Federal grants (but maybe that’s most companies?)
  3. Expedite government service provision for various programs based upon adoption of the voluntary Framework adoption.  Again, seems logical, though this one seems a short step away from changing the ‘voluntary’ part of the Framework adoption.
  4. Somehow reduce liability exposure of companies that adopt the Framework.  Per the White House Blog, this could include reduced tort liability, limited indemnity, higher burdens of proof, and/or the creation of Federal legal privilege that preempts State disclosure requirements. If one were a cynic, that last one could sound like buying a loop hole.  This whole core area of modifying liability seems to be to be pretty tough to manage, particularly to manage transparently and equitably.
  5. The White House Blog says that “Streamlining Regulations” would be another motivator for participating companies.  I don’t get this one.  I don’t understand how the government could “streamline regulations” for one company but not for another.  Sounds to me like interpret the law one way for one company and another way for another company.
  6. Provide optional public recognition for participating companies.  This one seems like a good idea.  Sort of a Good Housekeeping Seal of Approval, Better Business Bureau endorsement, or similar to Joint Commission on Accreditation of Healthcare Organizations endorsement for hospitals.
  7. Companies in regulated industries such as utilities could be offered some sort of rate recovery contingent upon adoption.  This seems reasonable logically, but I would imagine a bear to implement and manage (which is kind of a theme for many of these).
  8. The White House Blog says that “cybersecurity research” is an incentive.  This one I don’t get either. How does identifying weak spots in the Framework and encouraging research in those weak areas motivate Framework adoption? I mean it’s a good thing to do, but how does that make any one particular company want to participate.

While these are proposals for incentives for critical infrastructure companies, I’m wondering if some of these can serve as a model for SMB’s for adoption of cybersecurity standards for SMBs. Adjusting cyber insurance premiums based on participation would seem to be an obvious approach. However, as has been discussed previously, a mature cyber insurance market does not yet exist and it’s not a slam dunk that one will evolve sufficiently fast to address this need.  For SMB’s seeking government grants, to include SBIR (Small Business Innovation Research) grants, compliance with an SMB cybersecurity framework would seem to be a no brainer. Also, optional public recognition for compliance with an SMB cybersecurity framework would seem to be a practical approach.

What would motivate you as an SMB to adopt an established Framework?

Think it’s okay to keep running Windows XP?

From this Microsoft blog.

This was an eye opener to me.  I would have thought XP infection rates were in the ball park of Windows 7. And this is while XP is still supported!

While there is some obvious self-interest for Microsoft to promote migration from XP, my gut is that this is reasonable data.

What percentage of your computers are still running on XP?


Tipping Point

“Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world.”

John N. Stewart, Senior Vice President and Chief
Security Officer at Cisco in Cisco 2013 Annual Security Report.


Watering Hole Attacks

lion_at_watering_hole_Wallpaper__yvt2The biggest innovation in targeted attacks by malicious actors in the past year is in what is called Watering Hole Attacks, according to the Symantec Internet Security Threat Report 2013.

A Watering Hole Attack is indirect in that instead of attacking the target directly, malicious code is placed on sites that the target is known to visit.  According to Threatpost, watering hole attacks have been “used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations.” Two popular watering hole attacks in the past year have been on the Department of Labor and on the Council of Foreign Relations website.  Watering hole attacks have also been used on Facebook, Apple, and Twitter users when malicious code was inserted on a popular iPhone software development site.

How it works:

Watering hole attacks have multiple phases in their implementation:

  1. Victims/targets are researched and profiled to identify what sites that group (or individual) visit or are likely to visit.
  2. Those identified websites are tested for vulnerabilities
  3. Malicious code is injected on these sites
  4. At this point, the “watering hole” site is infected and ready to deliver malicious code to the targeted visitor when they appear.
  5. Upon visiting an infected site, the targeted visitor is redirected to another site where a separate bit of malicious code is downloaded onto the user’s computer.  At this point, the attacker has control of the targeted user’s computer.

One of the reasons that watering hole attacks are effective is that, in many cases, the watering hole website — that has been infected and is waiting to download malicious code — cannot be “blacklisted” because it is a legitimate site and needs to be operational.  An example is the Department of Labor site.  The site needs to remain available.

 What to do:

The primary activity that SMB’s can do to reduce the risk of watering hole attacks is to keep software current, aka “patched.”. For example, on user computers running Windows, allow Windows to auto update its operating system.  Larger companies might have the resources to employ network analysis and detection as well as data analytics to mitigate the watering hole attack. However, as we know, the expertise, staffing, and time for this sort of activity is typically not available to SMB’s.


What work-related (or non-work-related) websites do you or your employees visit?

DDOS attacks growing in size but shortening duration

ddosinfogramJeff Wilson with Infonetics Research suggests that attack motivations include:

  • politically motivated
  • state-sponsored electronics warfare
  • social activism
  • organized crime
  • general mischief


  • more than 2500 DDOS attacks per day
  • over 1100 botnets active as of end of July
  • duration of attack trending down — 86% < 1 hr

Network Computing suggests that reasons for increased attack size stem from:

  • increased capability of hosts (faster computers)
  • many more highly effective botnets are active 
  • businesses have higher capacity, so attacks need higher capacity in order to execute an effective DDOS attack