|
Cyber
Information & Alerts
Click here for the
latest alerts.
Updated
6/11/10
ICS-CERT - Industrial Control
Systems Cyber Emergency Response Team
Click here
for further info
http://www.economist.com/node/16478792/print
The Internet Threat - War in
the Fifth Domain
After land, sea, air, and
space, warfare has entered the fifth domain:
cyberspace. By breaking up data and sending it
over multiple routes, the Internet can
survive the loss of large parts of the
network. Yet some of the global digital
infrastructure is more fragile. More
than nine-tenths of Internet traffic travels
through undersea fiber-optic cables,
and these are dangerously bunched up in
a few chokepoints - for example, around New
York, the Red Sea, or the
Luzon Strait in the Philippines.
Internet traffic is directed by just 13
clusters of potentially vulnerable domain-name
servers. Western analysts think China
deploys the most assiduous, and most
shameless, cyberspies, but Russian ones
are probably more skilled and subtle.
The next step after penetrating networks to
steal data is to disrupt or manipulate
them. If military targeting information
could be attacked, for example, ballistic
missiles would be useless. General
Keith Alexander, Director of
the National Security Agency (NSA) and head of
the Pentagon's new Cyber Command,
says the Defense Department and NSA
started cooperating on cyberwarfare in late
2008 after "a serious intrusion into
our classified networks." Jim Lewis of
the Center for Strategic and International
Studies says this refers to the
penetration of Central Command,
which oversees the wars in Iraq and
Afghanistan, through an infected thumb-drive.
Nobody knows what, if any,
damage was caused. But the thought of an enemy
lurking in battle-fighting systems
alarms the top brass. Cyberweapons are
most effective in the hands of big states. But
because they are cheap, they
may be most useful to the comparatively
weak. They may well suit terrorists.
Fortunately, perhaps, the likes of al-Qaida
have mostly used the Internet for propaganda
and communication. It may be that jihadists
lack the ability to,
say, induce a refinery to blow itself up. Or
it may be that they prefer the gory theater of
suicide-bombings to the
anonymity of computer sabotage for now.
FBI Suspects Terrorists Are Exploring Cyber
Attacks
(posted 11/23/09)
The FBI is looking at people with suspected
links to al-Qaida who have shown an interest in
mounting an attack on computer systems that
control critical US infrastructure, a senior
official told Congress Tuesday. While there is
no evidence that terrorist groups have developed
sophisticated cyber-attack capabilities, a lack
of security protections in US computer software
increases the likelihood that terrorists could
execute attacks in the future, the official
warned. If terrorists were to amass such
capabilities, they would be wielded with
"destructive and deadly intent," Steven
Chabinsky, deputy assistant director of the
FBI's Cyber Division, told the Senate Judiciary
Committee Tuesday. "The FBI is aware of and
investigating individuals who are affiliated
with or sympathetic to al-Qaida who have
recognized and discussed the vulnerabilities of
the US infrastructure to cyber-attack,"
Chabinsky told the committee, without providing
details. Such infrastructure could include power
grids and transportation systems. The control
systems of US infrastructure as well as money
transfers are now connected directly or
indirectly to the Internet. Hackers have been
able to penetrate computer systems running
components of the U.S. electric grid as well as
divert bank transfers. In an interview Tuesday,
former Homeland Security Secretary Michael
Chertoff said al-Qaida already has some
cyber-attack capability. "I don't think they're
the most capable in the world, but they have
some capability," he said.
http://online.wsj.com/article/SB125850773065753011.html?mod=WSJ_hpp_MIDDLENexttoWhatsNewsSecond
All This
Functionality in One Device!
Mobile communication devices (includes Blackberrys,
iPhones, smart phones in general) have become
indispensable tools for today's highly mobile
society. Small and relatively inexpensive, these
multifunction devices can be used not only for
voice calls but also text messages, email,
Internet access along with stand alone
applications similar to those performed on a
desktop computer. A significant amount of
personal, private and/or sensitive information may
accumulate or be accessed via these devices.
Additionally, some of these devices may allow you
to access your home computer or your corporate
network.
What Risks Do They Present?
While the devices offer many benefits and
conveniences, they also pose risks to you and/or
your organization’s security. As these devices
continue to take on the characteristics of
personal computers, they also inherit the same
potential risks. Some of the primary risks include
the following:
-
The portability of the device leads to a
higher likelihood of loss of the device.
Millions of mobile communication devices are
lost each year.
-
When Bluetooth
and/or wireless (not cellular) communications
are enabled, these devices are subject to the
risk of eavesdropping and “highjacking”.
-
“Malware” available, that if installed on your
device, can allow a perpetrator remote access
to your device to listen and record all of
your calls, send text messages to the
perpetrator whenever you make or receive a
call, read all of your messages, make calls on
your behalf from your phone, access all of the
information on your phone, trace your location
and enable the speaker functionally on the
phone to listen in on conversations even when
the phone is not in use.
-
Sites
purporting to offer “free games or ring tones”
are major vectors for distributing malware.
-
While the reports of worms and viruses
impacting these devices are relatively low,
this is expected to increase in the future.
Despite the risks outlined above, many users do
not understand how vulnerable their mobile device
is or how to deploy important security settings
and controls.
What Can I Do to
Secure My Mobile Communication Device?
The
following outlines steps you can take to protect
your mobile communication device. Some of the
steps are dependant upon the functionality of your
device.
-
Use a password
to access your device. If the device is used
for work purposes, you should follow the
password policy issued by your organization.
-
If
the Bluetooth functionality is not used, check
to be sure this setting is disabled. Some
devices have Bluetooth-enabled by default. If
the Bluetooth functionality is used, be sure
to change the default password for connecting
to a Bluetooth enabled device.
-
Do not open
attachments from untrusted sources. Similar
to the risk when using your desktop, you risk
being exposed to malware when opening
unexpected attachments.
-
Do not follow
links to untrusted sources, especially from
unsolicited email or text messages. Again, as
with your desktop, you risk being infected
with malware.
-
If your device
is lost, report it immediately to your carrier
or organization. Some devices allow the data
to be erased remotely.
-
Review the
security setting on your device to ensure
appropriate protection. Be sure to encrypt
data transmissions whenever possible.
-
Enable storage encryption. This will help
protect the data stored on your device in the
event it is lost or stolen, assuming you have
it password protected!
-
Beware of downloading any software to your
device. If the device is used for work,
follow your organization’s policy on
downloading software.
-
Before disposing of the device be sure to wipe
all data from it and/or or follow your
organization’s policy for disposing of
computer equipment.
For more information on securing mobile
communication devices, please visit:
National Cyber Alert System - Cyber Security Tip
ST06-007, Defending Cell Phones and PDAs Against
Attack
http://www.us-cert.gov/cas/tips/ST06-007.html
NIST
Special Publication 800-124, Guidelines on Cell
Phone and PDA Security
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
FTC
Consumer Alert – The 411 on Disposing of Your Old
Cell Phone
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt044.shtm
WTHR
News story on “Tapping Your Cell Phone”
http://www.wthr.com/Global/story.asp?s=9346833
McAfee – The Web’s Most Dangerous Search Terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf
For more monthly cyber security newsletter tips
visit:
www.msisac.org/awareness/news/
The information
provided in the Monthly Security Tips Newsletters
is intended to increase the security awareness of
an organization’s end users and to help them
behave in a more secure manner within their work
environment. While some of the tips may relate to
maintaining a home computer, the increased
awareness is intended to help improve the
organization’s overall cyber security posture.
Organizations
have permission--and in fact are encouraged--to
brand and redistribute this newsletter in whole
for educational, non-commercial purposes.
Brought to you by: www.msisac.org
Rogue (Fake) Anti-Virus Software: How to Spot It &
Avoid It!
(posted 5/26/09)
Click here for info
Water
Sector Cyber Security Roadmap
The Water Sector Coordinating Council Cyber Security
Working Group has released
The Roadmap to Secure Control Systems in the Water
Sector. This work was undertaken as a
result of the urgent need to secure cyber systems.
The document presents a strategic framework that
considers the risks and vulnerabilities of water and
wastewater utility process control systems, and
identifies milestones for utilities in securing
systems over the next ten years.
Water industry leaders strategize that implementing
this roadmap will result in process control systems
throughout the water sector but with no loss of
critical function in vital applications during and
after a cyber event. This vision confronts the
overwhelming technical, business, operational, and
societal challenges that lie ahead in strengthening
the resilience of critical systems against
increasingly sophisticated cyber attacks.
The
Roadmap
integrates the expertise of a broad cross-section of
asset owners and operators, industrial control
systems experts, and government leaders, who met
during workshops held in September and December
2007. The
Roadmap was developed by the Water Sector
Coordinating Council Cyber Security Working Group
with support from the Department of Homeland
Security National Cyber Security Division and the
American Water Works Association.
(posted 4/15/08)
Click
here to view or download the document.
The
Division of Local Government Services and the State
Office of Information Technology
are continuing its efforts to link government
technology coordinators throughout the State using
GovConnect. This initiative will help public agency
technology coordinators work with their peers and
deliver a higher quality service to the public. If
your agency's tech coordinator has not been
receiving e-mail from us about technology issues,
they should sign up for the service at:
www.nj.gov/dca/surveys/tcsurvey.htm

|