National Cyber Security Awareness Month
Posted by John Kuhn on October 05, 2010 at 1:02 PM EDT.
Since 2001, the month of October has been observed as National Cyber Security Awareness Month in the United States of America. The initiative is sponsored by the National Cyber Security Division (NCSD) of the Department of Defense. The purpose of the month is to raise awareness of cyber threats and the safeguards against them.
2010 is the year that we really need to take this awareness month to heart, as the current state of Internet threats is far more life impacting than in years past. Malware sophistication is inevitably increasing, and most malware is now part of elaborate botnets with the ability to steal information or launch attacks against other computer systems. The command and control mechanisms used in these botnets are often proprietary and sometimes encrypted to evade standard protection. What does that mean to you? It means that the bad guys are motivated, and the biggest motivator of all is money.
Recent news reports discussed the arrest of multiple individuals by the Ukrainian police for using the Zeus botnet toolkit to steal $70,000,000 from US and UK bank accounts. These bank accounts did not belong to Fortune 500 companies; they belonged to small to medium sized businesses, municipalities, and individuals who were duped by the trojan and whose online banking information was subsequently stolen. Zeus itself is not a singular group of people or a single botnet; it's a toolkit that people can use to build their own money-stealing ring of hijacked computers. The surprising part to many is that the toolkit is rather cheap, from $100s to $1,000s depending on the level of sophistication you require, providing a heavy return on investment for the criminal. It's important to know that many of the mechanisms used to spread Zeus can be avoided with a security-first attitude. Importance needs to be placed on training users not to open suspicious attachments or download unknown content and programs that might be harmful.
Larger businesses and enterprises with classified information not only face threats such as Zeus, they also face highly targeted attacks like the Advanced Persistent Threat (APT). The concepts of APT were new to many, but old hat for security researchers who have seen many targeted attacks in the past. Some interesting aspects were highlighted during the more publicized attacks like Aurora, where it was relatively easy to enter a large company's network with some very low-tech means. The castle wall mentality of securing only your border no longer holds. We need to put more focus back on layered security throughout our entire network. Cyber security education is now a must: training people not only to have good judgment online, but also to know what's accepted on your corporation's network. The easiest point on a network to attack is at layer 8 (the user), and proper education is a solid safeguard against these attacks.
Stuxnet has been making many headlines recently and is dubbed by some as the "Malware of the Century". There is no doubt the level of sophistication used in the malware is unprecedented, and the criminals definitely had a goal in mind. The worm, however, shows us a little of what cyberwar could be: attacking control systems is a real danger to everyday people and their lives. While the issue of cyberwar seems over many of our heads, awareness can only help us all to understand the issue and keep us from aiding any initiatives.
These are just a few examples of why Cyber Security Awareness Month is an excellent idea, and the lessons we hopefully learn this month will stay with us throughout the year.

