Information systems security and the ongoing consequences of always being reactive – 16: the internet of things and the emergence of next generation DDoS attacks
This is my sixteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and loosely following for Parts 5-15.)
In a very real sense this is also a posting where I find myself writing out of order from what I have been intending, as circumstances intervene and provoke a rethinking of that. I had been planning to write to this blog about the internet of things for several months now, and I am still planning on doing so. But I see reason to start addressing that more general topic area here, and before building a more organized framework of discussion on it, with at least a brief discussion of its information security implications coming first.
In anticipation of that fuller discussion, I would divide the internet of things paradigm into two distinct if connectible approaches:
• The Internet 1.0 of Things, where more and more items and objects are tagged in ways that let them be connected into the internet and tracked through it.
This is, in its extreme, where every item or object that can be RFID tagged is, and where anything not RFID tagged carries a standard one-dimensional or two-dimensional barcode instead. Think of this as enabling a universal supply chain capability; this is where the number of nodes on the internet could conceivably expand from the billions of computers, tablets, handhelds and smart phones of today to trillions and more connected points – with all of those tagged items passively interacting as they are tracked and remotely inventoried for identity and position.
• The Internet 2.0 of Things, where more and more nodes and types of node are added that communicate and interact bidirectionally with the internet and with other nodes, and do so more actively and even proactively than would be possible with simple ID tagging.
This is where the dream house of tomorrow comes in, where a smart refrigerator would know that you have only one egg left and that you are about to run out of milk, and that you always want at least six eggs and a half quart of milk on hand – so it orders them as per routine programming from Fresh Direct, verifying first that you have not already done so. More real-world and here-and-now, this is where you can use a smart phone app and a smart, connected thermostat to raise the temperature of your house back up to the “return home” setting from a colder “away” setting on a winter weekday when you realize you will be getting home early. And for purposes of this posting that also includes an increasing number of devices that we do not think of as computers or as being connected to the internet per se at all – but that are. As an example there, I cite the cable box that so many of us have hooked up to our televisions for accessing a programming content provider service such as Time Warner Cable. We tend to think of those boxes as nodes in dedicated, special use systems – in this case limited to accessing television programming service. But those same set-top boxes can be used in combination with an internet service such as Netflix’s instant viewing service to access a streaming version of a movie – via the internet and directly to our televisions.
• The primary source of vulnerability that we all face in online and information security, and in computer systems security is always “the unexpected.”
When we as end users do not think of those cable boxes – or other online-connected and connectible resources – as computers and as at least potential internet nodes, we do not think about securing them from outside access or control. When the cable service provider and others who send these resources out and set them up for their customers do not think about them that way either, each and every one of them, set up and connected in, becomes a target of opportunity for black hat hackers.
The internet of things, and particularly in its 2.0 form, creates a whole new world of exploitable opportunity for black hat hackers, particularly when that potential is left open and unexpected. And this brings me to the specific threat assessment topic of this posting: the emergence of a whole new type of distributed denial of service (DDoS) attack that capitalizes on the distributed vulnerabilities of cable boxes and similar devices as new sources of third-party controllable online activity – with the capability of assembling larger botnets than ever before out of them.
We are already beginning to see this new and emerging arena of vulnerability being exploited, and certainly for those set-top cable boxes. The prospect of the fully wired home, with refrigerators and thermostats and more able to connect online for remote home-SCADA management, indicates that this arena of emerging vulnerability will only become more important. Imagine all of this as being vulnerable to outside botnet control – and that takes into account only household devices and resources, which on their own potentially number far more than all the desktop, laptop and other computers suborned in a traditional DDoS attack – and all the servers that would be targeted. Now add in the still wider potential for expanding this out in a more general internet of things, and particularly an internet 2.0 of things that is more generally and globally developed. And of course DDoS attacks only represent one possible form of attack here.
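The defining feature of the botnet-driven attack described above is that the load arrives from a very large number of sources, each of which sends very little, so a per-source rate limit never fires. The following added example (not code from the original post) shows the kind of detection a defender would run instead: counting distinct source addresses per destination per time window over a connection log. The log lines and the field layout (epoch seconds, source IP, destination IP) are constructed for illustration, and the threshold is an assumed value a real deployment would baseline from its own traffic.

```python
"""Added example (not from the original post): flag a *distributed*
flood by counting distinct sources hitting one destination per window,
and contrast that with a per-source rate check that such traffic evades.
Log lines are constructed; field layout (ts src dst) is an assumption."""
from collections import defaultdict

# Constructed connection log (documentation address ranges only).
# 60 s of benign traffic: five clients, 203.0.113.10 is the service.
SAMPLE_LOG = [f"{1000 + t} 10.0.0.{t % 5 + 1} 203.0.113.10" for t in range(60)]
# Then 30 s in which 300 distinct sources each send exactly one request.
for i in range(300):
    src = f"198.51.100.{i + 1}" if i < 250 else f"192.0.2.{i - 250 + 1}"
    SAMPLE_LOG.append(f"{1100 + i // 10} {src} 203.0.113.10")


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst)."""
    ts, src, dst = line.split()
    return int(ts), src, dst


def distinct_source_windows(lines, window=10):
    """Map (dst, window_start) -> set of distinct source addresses."""
    buckets = defaultdict(set)
    for line in lines:
        ts, src, dst = parse_line(line)
        buckets[(dst, ts - ts % window)].add(src)
    return buckets


def flag_distributed_floods(lines, window=10, threshold=50):
    """Return [(dst, window_start, distinct_sources)] for every window in
    which more than `threshold` distinct sources hit the same destination.
    This is what catches many-low-rate-sources traffic."""
    alerts = []
    buckets = distinct_source_windows(lines, window)
    for (dst, start), srcs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(srcs) > threshold:
            alerts.append((dst, start, len(srcs)))
    return alerts


def max_per_source_rate(lines, window=10):
    """Highest number of requests any single (src, dst) pair sent within
    one window. A classic per-source rate limiter keys on this value."""
    counts = defaultdict(int)
    for line in lines:
        ts, src, dst = parse_line(line)
        counts[(src, dst, ts - ts % window)] += 1
    return max(counts.values())


if __name__ == "__main__":
    for dst, start, n in flag_distributed_floods(SAMPLE_LOG):
        print(f"ALERT {dst} window {start}: {n} distinct sources")
    # Each attacking source sends once per window, so the per-source
    # rate never exceeds the benign clients' two requests per window.
    print("max requests from one source per window:",
          max_per_source_rate(SAMPLE_LOG))
```

In the constructed data the per-source peak is 2 requests per window, set by the benign clients, while the three burst windows each show 100 distinct sources against one destination; only the distinct-source check raises an alert. The same counting can be keyed on a /24 prefix or an autonomous system instead of a single address when the attacking devices are spread across many networks.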
As I noted at the beginning, my original intent was to delve more into what an internet of things is first, and then with that as foundation turn to consider its security issues and how they might be addressed. But the order I am presenting this in here may in fact be the best, as:
• It is vitally important that potential information security and related issues be understood and addressed from the beginning, and from initial design and implementation rather than waiting until systems are in place and infrastructure built – and any response would have to be piecemeal and reactive.
I will add, in that context and as a historically all too well known example, that it is all too easy to spoof the identity of an email or other online content sender. That, in principle at least, could have been addressed and forestalled early on, even at the very beginning ARPANET stage of internet development when the initial core connectivity protocols were first being developed. That was not done; source authentication was not built into the core networking architecture of the internet from the beginning, and we are still dealing with the consequences of that lack of foresight as they continue to unfold.
I am going to start a series on the internet of things soon now, in follow-up to this posting. Meanwhile, you can find this and related information security-related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 15: putting the puzzle together as a strategic and operational process 3
This is my fifteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-14.)
I usually write my postings to this blog fairly quickly and without any real pause – I know basically what I want to cover in them and how, and simply flesh out the details as I write, knowing I can add another series installment if needed. I have, however, been thinking about this posting for several days now – and in this case precisely because I do know and clearly, the basic message that I would seek to convey. In a real sense this posting is what this entire series has been building towards.
I sit down to write this thinking of the meat-grinder conflict of World War I, and of how so many, trained and equipped for a previous century’s war, were thrown into a trench warfare environment dominated by machine guns and early stage but still deadly armored weapons such as tanks. And it is in this setting that men on horseback, as if still 19th century cavalry, met chemical warfare and the strafing of aerial attack.
• Millions died and have seemingly always died because potential next wars are prepared for as if their general officers were going to fight the last war.
And I write this with a conversation in mind that I participated in a couple of years ago at the end of a cyber-security meeting. I was talking with a speaker who had just given a detailed and, I admit, interesting presentation, and this speaker and his aide had a lot to say, some of which was probably not intended. The speaker was a general officer and his aide was a full colonel, and both were actively serving in and leading the national cyber-defense effort. And what they had to say and their focus of concern sent chills down my spine and brought me to think of those soldiers in the trenches of World War I then too. Their primary concern, as far as safeguarding mission-critical systems went, was in safeguarding networks, and particularly government command and control networks, from threats like denial of service attacks. So they spoke of packet authentication and other defensive approaches. They were preparing to fight and to mount a defense from what could only be seen as a last war mentality.
I have been writing in this series about a series of issues and factors that would perhaps serve as grounds for reconsidering the nature and targets of potential cyber-threats and both from private sector and governmental/military sources, and stealth is likely to be the hallmark of any serious 21st century military-based or large scale private sector-based attack, with efforts made to install malicious software that would not show itself or even be readily detectable unless and until activated. A frontal assault denial of service attack, if launched, might only be developed as a distraction and a diversionary tactic. And the real targets of any large-scale and definitive attack might be found more in largely private sector national infrastructure systems such as power grid and communications SCADA control systems, than anywhere else – as successfully targeting them could in principle paralyze an entire country.
I tend to be circumspect and do not, for example, generally name my consulting clients when I write to this blog. I do not name them in my LinkedIn profile either. And I have been known to mask at least some identifying details when drafting case studies from my own work experience. But I have decided to write more bluntly here and to more directly express these concerns here. And with that as an all too real-world case study example I state that private or public sector or combined:
• We cannot defend ourselves from cyber-threat if we only think in terms of and prepare for a last war, and as if next-war potentials were not and could not be developing around us.
History has shown the foolhardiness of a last war mentality in more traditional military conflict. And if anything, the pace of technological development in computers and networked systems, and in their uses have made this concern even more pressing for any potential cyber-conflict arena.
I have alluded, much more obliquely, to this meeting and conversation before in this blog, at least once, and spell out its issues and my concerns stemming from it more clearly and directly here. And that is why I paused and thought before writing this for open online publication. The officer I wrote of above is very intelligent and highly trained – with a PhD in electrical engineering and a background that is fairly solid in computer systems hardware among other things. But the generals of World War I were intelligent, articulate, educated and experienced too – even as they sent horse cavalry to the barbed wire and machine gun trench warfare environment of that conflict.
The basic principles and concerns that I write of here apply across the board for acknowledging and dealing with cyber-threat. We can do better and we must. And I finish this posting and this series with that, and looping back in my thoughts to the reactive versus proactive lines of argument that I have raised here, and the other issues that I have touched upon – as only one small part to a larger and more complex story.
I might very well find myself coming back to this topic area in future postings. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 14: putting the puzzle together as a strategic and operational process 2
This is my fourteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-13.) It is also a direct continuation of Part 13, where I first wrote of the first, second and now rapidly approaching third waves of black hat hacker and cyber-criminal activity.
To repeat, or at least expansively paraphrase from the end of Part 13 and continue from there:
• Early, first wave hackers primarily sought to show their prowess and count coup by proving that they could gain access to computer systems. Their vulnerability identification efforts were closely held as proprietary to themselves so as to limit competition from their peers, and the exploits that they developed were highly individual and crafted as exercises in their personal technical mastery.
• Second wave black hat hackers then moved in with a strictly for-profit motive. Some, of course have shown as high a level of computer technology savvy and expertise as any first wave hacker, but here that skill and its fruits became commoditizable products and services, and the buyers of their efforts need not be computer technology experts of any type – only business people who see value in these business supporting capabilities.
• At the same time that first wave hacking was being supplanted by a second wave as the primary source of motivation for malicious online and computer-targeting activity, the first low level and ineffective efforts to standardize and streamline exploit development began to take form. I have already noted those first steps in Part 1, where I wrote of script kiddies, who either attempted to hand assemble their own malware code from more expertly developed blocks of code that others had produced, or who used early development tools to do this for them.
• On a non-malware track, legitimate software developers work with blocks of code that others develop, both by tapping into established code libraries and by developing larger programs in coordination with others, where their own work has to fit in and work with the products of other developers’ efforts. Think team development of large object oriented software packages as a working example there. So this basic approach does not in and of itself necessarily mean lack of skills – it can also be pursued as a route to faster and more efficient development. For malware production this of course carries a price. Among other things, reusing lines of programming code might mean that a presumably “new” malware threat is already known to the reactive malware-detecting security software in place, because it contains specific code snippet sequences already in that software’s malware definitions libraries. So when the code developed is static, reuse of established code that has already gone out to the world as a means of productivity and product development improvement can be self-limiting.
• Then polymorphic code arrived on the scene and two things happened. The potential threat profile that would have to be identified and blocked by standard reactive gatekeeper software such as anti-virus programs began to grow hyper-exponentially, and reuse of code specifically designed to give a threat polymorphic variability as it spreads might remain as difficult to generically identify by reactive means as if it were completely novel. This, I add, would particularly apply if the polymorphic engine component of a malware package were itself developed in each specific instance through a polymorphic code generator. And this brings me to the next step of this code development and its evolution.
• When malware producers went commercial and developed and sold their wares as profitable market offerings, pressures developed and increased to produce more, better, and faster. More and more sophisticated and I add expensive development tools began to be added to the malware designer’s and producer’s toolkits. And the rate of development of new malware threats with no previously identified code signatures to identify them skyrocketed. And this brings me to here and now.
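The "code snippet sequences already in its malware definitions libraries" mechanism above is worth seeing concretely, because it explains both why reuse of static code gets caught and why a definitions library can only ever describe what has already been seen. The following added example (not code from the original post, and not any vendor's engine) is a minimal signature scanner: each signature is a hex byte pattern in which `??` stands for any one byte, in the style of YARA hex strings, and a sample is flagged when any signature occurs anywhere in it. The signature names, byte patterns and sample files are all constructed for illustration.

```python
"""Added example (not the post's own code): a minimal byte-signature
scanner of the kind reactive anti-malware definitions rely on. Patterns
are hex bytes with '??' wildcards. A reused code block is detected even
inside a file never seen before; a sample without any known block is
not, which is the limit of purely reactive matching. All signatures and
samples are constructed."""


def compile_signature(hex_pattern):
    """'e8 ?? 00' -> [0xe8, None, 0x00]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_signature(data, pattern):
    """Offset of the first occurrence of `pattern` in `data`, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


# Constructed definitions library: name -> wildcard hex pattern.
SIGNATURES = {
    # a constructed 8-byte code block; the two '??' bytes are an operand
    # that varies between builds, so they are wildcarded
    "Constructed.Dropper.A": "e8 ?? ?? 00 00 5b 81 eb",
    # the ASCII string "http://" followed by a NUL terminator
    "Constructed.Downloader.B": "68 74 74 70 3a 2f 2f 00",
}
COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data):
    """Return [(signature_name, offset)] for every signature found in data."""
    hits = []
    for name, pattern in COMPILED.items():
        off = find_signature(data, pattern)
        if off != -1:
            hits.append((name, off))
    return hits


# Constructed samples. REUSED_BLOCK is the block the first signature was
# written for; it reappears unchanged inside an otherwise new file.
REUSED_BLOCK = bytes.fromhex("e8120000005b81eb")
KNOWN_SAMPLE = b"\x90" * 8 + REUSED_BLOCK + b"\xcc" * 4
NEW_BUT_REUSING = b"MZ" + bytes(range(30)) + REUSED_BLOCK + b"\x00" * 3
CLEAN_SAMPLE = bytes(range(64))

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("new-but-reusing", NEW_BUT_REUSING),
                          ("clean", CLEAN_SAMPLE)]:
        print(f"{label:16s} -> {scan(sample) or 'no match'}")
```

Run as written, the scanner flags both the original sample and the new file that reuses the same block at offset 32, and passes the sample that shares no bytes with the library. That is exactly the trade the post describes: static reuse is cheap for the producer but leaves a stable sequence for definitions to key on, which is why the next step in the post is code that does not stay static.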
If I were to succinctly if somewhat cartoonishly summarize the first two waves and introduce the third I would probably do so as follows:
Wave 1: The script kiddie approach, giving way to more and more sophisticated automated malware development tools with visual programming and related technologies.
Wave 2: Development and spread of polymorphic code and the capacity of malware to adaptively change to stay effective when deployed, coupled with larger scale and business production level malware innovation, development, production and sale.
Wave 3: The application of web 3.0, or semantic web and artificial intelligence (AI) technologies to flexibly automate threat vectors and their production, distribution and management.
I wrote this three step progression strictly in terms of technology deployed. Technology enables, and progressively more enabling technology brings progressively wider ranges of participants into this activity. Newer and more flexible malware technologies and methods of developing and deploying it open doors to new players who bring in new motives and reasons. And the more automated and standardized malware production becomes as a marketable commodity, the less necessary it becomes that any buyer/deployer have hands-on technical skills of their own. They only need a business model and capacity to follow through on it that would call for malware as a part of their tool set, and a source of motivation and direction that would lead them to do so.
So some of the organizing understandings as to who is deploying malware and why that would go into developing a more proactive response system are at the very least getting more complicated. The primary sources of threat are not going to fit into a basic, simple, generic monetary profit motive model anymore. And simply adding in the variously skewed perspectives that different governments can display when preparing for their cyber-“defense”, will not necessarily complete the threat source assessment set as a simple addition to what has to be accounted for in combination with wave 2 profit motives.
If I were to summarize this operationally, I would state that the current and ongoing sweep of evolutionary change in malware production and in black hat hacker activity in general is to:
• Progressively increase the pace of change in what threat profiles have to be addressed, and
• Progressively increase the pace of change in which new types of vulnerabilities have to be identified and new exploit types addressed,
• While decreasing the visibility of the human sources of these events and their threat profiles and reducing their accountability,
• By making successful exploits more surreptitious and less overtly visible to infected and compromised systems and users.
I am going to continue this discussion in a next series installment where I will more fully discuss third wave hacking and malware. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 13: putting the puzzle together as a strategic and operational process 1
This is my thirteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-12.)
I have touched on a fairly wide range of issues in this series, related to cyber-security and cyber-threat and from both a reactive and a proactive perspective. I have also been pursuing this line of discussion in terms of a wide range of participants, from the level of the individual computer user and the individual black hat hacker through to that of systems owners and attacker organizations, large scale networks and business ecosystems and that of national level governments as they variously define and pursue their national defenses. This is important; information security and its challenges play out at multiple levels and all of them interact and impact upon each other. So any effective response to security threats to computer and information systems has to be holistic and comprehensive, and be developed and implemented from a wide-angled-vision perspective.
• I wrote in the first half of this series about reactive and proactive cyber-security and how reactive-only is becoming increasingly irrelevant as a historically outdated defense paradigm.
• I wrote about proactive systems as a more effective if still emerging alternative.
• I then wrote about layered defensive systems and the need to incorporate the full range of tools and options to meet rapidly evolving challenges.
• And through all of that, I have been discussing the need to know the objectives and reasoning of any information security adversary, and whether that means understanding why and how individual black hat hackers seek to gain access to closed and proprietary computers and systems, or why and how nation states (e.g. China and its recent activities) would seek to do so. In both cases, the How of this is shaped by its corresponding Why.
Who are the largest players in the world as of this writing, as sources of information security threat and challenge? Any such list would be incomplete, and its entries would change with time, but a few likely participants come to mind.
• I would still include the loosely but still effectively organized social and business network of criminal hackers and their supportive peers who operate out of what were the old Soviet Union and Warsaw Pact countries, with much of their phishing and spear phishing and related activities directed towards the West going out through Romania (see Romania and North Korea – a brief tale of two generations.)
• Continuing on from my discussions of Part 11 and Part 12 of this series, China and the United States have become increasingly, and increasingly openly, involved in cyber-security at a national level, and in developing defensive and offensive capabilities for the cyber-battlefield with its mix of civilian and governmental targets. And a host of other countries have become involved in this too, with Iran, Russia, the countries of the European Union and a wide range of others developing and even real-world testing cyber-warfare systems. I have written fairly extensively on Stuxnet and its origins, as this cyber-warfare weapon was used against Iran and its budding nuclear technology program (see my 15 part series on that as posted to Ubiquitous Computing and Communications – everywhere all the time as postings 58 and loosely following.) Even North Korea has begun a focused and prioritized cyber-warfare program, springing technologically, at least in significant part, out of their efforts to build their own counterpart to China’s Golden Shield Project – to “safeguard” their citizens from outside news and opinion or from opening dialogs within their own country about their lives and circumstances.
• And as a third example I would explicitly note that the largest players in the black hat arena are not necessarily the largest individual players. Consider spam in that, and how spam can be both a marketing approach for grey market businesses such as pornographers and bogus Viagra sellers, and a mechanism for infecting computers and networks with malware and for gathering personal information from computer users. The vast majority of spam still seems to be sent out by what amount to small business entrepreneurs. As their business model they sell spam distribution services as a marketing offering, and many also engage in identity theft activities, and more particularly in the marketing of personally identifiable information that they collect through their efforts, in the types of marketplaces that I discussed in this series in Part 8. Collectively, spam entrepreneurs still constitute a very major player.
• Remember in this context, and with that third example in mind, that it can be as easy and in most respects just as inexpensive to send out a spam message to millions as it is to send to just a few, so this business model is very readily scalable. There are specific individuals who have in effect built their own spamming and, I add, phishing empires. At least one of them, operating out of a trailer park outside of Sarasota, Florida in the United States, initially got into this business as a newer online variation on what amounts to the family business. His father and his father’s father both followed similar pursuits; his grandfather got his start in business as a young man selling underwater “Florida beachfront” property to unwary out of state buyers. At one point just a few years ago his business accounted for a surprisingly significant percentage of all spam emails sent out in the entire United States – until he was caught, that is. Others quickly took his place as he went off-line.
But identifying major players and player categories in this, and looking for ways to more effectively and proactively respond to them, can only be one part of taking a more holistic approach.
I am going to continue this discussion from a very different approach in my next series installment, where I will look into what can be seen as the emerging third wave of development and implementation in black hat hacking. And in a fundamental sense, this is going to be a direct continuation of a line of reasoning that I began with Part 1 with its discussion of:
• Early, first wave hackers who primarily sought to show their prowess and count coup by proving that they could gain access to computer systems, and
• Second wave black hat hackers who moved in with a strictly for-profit motive.
I am going to start my discussion of the soon to be three waves of black hat hacker identity, agenda and action with a focus on general methodology and technology approaches, and will then move on to consider what players are actively developing and advancing this next wave – and its consequences for cyber-security. One consequence of that is that I will undermine the significance of the “big players” discussed above for moving forward, as technology enables even the smallest and most part-time to function as if a major organization and a major player. That is going to be a major factor moving forward. It will no longer be possible to organize and prioritize response on the basis of the apparent prominence of a black hat threat source. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 12: defensive and offensive systems and the large grey area in between
This is my twelfth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-11.)
I began a discussion of information and computer systems and network security as a matter of national security in Part 11, citing two countries in this context for their differing approaches: The People’s Republic of China and the United States of America. And I ended that posting by noting a very basic fact that should enter into any discussion of cyber-based national security:
• It can be difficult if not impossible to draw a clearly defining line between defense and offense in any cyber-conflict or in any real, organized attempt to prepare for its possibility.
• What one country sees as defensive on its part and justifiably so when couched in terms of their assumptions and concerns, both explicitly stated and simply assumed,
• Can be seen as offensive and even as a direct threat by another as it considers its defensive needs and through the prism of its assumptions and reasoning.
I cited China’s Unit 61398, an advanced persistent threat unit of their People’s Liberation Army (PLA) as a working example, and how they have been actively seeking ways and developing tools for compromising both:
• Private sector business computer systems and networks, and
• The Supervisory Control and Data Acquisition (SCADA) systems that coordinate and manage our critical national infrastructure systems such as our electrical power grid, our telecommunications systems, our air traffic control systems and our internet backbone here in the United States, and in other countries as well (e.g. in the European Union.)
• From the perspective of the United States and the US Cyber Command, and from the perspective of the US government, this constitutes a grave threat and it can only be considered an act of offense and aggression. I freely admit that I take that view of this action too, which for that unit of China’s military has been ongoing since 2006 at the very least.
• I would also argue that from the perspectives of China’s military and their Party leadership – their Politburo Standing Committee of the Communist Party of China – they see this as taking a largely if not entirely defensive position.
• And this completely different reading and understanding of actions and intent creates both friction and risk for all parties that might possibly become involved, which means essentially every nation given our increasingly global interconnectedness.
• I add that much if not most of the US response to China’s actions has been reactive with rooting out system compromising malware and breaking online connections and systems of remote oversight and control. If the United States and its private sector or governmentally controlled systems were to more proactively address this challenge they face, China would almost certainly see that as offense and as a new and escalating source of challenge and threat.
I stated at the end of Part 11 of this series that China faces what it sees as existential threat, and certainly to its current system of government and leadership. What China does in response to that can only be understood when considered from their perspective, and with an understanding of how and why they see themselves facing such fundamental threat. I would divide my thoughts on that into two separate but still deeply connected sets of issues that China sees itself as facing:
I begin addressing that by citing a set of postings on China that I initially developed and presented with their more internal information access and sharing control systems in mind: my series The China Conundrum and Its Implications for International Cyber-Security (see Ubiquitous Computing and Communications – everywhere all the time, postings 69 and loosely following for this 24 part series.) I wrote there primarily about their Golden Shield Project, also known at least in the West as the Great Firewall of China, and how and why they have pursued this approach. As I noted and discussed in that series, China faces a whole series of interconnected challenges that even just individually would be sufficient to bring the country into long-term crisis if not effectively, proactively addressed.
• This includes but is not limited to their rapidly developing population demographics time bomb arising from their one child policy, and how they are rapidly facing a situation in which huge numbers of older citizens will have to be supported in their old age by an increasingly small percentage of their population of working age. And with the added skew towards sons as enabled by prenatal screening, millions and even tens of millions of those working age adults will be men who will not be able to find wives, creating further exacerbating unrest and societal dislocation.
• This also includes environmental challenges and a growing and increasingly known division between haves and have-nots – with the have-nots having to live or die with pollution and corruption that are allowed for the benefit of the haves.
• China’s black market and grey market economies and its widespread corruption throughout its local and provincial governments have to be included here. And this is only a partial listing; I delve into the supporting and explanatory details of this and more in my China Conundrum series.
• My focus there, as far as online communications and organizing were concerned, was on a very organized effort to keep awareness of these and other problems local only, and disconnected from any possible national-level understanding. The basic assumption behind that effort is that if everyone thinks their village or local community is facing these challenges alone, unrest cannot spread.
• But I also planted the roots of this posting’s discussion in that series, when I wrote of China’s need to address these challenges by strengthening its economy and its marketplace position at all costs and by any means. I argued there, for example, that China has adopted a policy of increasing individual wealth, so that those who work can better support those who no longer do, and so that those who no longer work have greater saved resources of their own.
• I more fully developed that part of the larger discussion in follow-up series such as China in Transition (see Macroeconomics and Business, postings 63 and loosely following.)
• If, as a matter of overarching and controlling policy, a government sees economic strength primarily as a zero-sum game, and sees an overwhelming need to capture and hold as much competitive and economic strength as possible to avert disaster, then its defense is going to look very offense-oriented from anyone else’s perspective.
And the second basic line of reasoning and justification for China’s approach to its cyber and related security, stems from its increasing concerns over territorial and natural resource control. That is why China is so adamantly and aggressively challenging Japan over what those countries respectively call the Diaoyu and Senkaku islands in the East China Sea. The islands themselves are uninhabited and essentially uninhabitable at least for capacity to sustain anything like permanent settlements with their own indigenous food and potable water supplies. But whichever country owns and controls those islands also owns and controls the waters off of them, with nationally mandated and internationally recognized control of everything from fishing rights to under water mineral and petrochemical rights. Consider the potential of mining undersea manganese nodules and similarly sited deposits as a new source of mineral wealth and as a way to reduce dependence on foreign sourcing of critically essential mineral and metals supplies.
China’s information gathering incursions have included attacks on governmental computer systems and classified data and information resources at least as much as they have private sector corporate and national infrastructure systems. Knowledge is power here and knowing what possible adversaries in these and other disputes know, and what they think and in advance of any actions taken would bring real strategic value.
China, going back to the first of these two sets of causal reasons for its policy and action, has taken a tremendous interest in power grid SCADA systems in the United States and elsewhere. One concern is that they want to be able to pull the plug on our national electrical systems in the event of perceived acute threat or hostilities of some sort. But an at least equally likely explanation that might very well be under active consideration by China’s leadership for that, is the capture of highly sensitive new control systems technology.
• Current generation power grids effectively connect across regions to load balance for more effective sharing of electrical systems resources. A greater power need in one part of a regional grid can be met from other connected power plants that have what for them locally, is excess capacity at that time. But capacity to smoothly coordinate across networks is limited, and both for range included in any given regional grid, and for fineness of control. Rolling brownouts and blackouts are always a possible concern and become increasingly likely as grid interconnections are expanded over larger service areas and geographic regions.
• Next generation smart grids, actively under development in the West and at development costs that run into the many billions of dollars, are being designed and architected that would allow for and support true national grids, and grids that could much more nimbly and reliably distribute power over very long distances – and these systems are entirely dependent on development and implementation of new artificial intelligence-driven SCADA systems.
• As well as allowing for more efficient systems overall, with much less waste, this would cut down on power plant pollution, both by reducing the need to produce excess power where it is not needed in order to load balance across more local systems, and by making it possible to take less efficient and more polluting power plants off-line.
The country that does this best gains real and significant overall economic and industrial advantage as well as addressing very real quality of life concerns for its citizens. China’s leadership would argue, at least candidly among themselves, that they actively seek to capture this information for defensive and even protective national security reasons and to safeguard their people from societal disruptions and unrest.
I am going to follow this with a next series installment in which I will at least begin a process of connecting together the pieces I have been assembling throughout this and related series as they connect to cyber security. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business. I have also written several series about China’s policies as they relate to this in Macroeconomics and Business.
Information systems security and the ongoing consequences of always being reactive – 11: governments as white and black hat hackers, and the threat and reality of cyber-warfare
This is my eleventh installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-10.)
The focus of interest of this posting is summarized at least in part in its title with the phrase “governments as black hat hackers, and the threat and reality of cyber-warfare.” In a fundamental sense, I have been writing about this topic since before I first started writing to this blog, and from fairly early on in this blog itself. I cite in that regard a series that I ran in this blog starting in December 2010 titled: The China Conundrum and Its Implications for International Cyber-Security (see Ubiquitous Computing and Communications – everywhere all the time, postings 69 and scattered following for its 24 installments.) China by no means holds a monopoly in seeing and pursuing cyberspace as a potential site of conflict, and even as a 21st century battlefield, or in seeing this new and emerging battleground as a source of both defining weakness and strength that could come to dominate the overall outcome of any conflict it becomes involved in.
I began this posting by citing China because that country and its military are currently very actively in the news, as of this writing, with accounts of how military backed and orchestrated cyber-attacks are targeting both:
• Business and industry computer based information systems, with a goal of capturing business intelligence, and
• Supervisory Control and Data Acquisition (SCADA) systems that manage and control key national infrastructure resources such as power grids, telecommunications systems and petroleum and natural gas pipelines.
The concern for the former of these points is industrial espionage on a perhaps vast scale, with redirection of stolen proprietary business information to Chinese industry, and perhaps particularly to the Chinese military’s own vast industrial systems. The concern coming out of realization of the second bullet point is that it looks like the Chinese military is seeking to develop resources in place, that would do nothing and remain hidden in targeted computer systems and networks unless activated – but that could, if successful, cripple and even shut down the backbone infrastructure of the United States and other countries, and if not long-term, then at least long enough to open undefended doors to other forms of attack.
This is all very ominous, but once again, China is not the only country to plan, develop and test in that direction. I began by citing China and its overtly aggressive and confrontational approach, but this is only incidentally a posting about China and its approach to cyber-defense (and cyber-aggression.)
• My goal here is to tackle an issue that is perhaps vitally central to this overall topic, but that is rarely if ever explicitly addressed: the difficulty if not impossibility in drawing a clear defining line between defense and offense in any cyber-conflict, or in any real organized attempt to prepare for its possibility.
I will return to the China story in this, but before I do I want to add one more player to this narrative: the United States.
• China has its Great Firewall, or Golden Shield Project as it is more formally known, managed and run by their Ministry of Public Security, that seeks to monitor and manage online information flow and access within China as a national security objective.
• The United States has a series of agencies and organizations, among them its Federal Bureau of Investigation (FBI) within the Department of Justice and a number of others now organized and run within the purview of the Department of Homeland Security, that seek to identify and stop online criminal activity, and criminal activity in general in the US where organizing or other identifiable information related to it is distributed or stored online. These federal agencies in general hold sway where criminal activity crosses state lines, which is essentially always the case for cyber-crime.
• China has its People’s Liberation Army (PLA). As just one component of its overall cyber-warfare program, the PLA is currently, as of this writing, operating a very active and far-reaching program out of a building in the Pudong New Area of Shanghai, carried out by a group known in the West as the Comment Crew. This is the Second Bureau of the PLA General Staff Department’s (GSD) Third Department, more formally and internally known as Unit 61398, which evidence now shows to have been in operation at least as far back as 2006. It is the now internationally identified source of many if not most of the recent US (and other national) critical infrastructure probings and attacks that I noted in passing at the top of this posting. (The Third and Fourth Departments are both primarily tasked with cyber-warfare planning and execution and are linchpins in carrying out China’s and the PLA’s cyber-warfare policy.)
• The United States has, among other military commands in place for addressing cyber-warfare, its US Cyber Command, with key elements of that joint services unit distributed widely throughout the overall Department of Defense. And its mission is to prepare defensive and offensive capabilities that would help the US address any possible cyber-threat – ideally at least.
Loosely speaking, both countries have separate cyber-intelligence and response operations facing inwardly and with a more civilian focus, and outwardly and with a more military and national defense focus. But given the nature of cyberspace, with its absence of anything like national borders or boundaries, any “inwardly” facing, civilian-oriented program or organization that works in cyberspace is of necessity going to have to work globally too. And given the nature of cyberspace and the threat vulnerabilities that would have to be protected, any “outwardly” facing national cyber-warfare defense program is going to have to look and connect inwardly too, as there is no clear boundary or border that an enemy would have to cross in launching a cyber-attack within the country.
China’s Ministry of Public Security and their People’s Liberation Army each jealously guard their own turf, cyber-turf definitely included, from incursion by the other. Both are controlled in a byzantine manner by the Chinese Politburo, and more particularly by its Standing Committee.
In the United States, inwardly and outwardly facing organizations responsible for key portions of the overall cyber-defense system are legally separated too: the Central Intelligence Agency (CIA), for example, is barred by statute from domestic law enforcement and internal security functions, while the FBI focuses on crime that directly impacts upon or arises within the United States or its territories. But in cyberspace, when operating online and tracking and interacting with others online, it can be difficult or even impossible to know where everyone involved is actually, physically located, and certainly not in anything like the real time in which that would matter.
So far I have noted some of the organization level players in this for the People’s Republic of China and for the United States, and how they are organized at the highest, most general levels as to their missions and areas of focus. China, I will add, has come to be widely seen as one of the largest by volume sources of cyber-attack and cyber-crime in the world today so this topic really does fit into this series. And with this background information in place I come back to my goals bullet point as repeated here, from above:
• My goal here is to tackle an issue that is perhaps vitally central to this overall topic, but that is rarely if ever explicitly addressed: the difficulty if not impossibility in drawing a clearly defining line between defense and offense in any cyber-conflict or in any real, organized attempt to prepare for its possibility.
I am going to look in at least some detail into what that means in my next series installment, with the US and Chinese governmental systems touched upon here, and their activities, as working examples for explaining the why and how of this observable confusion. And in anticipation of that: on the China side of this story, I will at least begin a discussion of how and why the Beijing government sees its approach to cyberspace and online information as defensive, and even as a response to an emerging existential threat, while the US government and others see its decisions and actions as offensive in nature and as indicators of systematic repression. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 10: publically sharing vulnerability information between businesses and communities
This is my tenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-9.)
I have, up to here in this series, been discussing reactive and proactive approaches to information and cyber-security, and the process of developing security in depth, with a layered security systems approach. As a part of that and in the context of proactive security approaches, I have also raised the issue of social networks as organizing and enabling systems for black hat hacking and malware as a for-profit industry, and how understanding and acting upon those networks as criminal enterprises could cut back on the volume of cyber-threats that have to be identified and addressed (see Part 8: moving towards proactive controls 6.)
• One of my primary goals for this posting is to discuss a need for a more organized business, government and white hat hacker social network, as effectively shared knowledge is essential for making possible any real response to cybercrime and its threat.
• Who would participate in this network? I would argue that participation needs to be open and widespread for it to effectively work, but that certain key players would drive this network, exactly as occurs for black hat hacker and cyber-criminal networks that organize, monetize and develop profit from their activity.
So this posting is, in fact, about developing a more robust “good guy” response to the malware and related social network as it impacts upon individuals everywhere as they go online, and on legitimate businesses and organizations as they seek to connect with marketplaces and consumer communities to conduct business.
I discussed the black hat and cyber-criminal social network as their industry enabler in terms of a basic social networking taxonomy that I have found generally useful (see Social Network Taxonomy and Social Networking Strategy.) This offers a networking systems model based upon social networking strategies that different types of participants employ when deciding who to network with and how fully to do so.
• For black hat social networks, with their business facilitation functions and their for-profit-driven motivations for connecting,
• Major commercial participants such as malware producers and distributors, or aggregators and sellers of individual personal information useful for identity theft, would be expected to be among the most widely connected and actively involved social network participants.
• But any complete listing of most-active social networking participants in this would also include more actively involved buyers and consumers of this industry’s products and services, and facilitators too: individuals and groups who bring people together and in some cases collect what amounts to finders’ fees from bringing buyer and seller together.
Who should be the most active and connected members of a white hat social networking-facilitated counterpart to this? A partial listing here might include, and I add would actively require, committed participation from:
• Private sector organizational participants such as The Open Web Application Security Project (OWASP) and the Ponemon Institute that serve as best practices clearing houses and training resources,
• Governmental and non-governmental organization (NGO) participation, and for governmental organizations in particular this would mean sharing highly organized, vetted information in unclassified format and with much prompter and more timely determination as to what can be so released than is currently in place. The more delayed a release of essential information as to new and emerging cyber-threats and related issues, the less beneficial it can be – delayed information is essentially always going to be information that arrives too late to make a positive difference for this.
• For-profit businesses such as security software developers and providers. Once again, timely sharing of information by them is vital. I am not writing here about any antivirus software manufacturer, for example, sharing proprietary algorithms developed to respond to new and emerging computer virus threats. I am writing of the need for all organizations involved to share information on new threats and threat variations as they are found. And I am noting here the very real need for all involved in this network to quickly and fully share information when new threat sources are identified so they can be collectively responded to.
• This would mean reactively responding to what black hat networkers do and to their active ongoing flow of vulnerability exploits attempted. But it would also mean proactively identifying new participants in their business-driving social networks and online commerce systems, who have risen to visibility from their levels and types of activity there.
• And an effective white hat network would also more actively include a self-selecting group of independent cyber-security consultants and others who actively connect in and share insight, and who help facilitate networkers to find each other, and both for reporting new vulnerabilities and threats to them and for sharing best practices for preventing, or at least limiting harm.
As a basic principle, viewing this system from a broader perspective:
• This white hat social network has to be as active, agile and quick as the black hat network that is already in place, and as the online cyber-criminal industry that network enables, if it is to succeed in significantly impacting information and cyber-security threats and cutting back on the levels of cyber-crime faced.
• And I write this fully aware of the role that natural selection would play in this, with the culling out of the slower and less effective of the black hat and cyber-criminal community while leaving the smarter, more clever and more agile to continue on.
• So I acknowledge that what I propose here would simply ratchet up the pressure driving what is already an evolutionary arms race. But at least the slower and less effective would be reduced in number so the overall level of threat volume faced would drop, leaving more resources available for identifying and focusing on the more serious threats.
I am going to turn in my next series installment to consider the growing role of governments as black hat hackers, and the threat and reality of cyber-warfare. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 9: developing a more proactive layered defense approach
This is my ninth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-8.)
I began this series with a brief and selective discussion of our current primarily reactive approaches to information and cyber-security, and then moved from there to at least outline a possible avenue for moving towards more proactive systems that would more fully address current and emerging risk management needs. My goal for this posting is to in effect tie all of this together, with a more explicit discussion of layered and protectively overlapping and redundant security mechanisms and systems. And I at least begin any such discussion from the fundamentals and through construction of a basic conceptual framework, which I would at least generically outline as follows:
• Vulnerabilities and exploitation of them are always going to be a possibility, so it has to be assumed that with time, security breaches will occur and for any information systems or cyber-security mechanism in place.
• So the goal of any effective systems-wide approach to security should be to block any successful intrusion through one defensive mechanism with the protective barrier of another, one that does not share the vulnerability just exploited with the now failed mechanism it is serving as back-up to. Two layers that fail to the same exploit are, for that attacker, one layer.
• And when a layer breach does occur, a red flag warning should go out that this has happened and any vulnerable networked computers or subsystems should be firewalled off to limit possible systems-wide exposure.
• This would, of course, be followed by a thorough damage assessment audit and review, and a best practices assessment and review for preventing a repeat occurrence, there or elsewhere in the overall system, of at least this type of breach and from this type of exploit,
• And hopefully at least with some generalization of the new protective coverage developed in response to this incident, beyond simply addressing this one now narrowly-identified vulnerability.
That, of course only addresses one part of this overall problem. The outermost defensive layers would all be proactive, and the outermost of them would go outside of the computers and networks under protection, in identifying and tracking the sources of problems before they explicitly, directly strike. That is where social media-oriented threat identification and tracking, as discussed in this series, enters here. The innermost defensive layers that would come into play when unexpected and novel exploitations breach previously unidentified vulnerabilities would of necessity be reactive:
• In limiting range of exposure and impact at the time of a security breach,
• In identifying and developing blocking responses to the threat sources in play there,
• And in understanding the nature and scope of the breach and of the attack that caused it so as to limit and remediate consequential damage.
So for example, if a breach were to expose personally identifiable information such as social security numbers or credit card information, it is vitally important that anyone so affected be identified, notified and protected from consequences of illicit use of their information for identity theft or credit card theft.
• Realistically, the goal here can never be to make security breaches and loss of information and computer systems control impossible. It has to be in making this much more difficult and much more quickly identifiable when it does happen, so the extent of exposure and vulnerability can be limited.
• In this, the goal should be to filter out all but the most disruptively new and innovative of attacks with proactive security systems, and with reactive approaches only actively engaged where necessary and as a last resort – never simply as the only resort where they quickly become overwhelmed.
I am going to end this posting with a final note in which I return to that most ubiquitous and vulnerable face to any information or computer-based information management and storage system: the human user and their actual day to day practices. I have already written in this series about how people take short-cuts and bypass security – and even when they intellectually know that this creates real risks. Many and in fact most people do this right but all it takes is one who does not, and a black hat hacker has a potential route in, ready to be exploited.
I am more specifically going to end this by considering one of the commonest and most significant generally encountered sources of loss of information control coming from that direction: where people with permissions and legitimate access to sensitive information lose control over it in their possession through carelessness, such as the loss of a laptop computer left in plain sight on the front seat of their car when they park it to go into a store for a few minutes. No security system can eliminate carelessness, even when training is offered to all employees who have secure information access, with refresher training to keep the message up-front for them. But it should always be possible to preemptively encrypt the hard drive of every work computer, desktop or laptop, for these employees, so that even if that computer is stolen, its contents have that layer of protection. USB ports on desktops can be blocked at the driver software level from accepting flash drives, to limit employees taking this information home with them to work on their own computers. Protective layers can be added to cover for ill-considered human decision making and actions. And to cite one of many possible operational scenarios, if someone tries to access information on a laptop without signing in properly, that computer can be set up to seek out any nearby available wired or wireless router to phone home with a breach warning and its GPS location and IP address. If this call-home app were installed as a “white hat worm,” that tracking capability could spread to any other computers this information is copied onto, revealing their locations too. One caveat a practitioner would add: a self-propagating agent is itself malware from the point of view of every system it spreads to, and carries the same legal and operational risk as any other unauthorized code, so in practice that tracking should stay confined to devices the organization itself manages. There are almost always creative ways to reach out to the attacker and bring a security response directly to them, and what I suggest here is only one simple variation of a more generally applicable approach.
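As an added example, not code from the original posting, here is how two of the endpoint controls described above can be audited and, if wanted, enforced on a single Windows 10/11 workstation from PowerShell: full-disk encryption of the system drive with BitLocker, and disabling the USB mass-storage driver so flash drives do not mount. It assumes an elevated session on a Windows Pro or Enterprise edition where the BitLocker module is present; the phone-home capability described above is not shown.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# full-disk encryption and USB mass-storage blocking on a Windows workstation.
# Assumptions: elevated PowerShell session; BitLocker module available.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Start = 3: the USB mass-storage driver loads on demand (flash drives mount).
    # Start = 4: the driver is disabled, so USB storage devices will not mount.
    # Keyboards, mice and other HID devices use a different driver and are unaffected.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    [pscustomobject]@{ Start = $start; Blocked = ($start -eq 4) }
}

function Get-SystemDriveEncryptionState {
    # ProtectionStatus is 'On' only when the volume is encrypted AND a key
    # protector is active; a suspended volume reports 'Off' even if encrypted.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        Encrypted        = ($vol.ProtectionStatus -eq 'On')
    }
}

$usb = Get-UsbStorageState
$enc = Get-SystemDriveEncryptionState

Write-Host ("USB mass storage blocked : {0} (USBSTOR Start={1})" -f $usb.Blocked, $usb.Start)
Write-Host ("System drive protected   : {0} ({1}, protection {2})" -f $enc.Encrypted, $enc.VolumeStatus, $enc.ProtectionStatus)

if ($Enforce) {
    if (-not $usb.Blocked) {
        # Disable the driver; devices already mounted stay until they are removed.
        Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
        Write-Host 'USBSTOR driver disabled.'
    }
    if (-not $enc.Encrypted) {
        # TPM protector: the disk is unreadable when pulled from this machine.
        # Recovery password protector: what the help desk needs if the TPM or
        # boot configuration changes. Escrow it (AD, Intune, a vault) before reboot.
        Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
        Write-Host 'BitLocker enabled on the system drive; escrow the recovery password now.'
    }
}
```

Run it without arguments to get a report, and with `-Enforce` to apply the two settings. In a managed fleet the same two controls would normally be pushed by Group Policy or an MDM profile rather than per machine, but the checks are the same: a laptop whose system volume reports protection Off, or a desktop whose USBSTOR Start value is not 4, is the one sitting on that car seat.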
I am going to follow this posting with what as of now, at least, I see as the last entry of this series. I have been posting so far about reactive and proactive approaches to information and cyber-security, and about specific security mechanisms and processes and combining them into layered defenses. Making any of that work depends on knowing when and where security breaches actually take place on similar computer and information systems, and on what vulnerabilities and attack approaches have been identified. But businesses and individuals alike have been loath to share any information on when and how they have lost control of their computer systems and information resources, so next victims of a same vulnerability exploitation can find themselves viewing it as if it were new and novel. I am going to write in my next series installment about open sharing of this information and its pros and cons, and about building effective vulnerability and protective solution information into shared system owner resource systems. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 8: moving towards proactive controls 6
This is my eighth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-7.)
I primarily focused in the first six installments to this series on computers and networked computer systems that have to be protected from outside intrusion. I then turned in Part 7 towards the people who produce and distribute malware, pursue behavioral engineering attacks and behave as black hat hackers, arguing a case that any proactive information and cyber-security system has to go to the source of the problem as well as addressing its more symptomatic side and the specific security exploits launched. And at the end of Part 7 I added that I will look into that from the perspective of a social networking taxonomy and in terms of social networking connection patterns and strategies. I am going to do that as the primary topic area for this posting, but before I do so I would set the stage for it by putting a social networking approach to information security into perspective.
• Modern black hat hacking and malware production, distribution and use are all driven very strongly by a profit motive,
• And are organized around marketplaces in which personal information useful for identity theft, access to botnet resources and a wide range of other products and services are bought and sold.
• These marketplaces are essentially all run online, and both as a route to global connectivity, and as a means of firewalling participants from direct contact with other participants for their individual and collective protection.
• Many if not most of these participants would be expected to connect into these online markets through anonymizer servers and other surreptitious routes to hide their true identities and locations. But ultimately, every participant in these systems does have to connect in and they have to do so at some point from their own computers and through standard network connections.
And this is where these details become really interesting from a security perspective.
• In order for the web sites, social networks and other online venues involved in this industry to work, people who would do business in it have to find them. If the dynamics of this trade were to change in ways that meant that online connectivity and business transaction resources could only very transiently be up before being switched or compromised, traffic flow into them and business conducted through them would become a lot more limited, and the overall scale of the cyber-crime problem would be reduced. Then even more strictly reactive security systems would do better – this would positively impact cyber-security at all levels.
• One route to achieving that would be for white hat hackers and information and cyber-security professionals to more effectively tap into the social networks in place, where information on how and where to connect into these business sites is shared.
• This would help both for identifying where black hat products and services are being bought and sold, and in what volumes, and precisely what is being offered on the market. And this would also open up new avenues for identifying who is involved in this trade and in what ways.
And this is where an understanding of the structure and dynamics of social networks per se offers real and valuable insight into the cyber-security problem. And with that I turn to one of my more fundamental postings in this blog, relevant to social networking and business: Social Network Taxonomy and Social Networking Strategy.
• Some of the most important participants in the social networking and business oriented connecting in this industry almost certainly maintain a very low profile individually and personally, and only connect very selectively and with a few individuals.
• But the bulk of the work of organizing and managing these web sites and other venues involved in this, and getting word out to prospective customers and business partners as to industry activity, would be carried out by highly connected individuals.
• Spotting those individuals and identifying their online footprints and activity is key to bringing a proactive approach to cyber-security to the black hat hacker community itself, the community that comprises this industry.
I write in my social networking taxonomy paper of:
• Hub networkers – people who are well known and connected at the hub of a specific community with its demographics and its ongoing voice and activities.
• Boundary networkers or demographic connectors – people who may or may not be hub networkers but who are actively involved in two or more distinct communities and who can help people connect across the boundaries to join new communities.
• Boundaryless networkers (sometimes called promiscuous networkers) – people who network far and wide, and without regard to community boundaries. These are the people who can seemingly always help you find and connect with someone who has unusual or unique skills, knowledge, experience or perspective and even on the most obscure issues and in the most arcane areas.
Think of the cyber-crime industry as being divided into specialty communities that work together as what amounts to a small business ecosystem, with community groups that produce and test out, and sell computer viruses, or worms or rootkits, groups that specialize in designing and carrying out phishing and spear phishing attacks, botnet herders and others who function in that arena and more – and with overlap and interaction where for example one person or group might produce the software that would allow a botnet specialist to capture control of personal computers, and another might buy that and use it to actually assemble and manage botnets. And one group might develop and own a centrally controllable botnet or suite of them and rent out or sell access to these resources to customers much as businesses rent cars or hotel rooms. Or one individual or group might run a phishing campaign to capture personally identifiable information from computer users, and then sell this information as bundled packages at so much per identity on what amounts to an open market.
The goal of identifying and tracking, and mapping out the social networks that organize and enable this industry can best be reached by identifying and tracking that small percentage of its overall socially networked community that in effect drive the network and hold it together as its hub, boundary and boundaryless networkers. And I add that any less connected but still central figures in this social network are in most cases going to be connected actively to just a few individuals – but virtually all of them will be high-value connectors.
I am going to step back in my next series installment to look at cyber-security from a broader perspective, and as a multilayered approach, in which all of the elements and systems discussed so far would play active roles. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
Information systems security and the ongoing consequences of always being reactive – 7: moving towards proactive controls 5
This is my seventh installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, posts 189 and 190 for Parts 5 and 6.)
Up to here in this series I have primarily focused on computers and networked computer systems that would be protected from outside intrusion. My goal for this installment is to redirect my focus outward towards the people who produce and distribute malware, pursue behavioral engineering attacks and behave as black hat hackers. In a sense I began this when I first started writing to this series, in Part 1. I wrote there about how early malicious hackers were primarily motivated by a competitive drive to show their computer knowhow and prowess to their peers, and how they collectively formed a technology aware and involved subculture. Monetary gain was not considered a primary goal – just gaining access and finding paths in through the security systems in place.
Then, as also noted in Part 1, that all changed as criminal elements driven by profit motive began to move in, and as they came to dominate the black hat hacker community. As online commerce and other sources and streams of wealth began moving online, so did people who would surreptitiously tap into that and steal value from it. Information available online was becoming increasingly valuable, and through approaches such as identity theft and for business intelligence of all sorts. And access and control of computer systems was becoming increasingly valuable in and of itself too. Botnets come immediately to mind there but they represent only a part of this bonanza of potentially available value. And to round out the relevant points that I noted in Part 1 that hold specific bearing here, this new profit motivated black hat hacker community, like its earlier technology prowess-driven hackers, formed a complex social system with members holding differing levels of position in a social hierarchy, and an economic hierarchy too. Black hat hackers formed a loosely defined and fluid, but very real community, and both for purposes of business and profit, and for establishing personal reputation and bragging rights.
• And an online marketplace formed around this phenomenon,
• With commoditized access to proprietary and confidential information, and access and control of computers and network resources the primary products marketed and sold.
This might mean bootleg software, or warez as it is sometimes called, or it might mean individual credit card information or even full packages of personal information that would be used for more comprehensive identity thefts. Or this might mean any of a broad and expanding range of business intelligence resources that can be used to turn a profit, either directly or through extortion and threat of disclosure and use. And of course, along with this software and data side to this marketplace there is also a hardware market, with access to and use of botnets and related resources as marketable offerings too. Sometimes these resources are sold at fixed, if competitive, rates, and sometimes they are sold at auction for whatever the market will bear, then and there and for those participating in the mostly online bidding.
• A big part of proactively addressing malware and black hat hacking in general, as a risk management initiative has to involve directly addressing the vulnerabilities that are being exploited, and with a goal of identifying the types and areas of vulnerability that will be exploited next.
• But just as big a part of actively, proactively addressing this problem has to come from looking outside of the systems at risk themselves, and towards those who generate and spread that risk.
• And that is an aspect of this overall problem where new approaches are needed, as much as anywhere else in breaking out of the reactive cycle and always playing security and risk remediation catch-up as a losing proposition.
I find myself thinking back several years as I write this, to early conversations about how the New York City office of the FBI always had one or two of its agents stationed in Romania. When the USSR broke up, a number of its KGB and related employees who were tasked with information systems infiltration and compromise, joined the rush towards free market enterprise by turning to the emerging opportunities of cyber-crime. And much of this activity flowed to, or at least through Romania and the remnants of the old Romanian KGB (see Romania and North Korea – a brief tale of two generations for a part of that story.)
FBI agents in the United States, going through US courts and court processes, faced longer delays in obtaining warrants allowing them to legally look at and into apparent online criminal networks and activity than their counterparts in a now post-Communist Romania. So when online criminal activity was being directed towards the United States and arriving there by way of Romania – in general coming from those new post-Communist online criminals – agents could move faster if they were in Europe and dealing with the courts and laws there. This was seen as a real breakthrough, and in many ways it was. But setting aside the very real value of developing stronger international agreements and working relationships between law enforcement agencies for confronting cyber-crime as a global phenomenon, this was still a strictly reactive response, even if a faster one. It was still just another variation on attempting to improve security by doing away with the built-in and accepted delays of a once-a-month Patch Tuesday release date system for sending out software patches and updates for vulnerabilities that had already been found and in many cases already been exploited.
• Any more proactive approach that would be directed towards identifying and acting in regard to the people and networks that cause cyber-crime is going to have to come from developing a fuller understanding of the cyber-criminal social networking and commerce systems in place, their social and functional dynamics, and the structures and connections of these social networks.
• There, black hat hacking and proactively addressing its challenge can be seen as a problem in characterizing, modeling, tracking and predictively responding to business social networks, and knowable patterns of connection and interaction in them.
I am going to address at least a portion of that challenge in my next series installment, where I will, as a foretaste, start from a basic taxonomic model as to how social networks organize and function (see Social Network Taxonomy and Social Networking Strategy.) Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.