- BlogInfoSec.com - https://www.bloginfosec.com -

Protecting the Critical Infrastructure: Beware of Crimeware

I first became involved with U.S. critical infrastructure protection in the late 1990s when I joined others in the Banking and Finance Sector to form the FS-ISAC (Financial Services Information Sharing and Analysis Center) [1]. This is how it happened.

In the 1998 timeframe, John Lauria, a colleague at Pershing, who was very active in the Securities Industry Association (SIA), now SIFMA [2], learned that the SIA was setting up an Information Security Committee. He put my name forward as a candidate for membership and so my professional service to the industry and the country began.

Steve Katz, CISO at Citibank, attended one of the early SIA meetings and suggested that a delegation from the securities industry attend the next meeting of the Banking and Finance Committee Coordinating Council, for which he was the sector coordinator. And so, in the spring of 1999, our delegation made its way to Washington, D.C. There we were treated to inspiring presentations by Treasury Secretary Robert Rubin [3], as well as by Richard Clarke [4] of the National Security Council [5]. Both advocated public-private collaboration. It was explained that we had to comply with the 1998 Presidential Decision Directive [6] (PDD) 63 calling for the securing of the Nation’s critical infrastructure. Among its recommendations, PDD-63 advocated the forming of ISACs. I joined the Information Sharing Working Group, chaired by Stash Jarocki of DTCC [7], which established the FS-ISAC, the first such entity of its kind and a model for future ISACs both at home and abroad. Treasury Secretary Lawrence Summers officially launched the FS-ISAC in October 1999 in advance of Y2K.

The FS-ISAC has thrived and institutional membership has grown significantly. It remains the primary provider of industry alerts concerning security threats, exploits, vulnerabilities and incidents.

While this was certainly a major positive step at the time, the threat landscape has clearly changed radically since the turn of the century. The preponderance of “bad guys” has moved from recreational hackers wanting to show off to their peers, to organized criminals looking for financial gain and to terrorists intent on destroying our way of life. These evildoers are evolving their cyber weapons faster and more effectively than we appear to be strengthening our defenses.

In a new book, Crimeware: Understanding New Attacks and Defenses [8], Markus Jakobsson and Zulfikar Ramzan lay out in disturbing detail the threats that our Nation and economy are facing. The book chronicles and validates what we have read in the press, namely, that the attackers have evolved into profit-seeking fraudsters and destructive terrorists. Certainly the hackers’ tools have been refined to enable fraud and loss of confidence on a massive scale.

Jakobsson and Ramzan invited leaders in their fields to expound upon what they know best. So, for example, we are treated to “a taxonomy of coding errors” by application-security pioneer Dr. Gary McGraw of Cigital. Other topics include crimeware as it relates to firmware, small devices, peer-to-peer networks, browsers, and so on.

But unquestionably the most disturbing chapter in the book is the last one on “The Future of Crimeware.” In it the coeditors look to what might be in store for us. Variously called “terrorware,” “vandalware,” and “ransomware,” these crimeware-type exploits threaten the very foundation of our economic wellbeing and political system. This is really serious stuff. Admittedly Secretary Chertoff [9] indicated earlier this year that his Department of Homeland Security [10] is planning to make major investments in cyber security. However, the bad guys are not waiting until we have our ducks in order. We needed effective defenses yesterday. Perhaps this book will raise consciousness of the imminent dangers and make the call to action more urgent and vociferous.

In my article “Cybersecurity and the Critical Infrastructure” in the May-June 2006 issue of the ISACA Information Systems Control Journal [11] (subscription needed), I stress the importance of the private sector’s taking ownership of its share of the problem. By far the largest part of the critical infrastructure is in private hands. Therefore we cannot rely on government alone to protect our interests and our livelihoods.

The bad guys appear to be pulling ahead in the cyber arms race. Crimeware is evolving rapidly. So must our countermeasures. Jakobsson and Ramzan demonstrate how vulnerable we really are and what countermeasures we might invoke. It is time for us to take these warnings very seriously and do what it takes to secure our futures.