Business Report

A Closer Look at Cyber Survival

Industry guide: resources and upcoming events.

OUTSIDE READING

“Avoiding the Top Ten Software Security Design Flaws”
By Iván Arce et al.
The IEEE Center for Secure Design, August 2014

Part of the IEEE’s Cybersecurity Initiative, this handbook features some of the leaders in academia and industry identifying the most common areas of vulnerability for software in an effort to promote stronger, more resilient systems.

The authors point out that a great deal of effort in information security is devoted to finding implementation bugs, rather than recognizing and correcting fundamental flaws in design. The 10 sections address topics such as user authentication, the separation between code and data, comprehensive data validation, and the proper use of cryptography, providing tips and describing best practices.

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
By Marc Goodman
Doubleday, February 2015

In his new book, Marc Goodman, an investigator and security advisor who has worked with Interpol, the United Nations, NATO, and the LAPD, details how throughout history organized criminal and terrorist enterprises have consistently been the earliest adopters of new technologies, leaving police, politicians, and the rest of us always a few steps behind. In today’s interconnected world, it has never been easier for tech-savvy criminals to attack vulnerable organizations and individuals, often without needing to move from behind their computer screens halfway around the world from their victims. And just as law enforcement begins to infiltrate hacker networks and online terror cells, the author warns, these individuals are already learning to exploit next-generation technologies like robotics, virtual reality, 3-D printing, and synthetic biology.

Executive Order Promoting Private Sector Cybersecurity Information Sharing
By Barack Obama
February 2015

In the wake of the cyberattack against Sony Pictures that crippled the studio in November 2014, President Obama issued an executive order calling for greater coöperation in sharing information about cybersecurity risks, both within the private sector and between industry and government. At the first White House summit on Cybersecurity and Consumer Protection, held at Stanford University in February to coincide with the issuing of the order, Obama said, “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.”

“A ‘Building Code’ for Internet of Things Security, Privacy”
By Greg Shannon
InformationWeek’s DarkReading.com, March 2015

This post from the chief scientist for the CERT® Division at Carnegie Mellon University’s Software Engineering Institute argues for the development of new standards to make wearable and implanted medical devices as secure as possible from interference and snooping. Shannon argues that because these devices are often small and low on power, with limited processing capabilities, they present some unique challenges in preventing cyberattacks. Another problem involves devices that, with FDA approval, can continue to be used regardless of security vulnerabilities.

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
By Bruce Schneier
W.W. Norton, March 2015

Bruce Schneier surveys the terrain in the post-Snowden world in his provocative new book. After giving numerous examples of just how much personal information businesses and governments can collect about us from our mobile phones and our social-network posts, and the uses and misuses to which that data can be put, he offers a road map to reform. While most readers will accept that lines have to be drawn somewhere, Schneier’s proposal that companies with access to vast databases of personal information should face heavy government regulation may be a harder sell.

Cyber-Espionage Nightmare
By David Talbot
MIT Technology Review, July/August 2015

MIT Technology Review’s senior writer gives the story behind last spring’s federal indictment of five Chinese military hackers accused of economic espionage against six U.S. companies, including Westinghouse, U.S. Steel, and Alcoa. It was the first such case brought against the perpetrators of state-sponsored cyber-espionage, and the article explores how it has affected relations between the two countries and brought into the open the sort of computer security vulnerabilities that private companies rarely acknowledge in public.

“How to Implement Security after a Cyber Security Meltdown”
By Christina Kubecka
Black Hat USA, August 2015

In one of the most anticipated talks at last year’s Black Hat security conference, information security consultant Christina Kubecka offered an inside perspective on how one company dealt with one of the largest cyberattacks in history. During Ramadan 2012, an unknown group of hackers calling themselves the “Sword of Justice” released a virus into the computer networks of Saudi Aramco, the world’s largest oil company, wiping out the data on over 30,000 workstations. The swiftness and vast scale of the attack forced the state-run company to go completely offline to contain the threat and rebuild most of its IT infrastructure from the ground up.

Securing Today’s Data Against Tomorrow’s Quantum Computers
By Tom Simonite
TechnologyReview.com, August 3, 2015

Ever since 1994, when Peter Shor developed a quantum algorithm that could break the form of encryption most commonly used to protect data online, security experts have known that new protocols would be needed once scalable quantum computers became a reality. For a long time this has been seen as a distant prospect, but this article from MIT Technology Review’s San Francisco bureau chief shows how Microsoft is getting a head start. A research project there succeeded in upgrading the encryption protocol that secures the Web so that it’s able to resist quantum attacks.

“A Riddle Wrapped in an Enigma”
By Neal Koblitz and Alfred J. Menezes
International Association for Cryptologic Research, October 2015

In August 2015, the National Security Agency published an update online of its plans for moving to quantum-resistant algorithms. While the mere fact that the primary U.S. spy agency saw the arrival of practical quantum computing as imminent made headlines, the NSA also tipped its hand that a type of quantum-resistant algorithm it had once championed, known as elliptic curve cryptography, “is not the long-term solution many once hoped it would be.” This paper from two well-respected academic cryptographers speculates about what this about-face means and whether the NSA knows something about these widely used algorithms that the cryptography community doesn’t.

CALENDAR

SANS Cyber Threat Intelligence Summit
February 3–10, 2016
Alexandria, Virginia
www.sans.org/event/cyber-threat-intelligence-summit-2016

RSA Conference
February 29–March 4, 2016
San Francisco
www.rsaconference.com/events/us16

Black Hat Asia
March 29–April 1, 2016
Singapore
www.blackhat.com/asia-16/

IAPP Global Privacy Summit
April 3–6, 2016
Washington, D.C.
https://iapp.org/conference/global-privacy-summit-2016

InfoSec World
April 4–6, 2016
Lake Buena Vista, Florida
http://infosecworld.misti.com/

IEEE Symposium on Security and Privacy
May 23–25, 2016
San Jose, California
www.ieee-security.org/TC/SP2016/

Infosecurity Europe
June 7–9, 2016
London
www.infosecurityeurope.com

Black Hat USA
July 30–August 4, 2016
Las Vegas
www.blackhat.com

DEF CON
August 4–7, 2016
Las Vegas
www.defcon.org

USENIX Security Symposium
August 10–12, 2016
Austin, Texas
www.usenix.org/conference/usenixsecurity16