MAPPING day 2: fixing things when they go wrong, the need for perspective management and more besides

[Image caption: Ever wondered what happens to your data when it ends up in one of these?]
The next speaker in today's MAPPING Assembly was responsible for fire-fighting when security emergencies occur and need a swift, effective response. Coming from a small country that did not actually do anything bad on the internet but presumably outsourced its data crises and security leaks to larger, more technically ambitious countries, the speaker listed some of the things that can upset the serenity of the internet, such as sinkholing, keylogging and malware infections [at this point this blogger wonders whether someone out there has been attacking Google.it, which appears to be on a go-slow this morning and has shown a marked reluctance to find things ...].

The speaker then reviewed the effect on his jurisdiction of the recent Heartbleed bug. Experience of this incident demonstrated that ISPs have an important role to play in helping their users to preserve security. Indeed, any halfway competent ISP will know who is using its service, who is sending out bulk emails and spreading spam, and so on. Any software put out for consumer use should already be configured for security, he added: it should not be necessary for consumers to do the job themselves, though there is a discussion as to whether secure settings should be the default or merely an option. If unsafe software were, for example, infected meat, national governments would be swift to prevent its importation, so why should software be treated differently? The comparison is not as strange as it seems: much medical equipment, for example MRI scanners, is software-driven, and if it is insecure or cannot be operated properly it can be dangerous. At any rate, it is axiomatic that all software supplied to Europe for use in Europe must be subject to European legal standards, notwithstanding that it may be compliant with its own home-grown legal standards.

[Image caption: Not all intruders are so conspicuous ...]
Defence of networks was next discussed. This is crucial since networks are being attacked on a daily basis. Attacks must first be detected before they can be defended against. The appearance of a new member of the network must be identified, as must the "mother" address, the rendezvous point with which the attacker or intruder communicates. Attackers try to copy the normal communication patterns of legitimate users, and to use the same websites, in order to make themselves look less conspicuous. Attackers will also be active when other network users are, rather than all by themselves in the middle of the night. Some will even communicate via channels such as Twitter. Encryption is helpful in the face of intrusive attacks, but more is needed: any diligent company should keep looking for signs that someone else has penetrated its network, and this is best done by looking at the messages sent out from it, particularly where they match the behaviour of known malware. NetFlow, which tells you which routers are talking to which other routers, is also a useful source of information here.

Finding evidence of new attacks is difficult, the speaker concluded, because you may be looking for something that hasn't yet happened and it can be tricky to discern relevant threat-related data from the noise that a network might in any event be generating.
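As an added example (not from the talk or this post) of the outbound-traffic check described above, the script below runs two simple detections over constructed NetFlow-style records: it flags a source address that is not in the host inventory (a "new member" of the network) and any (source, destination) pair contacted at a near-constant interval, the rendezvous traffic a beaconing implant produces even when it hides inside working hours. The host inventory, addresses and flow records are all constructed for illustration.

```python
"""Two defender-side checks over NetFlow-style records (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed host inventory: the addresses the network owner expects to see.
KNOWN_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# Constructed flows: (timestamp in seconds of day, src, dst, dst_port, bytes).
# Ordinary web traffic from known hosts between 09:00 and 09:10 ...
FLOWS = [
    (32400, "10.0.0.11", "93.184.216.34", 443, 5120),
    (32410, "10.0.0.12", "93.184.216.34", 443, 7300),
    (32700, "10.0.0.11", "151.101.1.69", 443, 2100),
    (32750, "10.0.0.13", "93.184.216.34", 443, 900),
    (33000, "10.0.0.12", "151.101.1.69", 443, 4100),
] + [
    # ... plus an unlisted host (10.0.0.77) contacting one external address
    # roughly every 300 s during the same working hours, with slight jitter.
    (32400 + 300 * i + 5 * (i % 3), "10.0.0.77", "203.0.113.5", 443, 480)
    for i in range(10)
]


def new_hosts(flows, known):
    """Sources that appear in the flows but are absent from the inventory."""
    return {src for _, src, _, _, _ in flows if src not in known}


def beacon_candidates(flows, min_flows=5, max_jitter=0.1):
    """(src, dst) pairs contacted repeatedly at a near-constant interval.

    A pair qualifies when it has at least ``min_flows`` flows and the
    standard deviation of the gaps between them is at most ``max_jitter``
    times the mean gap. Returns {pair: mean_gap_seconds}.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        stamps_by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    print("unknown sources:", new_hosts(FLOWS, KNOWN_HOSTS))
    print("beacon-like pairs:", beacon_candidates(FLOWS))
```

On real exports the same logic would be fed from the collector's flow records, with the inventory drawn from the asset register rather than a hard-coded set.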

In discussion, participants mentioned the exponential growth of reported computer fraud, which has taken place at a time when calls for greater information-sharing are still being made. The main issue here is not just computer security but perception management: politicians' awareness is low and there are no votes in cyber-crime, of which consumers are insufficiently aware. Meanwhile, the potential profitability of data exfiltration and the low risk of detection make it an attractive proposition. Against this, insurance against cyber attacks is increasingly tied to meeting acceptable security standards, and businesses are running ahead of governments in protecting their data, since their money depends upon it. Raising awareness among SMEs and start-ups is the wrong place to start: what they want is to be able to buy safe off-the-peg software that they can trust, rather than having to invest in developing their own protection.

A further speaker, representing the police, urged the audience to trust the police, which, in his jurisdiction, was guided in all operational matters by the provisions of the European Convention on Human Rights and data protection legislation. Some police action involves surveillance, but this requires (i) authorisation and (ii) justification before the court when evidence obtained by means of it is placed before that court. Enforcement is difficult, he said, since courts struggle to understand the technical issues involved: the courts are struggling to deal with even matters such as online pornography. In addition, most internet-related crime spans jurisdictions and is therefore expensive and impractical to pursue.

Another speaker, who had worked for an international military alliance, spoke of cyber-security in various contexts, conceding that a big weakness of even the best policies and security systems is the fact that people are people and, even in a top security environment, will display human characteristics such as curiosity (e.g. plugging in a USB stick, contrary to security instructions, because they wonder what is on it).

At this point, this blogger absented himself so that he could revise his presentation, for delivery immediately after lunch.