Archive for February 2011

Study Highlights IT Security Skills Gap – and significant industry growth

Organizations are rapidly adopting new technologies, but many information security professionals may lack the requisite security skills to safely implement them, according to a report released last week at the RSA Conference.

According to Frost & Sullivan’s 2011 (ISC)² Global Information Security Workforce Study, many IT security professionals are not “ready” for social media-related threats. Respondents reported inconsistent policies and protection surrounding employees’ use of such sites; 30 percent of respondents said they lacked any controls at all.

In addition, although 70 percent of respondents said they had policies or technical controls in place to secure mobile devices, these devices were ranked as the second greatest threat to organizations, after application vulnerabilities.

The largest skills gap may be illustrated by cloud computing. More than 50 percent of respondents reported having private clouds in place, and more than 40 percent reported using software-as-a-service. But more than 70 percent of approximately 10,000 global professionals polled said they needed more skills to adequately secure such technology.

“From a technology perspective we are very challenged,” said Rob Ayoub, a Frost & Sullivan global program director. “There are lots of things happening in organizations making our lives difficult.”

Separately, the report found that the information security profession appears poised for growth. Currently, there are 2.3 million professionals working in information security, according to the report. But that should grow to 4.2 million by 2015.

From Security Management:

Oil and gas firms hit by hackers

Hackers have run rampant through the networks of at least five oil and gas firms for years, reveals a report compiled by security firm McAfee which details the methods and techniques the hackers used to gain access.

Via a combination of con tricks, computer vulnerabilities and weak security controls, the attackers gained access and stole secrets, it says.

The hacker group behind the attack targeted documents detailing oil and gas exploration and bidding contracts.

Greg Day, director of security strategy at McAfee, said that the attacks used to break into all the networks were built around code and tools widely available on the net’s underground.

As such, he said, they were not very sophisticated but that did not dent their effectiveness.

In its report detailing what it dubbed the Night Dragon attacks, McAfee said the series of co-ordinated attempts to penetrate at least a dozen multinational oil, gas and energy companies began in November 2009. Five firms had confirmed the attacks, said McAfee.

In a long-running campaign, the attacks continued and the hackers methodically worked to penetrate the computer networks of these firms.

The first stage of the attack was to compromise the external server running a company’s website. Hacker tools were then loaded on the compromised machine and used to lever open access to internal networks. Then, cracking tools were used to gather usernames and passwords and get deeper access.

Once embedded, the hackers disabled internal network settings so they could get remote access to machines on the corporate networks. Via this route, sensitive documents, proprietary production data and other files were found and pilfered.

McAfee said the information stolen was “tremendously sensitive and would be worth a huge amount of money to competitors”.

The concerted attacks on oil firms resemble other specific attacks such as Stuxnet, which targeted Iran.

Mr Day said that although corporates were under attack all the time, the Night Dragon attack was no run of the mill incident.

“What makes this different is the very specific ongoing targeting of specific organisations with a very distinct purpose to what they were trying to achieve,” he said.

In that sense, he added, the attacks seemed to have a motive in common with that behind the Operation Aurora attacks on Google in China and the Stuxnet virus, which targeted industrial plant and machinery, and is thought to have been designed to attack Iran’s nuclear programme.

It was not clear if the Night Dragon attacks were state-sponsored, said Mr Day. Circumstantial evidence, such as the fact that all the attack activity took place during the Chinese business day, suggested China was involved but it was by no means conclusive.

Equally, the fact that during its investigation McAfee uncovered the identity of one individual based in China who provided invaluable aid and computer resources to those behind the attacks did not mean everything was backed by China.

The clues could be misdirection, said Mr Day.

“The attackers did not seem to be at all careful in covering their trail,” he said. “Was that just they were not that skilled or were they trying to leave a bread crumb trail to paint a false picture?”

Corporates were going to have to get much better at analysing the attacks hitting them, said Mr Day, if they were to avoid falling victim in a similar way.

“We have had a decade of cyber crime all about ‘write it, randomly spray it and see who falls foul’,” he said. “In the next decade many attacks will have a more specific purpose and they will keep going until they are successful.”

From the BBC:

WikiLeaks among nominees for Nobel Peace Prize!

OSLO (Reuters) – Anti-secrecy website WikiLeaks has been nominated for the 2011 Nobel Peace Prize, the Norwegian politician behind the proposal said on Wednesday, a day after the deadline for nominations expired.

The Norwegian Nobel Committee accepts nominations for what many consider as the world’s top accolade until February 1, although the five panel members have until the end of the month to make their own proposals.

Norwegian parliamentarian Snorre Valen said WikiLeaks was “one of the most important contributors to freedom of speech and transparency” in the 21st century.

“By disclosing information about corruption, human rights abuses and war crimes, WikiLeaks is a natural contender for the Nobel Peace Prize,” Valen said.

Members of all national parliaments, professors of law or political science and previous winners are among those allowed to make nominations. The committee declined to comment on the WikiLeaks proposal or any other nominations.

Washington is furious at WikiLeaks and its founder Julian Assange for releasing tens of thousands of secret documents and diplomatic cables which it says have harmed U.S. interests abroad, including peace efforts.

Assange, an Australian, faces extradition to Sweden from Britain for questioning in a sex case which he and his supporters say is a smear campaign designed to close down WikiLeaks, a non-profit organization funded by the public and rights groups.

Awarding WikiLeaks the prize would be likely to provoke criticism of the Nobel Committee, which has courted controversy with its two most recent choices, jailed Chinese pro-democracy activist Liu Xiaobo and President Barack Obama a few months after his election.


The prize was endowed by Alfred Nobel, the Swedish inventor of dynamite, who said in his will it was to be awarded to whoever “shall have done the most or the best work for fraternity between nations, for the abolition or reduction of standing armies and for the holding and promotion of peace congresses.”

In past decades the committee, appointed by the Norwegian parliament, has stretched Nobel’s definition to include human rights, climate activism and even micro-financing, which have been a source of criticism from Nobel traditionalists.

Nobel watchers say a prize for WikiLeaks would highlight the growing role of specialist Internet sites and broad access social media in bringing about world change.

Sites such as Twitter and YouTube have played important roles in mobilizing people in countries with a tight grip on official media, such as Egypt where mass anti-government protests have been taking place.

Kristian Berg Harpviken of the PRIO peace think tank in Oslo agreed that innovative use of “new tools for bringing about peace” could be a major theme in this year’s Nobel, but he said he expected the prize to go to a woman after a series of male recipients.

His strongest tip was the Russian human rights group Memorial and its leader, Svetlana Gannushkina.

The nomination deadline may make it difficult for Middle East nominees should mass protests there produce peace.

Egypt’s Mohamed ElBaradei won the prize in 2005 as head of the International Atomic Energy Agency, the U.N. nuclear watchdog. Although theoretically possible, no individual has won the peace prize twice. The Red Cross has won three times.