Warnings of a cyber Pearl Harbor. Major breaches of classified computer networks. Hundreds of billions of dollars’ worth of corporate data stolen by hackers.
It’s easy to feel overwhelmed by the increasingly bad news in cyberspace, but there are a few bright spots. Government and commercial techies are finding some success in trying to protect computer users — often from their own careless behavior.
What follows are examples of those efforts, which experts hope will inspire others to become more security savvy.
●The State Department has created a risk-scoring program to make it easier for computer protection managers to identify trouble spots in their networks, then prioritize and fix them. Since July 2008, the program has scanned about 96,000 computers and servers every one to three days in embassies and department offices across the world to try to detect security vulnerabilities and instruct technicians on how to solve the biggest problems first.
In the program’s first year, the department corrected 89 percent of the security flaws on the computers. The department raised the bar in the second year and removed an additional one-third of the remaining known flaws that pose the biggest threats, officials said.
●The Pentagon has launched a pilot program to try to protect defense contractors’ networks, arguably the most valuable targets in the world, with hundreds of billions of dollars’ worth of weapons technology. The Pentagon has not made results public for the Defense Industrial Base (DIB) pilot, but initial results are promising, officials said.
As part of this program, the National Security Agency shared malicious software “signatures,” or fingerprints, as well as patterns of suspicious network behavior that can signal malware is attempting to enter a network. The NSA is sharing that data with Internet service providers such as AT&T, Verizon and Century Link, who agreed to use them to monitor Internet traffic of more than two dozen defense firms that agreed to participate.
The firms had the option, but not the obligation, to report the threat-monitoring success rate to the NSA. Several of those involved in the program said the sharing of information was a much-needed “confidence-building measure” between the government and key private sector players.
William Lynn, who served as deputy secretary of defense until last month, said this program “demonstrates in concrete and measurable terms the value of public-private partnerships in improving cybersecurity for the nation’s critical infrastructure.”
James A. Lewis, a cyber-expert at the Center for Strategic and International Studies, agreed: “After years of fumbling around, the enhanced DIB pilot is the most successful thing the U.S. has managed to do in cybersecurity.”
●Comcast, the nation’s largest residential Internet service provider, in 2009 began offering customers a free service to alert them when malicious software and viruses might be trying to get into their computers. The company does it by having contractors track the Internet protocol addresses of “command and control” servers around the world that criminals and others have used to issue malicious commands to people’s computers. The company also offers resources to help remove malware. These servers are the brains of “bot” armies — or Web robots, software applications that run automated tasks over the Internet and that criminals can use to send out spam, disable a Web site, and steal valuable personal data, such as Social Security numbers and credit card information.
When Comcast detects a suspiciously high number of “pings” from these bad IP addresses to a Comcast customer’s IP address, it tells the customer through Web browser alerts and e-mail.
●In Australia, the Defense Signals Directorate, an intelligence and homeland security agency, has found four key techniques that block most targeted attacks of low to medium sophistication. The agency is rolling out the techniques across the Australian government that other countries are watching.
One technique is “whitelisting,” forcing computer users to install only approved or “whitelisted” applications and read only approved e-mails. A second applies to people considered high-value hacker targets, such as computer system administrators. On their work computer, these users may only access their e-mail or browse the Internet with limited “privileges” to lower their chances of getting infected and spreading the damage into the system.
The other two techniques focus on rapidly patching high-risk security holes in applications and operating systems. The DSD, the Australian homeland security agency, points to Adobe viewer, Microsoft Office and Java as the most frequently exploited programs. Its complete document, “Strategies to Mitigate Targeted Cyber Intrusions,” is at www.dsd.gov.au/publications/top_35_
Many of the techniques compensate for lax behavior of everyone from the casual user to the security professional, said Alan Paller, research director of the SANS Institute, a cyber-training school in Bethesda.
Former National Security Agency information assurance director Richard C. Schaeffer Jr. has said that having secure computer settings and good network monitoring — including installing firewalls and antivirus software — can thwart “80 percent of commonly known” hacking methods.
Once an afterthought, security needs to be built into software and hardware, experts say. It is starting to happen, although not as widely as necessary, they say.
“The Internet is like a very dangerous highway with a lot of unsophisticated drivers,” Paller said. “If every driver were perfect and there were no drunk drivers on the road, you probably wouldn’t need seat belts and shock-absorbing bumpers.” But, he said, in cyberspace, everywhere you look, you find malicious attackers.