You may be able to easily identify people who could, legitimately or not, gain physical access to your computer—family members, roommates, co-workers, members of a cleaning crew, and maybe others. Identifying the people who could gain remote access to your computer becomes much more difficult. As long as you have a computer and connect it to a network, you are vulnerable to someone or something else accessing or corrupting your information; however, you can develop habits that make it more difficult.
Lock your computer when you are away from it. Even if you only step away from your computer for a few minutes, it’s enough time for someone else to destroy or corrupt your information. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information.
Disconnect your computer from the Internet when you aren’t using it. The development of technologies such as DSL and cable modems has made it possible for users to be online all the time, but this convenience comes with risks. The likelihood that attackers or viruses scanning the network for available computers will target your computer becomes much higher if your computer is always connected. Depending on what method you use to connect to the Internet, disconnecting may mean disabling a wireless connection, turning off your computer or modem, or disconnecting cables. When you are connected, make sure that you have a firewall enabled (see Understanding Firewalls for more information).

Evaluate your security settings. Most software, including browsers and email programs, offers a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of the software, or if you hear of something that might affect your settings, reevaluate your settings to make sure they are still appropriate (see Understanding Patches, Safeguarding Your Data, and Evaluating Your Web Browser’s Security Settings for more information).
What other steps can you take?
Sometimes the threats to your information aren’t from other people but from natural or technological causes. Although there is no way to control or prevent these problems, you can prepare for them and try to minimize the damage.
Protect your computer against power surges and brief outages. Aside from providing outlets to plug in your computer and all of its peripherals, some power strips protect your computer against power surges. Many power strips now advertise compensation if they do not effectively protect your computer. Power strips alone will not protect you from power outages, but there are products that do offer an uninterruptible power supply when there are power surges or outages. During a lightning storm or construction work that increases the odds of power surges, consider shutting your computer down and unplugging it from all power sources.
Back up all of your data. Whether or not you take steps to protect yourself, there will always be a possibility that something will happen to destroy your data. You have probably already experienced this at least once: losing one or more files due to an accident, a virus or worm, a natural event, or a problem with your equipment. Regularly backing up your data on a CD or network reduces the stress and other negative consequences that result from losing important information (see Real-World Warnings Keep You Safe Online for more information). Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don’t need to back up software that you own on CD-ROM or DVD-ROM, since you can reinstall the software from the original media if necessary.
View more: https://www.us-cert.gov/ncas/tips/ST04-003

IEEE Security & Privacy’s readers are concerned with not only security and privacy but also safety and dependability. This issue focuses on all four aspects of the technology we use daily.
IEEE Security & Privacy
Volume 14, Issue 2
From the Editors
Reflections of an NSF Program Officer
Jeremy Epstein
DOI: 10.1109/MSP.2016.45
Abstract: Program officers direct government research funding priorities. This column gives a personal perspective on life as a program officer focused on security and privacy at the US National Science Foundation, explaining the value of such service to the community and the individual.
Interview
Silver Bullet Talks with Jamie Butler
Gary McGraw, Cigital
DOI: 10.1109/MSP.2016.38
Abstract: Gary McGraw talks to Jamie Butler, the chief technology officer and chief scientist at Endgame, about attacking back, rootkits, OS security, and more.
Guest Editor’s Introduction
The IEEE Security and Privacy Symposium Workshops
Terry Benzel, University of Southern California Information Sciences Institute
DOI: 10.1109/MSP.2016.29
Abstract: To bring some of the IEEE Symposium on Security and Privacy Workshops to a wider audience, IEEE Security & Privacy magazine’s editorial board decided to devote one special issue each year to a reprise of selected symposium papers. This year, the special issue focuses on two of the Security and Privacy Workshops held in conjunction with the symposium. Three articles discuss security in Web systems, and the fourth describes the emerging field of privacy engineering and the motivation, content, and results of the first workshop on this topic.
IEEE Security and Privacy Symposium
Bake in .onion for Tear-Free and Stronger Website Authentication
Paul Syverson, US Naval Research Laboratory
Griffin Boyce, Berkman Center for Internet & Society at Harvard University
DOI: 10.1109/MSP.2016.33 [paywall]
Abstract: Although their inherent authentication properties are generally overlooked in the shadow of the network-address hiding they provide, Tor’s .onion services might just deliver stronger website authentication than existing alternatives.
IEEE Security and Privacy Symposium
Stickler: Defending against Malicious Content Distribution Networks in an Unmodified Browser
Amit Levy, Stanford University
Henry Corrigan-Gibbs, Stanford University
Dan Boneh, Stanford University
DOI: 10.1109/MSP.2016.32 [paywall]
Abstract: Website publishers can derive enormous performance benefits and cost savings by directing traffic to their sites through content distribution networks (CDNs). However, publishers who use CDNs must trust they won’t modify the site’s JavaScript, CSS, images, or other media en route to end users. A CDN that violates this trust could inject ads into websites, downsample media to save bandwidth, or, worse, inject malicious JavaScript code to steal user secrets it couldn’t otherwise access. The authors present Stickler, a system for website publishers that guarantees the end-to-end authenticity of content served to users that simultaneously lets publishers reap the benefits of CDNs. Crucially, Stickler achieves these guarantees without requiring modifications to the browser.
IEEE Security and Privacy Symposium
Analysis and Mitigation of NoSQL Injections
Aviv Ron, IBM
Alexandra Shulman-Peleg, IBM
Anton Puzanov, IBM
DOI: 10.1109/MSP.2016.36 [paywall]
Abstract: NoSQL data storage systems have become very popular due to their scalability and ease of use. Unfortunately, they lack the security measures and awareness that are required for data protection. Although the new data models and query formats of NoSQL data stores make old attacks such as SQL injections irrelevant, they give attackers new opportunities for injecting their malicious code into the statements passed to the database. Analysis of the techniques for injecting malicious code into NoSQL data stores provides examples of new NoSQL injections as well as Cross-Site Request Forgery attacks, allowing attackers to bypass perimeter defenses such as firewalls. Analysis of the source of these vulnerabilities and the methodologies presented can mitigate such attacks. Because code analysis alone is insufficient to prevent attacks in today’s typical large-scale deployment, certain mitigations should be done throughout the entire software life cycle.
IEEE Security and Privacy Symposium
Privacy Engineering: Shaping an Emerging Field of Research and Practice
Seda Gürses, Princeton University
Jose M. del Alamo, Universidad Politécnica de Madrid
DOI: 10.1109/MSP.2016.37 [paywall]
Abstract: Addressing privacy and data protection systematically throughout the process of engineering information systems is a daunting task. Although the research community has made significant progress in theory and in labs, meltdowns in recent years suggest that we’re still struggling to address systemic privacy issues. Privacy engineering, an emerging field, responds to this gap between research and practice. It’s concerned with systematizing and evaluating approaches to capture and address privacy issues with engineering information systems. This article serves to illuminate this nascent field. The authors provide a definition of privacy engineering and describe encompassing activities. They expand on these with findings from the First International Workshop on Privacy Engineering (IWPE), and conclude with future challenges.
Web 2.0
Cleaning up Web 2.0’s Security Mess–at Least Partly
Benjamin Stritter, Friedrich-Alexander University of Erlangen-Nuremberg
Felix Freiling, Friedrich-Alexander University of Erlangen-Nuremberg
Hartmut König, Brandenburg University of Technology
René Rietz, Brandenburg University of Technology
Steffen Ullrich, genua GmbH
Alexander von Gernler, genua GmbH
Felix Erlacher, University of Innsbruck
Falko Dressler, University of Paderborn
DOI: 10.1109/MSP.2016.31 [paywall]
Abstract: Everyone loves Web 2.0 applications. They are easy to use and fast, and can be accessed from any computer or smartphone without installation. They let us easily communicate and share data with one another, shop simply, and access vast amounts of information. However, they’re also frequently mentioned in connection with novel exploits, data leaks, or identity theft. Active content, tight integration, and the overall complexity of the continuously evolving Web 2.0 technology create new risks that we can hardly grasp. Turning back on the technology is not a solution because we would lose many features that we’ve come to rely on. But how can we achieve both a pleasant user experience and security in a place as messy as the Web 2.0 landscape? First, we can look to understand the wide range of attacks as well as the complex security situation and attack surface of Web 2.0 applications. Second, we can study the open research challenges in this field and assess how best to approach these issues.
Federal Trade Commission
Assessing the Federal Trade Commission’s Privacy Assessments
Chris Jay Hoofnagle, University of California, Berkeley
DOI: 10.1109/MSP.2016.25 [paywall]
Abstract: Regulators worldwide need to keep tabs on companies caught violating consumer protection rules. Assessments by outside accounting firms are a key tool for regulators to detect privacy and security problems. It’s not widely known that an assessment, a term of art in accounting, is a less-intense evaluation than an audit. Also, in practice, assessments overseen by America’s top consumer protection cop, the US Federal Trade Commission, fall short of what’s needed to ensure that information-intensive companies are protecting privacy and honoring promises. This article outlines five practical steps to make company oversight more effective.
It All Depends
Dynamic Certification of Cloud Services: Trust, but Verify!
Sebastian Lins, University of Cologne
Pascal Grochol, University of Cologne
Stephan Schneider, University of Cologne
Ali Sunyaev, University of Cologne
DOI: 10.1109/MSP.2016.26 [paywall]
Abstract: Although intended to ensure cloud service providers’ security, reliability, and legal compliance, current cloud service certifications are quickly outdated. Dynamic certification, on the other hand, provides automated monitoring and auditing to verify cloud service providers’ ongoing adherence to certification requirements.
Education
Rethinking the Role of Security in Undergraduate Education
Sarah Zatko, Cyber Independent Testing Laboratory
DOI: 10.1109/MSP.2016.40 [paywall]
Abstract: Security tends to be an afterthought in undergraduate computer science education. Given the increasing prevalence of data breaches, applied security content should be integrated throughout the curriculum. Such integration can be achieved through subtle but consistent changes to existing courses.
In Our Orbit
Security for the High-Risk User: Separate and Unequal
John Scott-Railton, Citizen Lab, Munk School of Global Affairs, University of Toronto
DOI: 10.1109/MSP.2016.22 [paywall]
Abstract: Civil society groups, which tend to use commodity tools and popular online platforms, are increasingly targeted by cyberattacks to disrupt their activities and steal their private information. Such cyberthreats deserve our attention, first, because they expose the default-insecure options in online platforms and, second, because addressing the most glaring cases will confer stronger security for the common user.
More information: http://cybersecurity.ieee.org/blog/2016/04/28/ieee-security-privacys-special-issue-on-the-ieee-symposium-on-security-and-privacy/

Five Things to Know: The Administration’s Priorities on Cybersecurity
Protecting the country’s critical infrastructure — our most important information systems — from cyber threats.
Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.
Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.
Cyberspace touches nearly every part of our daily lives. It’s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation. It’s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history. We must secure our cyberspace to ensure that we can continue to grow the nation’s economy and protect our way of life.
The Administration is employing the following principles in its approach to strengthen cybersecurity:
Whole-of-government approach
Network defense first
Protection of privacy and civil liberties
Public-private collaboration
International cooperation and engagement
On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”
Protect Critical Infrastructure
The government must work collaboratively with critical infrastructure owners and operators to protect our nation’s most sensitive infrastructure from cybersecurity threats. Specifically, we are working with industry to increase the sharing of actionable threat information and warnings between the private sector and the U.S. Government and to spread industry-led cybersecurity standards and best practices to the most vulnerable critical infrastructure companies and assets.
The Administration issued E.O. 13636, Improving Critical Infrastructure Cybersecurity, in 2013.
The Administration launched a follow-on Cybersecurity Framework, a guide developed collaboratively with the private sector for private industry to enhance its cybersecurity, in 2014.
Improve Incident Reporting and Response
We must enhance our ability to detect and characterize cyber incidents, share information about them, and respond in a timely manner. These efforts encompass network defense, law enforcement, and intelligence collection initiatives, so we can better understand our potential adversaries in cyberspace.
Awareness of a cyber threat or incident, and quickly acting on that information, are critical prerequisites to effective incident response. As directed in E.O. 13636, the U.S. Government has developed systems and procedures to increase the timeliness and quality of cyber threat information shared with at-risk private sector entities. We are placing great emphasis on unity of effort by agencies with a domestic response mission.
Engage Internationally
Because cyberspace crosses every international boundary, we must engage with our international partners. We will work to create incentives for, and build consensus around, an international environment where states recognize the value of an open, interoperable, secure, and reliable cyberspace. We will oppose efforts to restrict internet freedoms, eliminate the multi-stakeholder approach to internet governance, or impose political and bureaucratic layers unable to keep up with the speed of technological change. An open, transparent, secure, and stable cyberspace is critical to the success of the global economy.
We are continuing to pursue the policy objectives laid out in the U.S. International Strategy for Cyberspace including:
Developing international norms of behavior in cyberspace
Promoting collaboration in cybercrime investigations (Mutual Legal Assistance Treaty modernization)
International cybersecurity capacity building
Secure Federal Networks
We must improve the security of all federal networks by setting clear targets for agencies and then holding them accountable for achieving those targets. We are also deploying improved technology to enable more rapid discovery of and response to threats to federal data, systems, and networks.
The Cybersecurity Cross Agency Priority (CAP) Goal represents the Administration’s highest cybersecurity priorities for securing unclassified federal networks.
Shape the Future Cyber Environment
We are also looking to the future. We are working to develop a cyber-savvy workforce and ultimately to make cyberspace inherently more secure. We will prioritize research, development, and technology transition and harness private sector innovation while ensuring our activities continue to respect the privacy, civil liberties, and rights of everyone.
The federal government is partnering with the private sector and academia to encourage and support the innovation needed to make cyberspace inherently more secure.
Credit: https://www.whitehouse.gov/issues/foreign-policy/cybersecurity