Cybersecurity

Automated tools have become so ubiquitous that attacks against Internet-connected systems are commonplace. Because of this, the number of incidents reported offers little insight into the scope and effects of these attacks. Possibly as a consequence of this evolution, the Computer Emergency Response Team Coordination Center (CERT®/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) no longer publishes the number of reported incidents or vulnerabilities.

Nevertheless, numerous national surveys, conducted among samplings of U.S. businesses, government executives, security experts and others in the public and private sector show that companies are not doing enough to protect themselves against cybercrimes.

The worldwide monetary loss from cybercrime attacks in 2017 was $172.2 billion. This figure could very well be imprecise and most likely underestimated, because many companies tend to deal with data breaches quietly and do not report them. And while respondents continue to be most concerned with intruders from outside their organizations, a considerable number continue to report damage caused from within. Reporting such occurrences does not bode well for a company’s image or public trust.

Interestingly, China suffered the worst losses at $66.3 billion; Brazil was ranked second with $22.5 billion in losses, while the U.S. was ranked third at $19.4 billion.

The first study ever to link specific online behaviors with the potential for becoming a victim of cyber crime, conducted by Computer Associates (now CA) and the National Cyber Security Alliance (NCSA), showed that up to 83 percent of adults who use social networking sites expose themselves to hackers and identity thieves.

Although social networking sites, such as Facebook, Twitter and Craigslist, previously had been examined from the standpoint of physical security issues, including sexual predators, this survey examined users’ online behavior and the possibility of other threats such as fraud, identity theft, computer spyware and viruses.

Results of the survey updated in 2016 revealed that there were 809 data breaches in the United States and more than 30 million records exposed. This figure is certainly expected to have increased geometrically in recent years, due to the three billion Yahoo accounts that were compromised, as well as the hundreds of millions of others at the likes of Apple, AT&T, Chase, Citigroup, Deloitte, eBay, Equifax, the Federal Reserve Bank of Cleveland (including the Pittsburgh branch), Monster, Nintendo, Sony Pictures, Stanford University, TD Ameritrade, Trump Hotels and Walmart, to name only a few.

The CA/NCSA survey mentioned above reported some emerging general trends:

• The majority of data breaches are caused by weak or stolen credentials, some form of hacking or malware. Financial motives make up 75 percent of these attacks, and surprisingly only 14 percent were from insiders. (This is in stark contrast to the previous “Cybersecurity in the Pittsburgh Region” white paper, last updated in 2014, when internal breaches made up the preponderance of attacks.)

• Cybercrime costs the average U.S. firm $15.4 million a year.

• When it comes to American households, only 30 percent have rules limiting the kind of personal information their children can share on social networks.

In a separate study, Pew Research found that 91 percent of American adults say that consumers have lost control over how their personal information is collected online and used by companies.

Privacy, Parenting and Teens

Since practically the entire planet is digitally connected, teens constantly access, use and share information with their peers. Yet many say they withhold from their parents information about what they do online. Highlights from a recent survey from NCSA and Microsoft include:

• Sixty percent of teens say they have created an account that their parents were unaware of, such as on a social media site or for an app they wanted to use. In contrast, only 28 percent of parents say they were aware their children had created such accounts.

• Only 13 percent of teens report that their parents are completely aware of the full extent of their activities, while 17 percent say their parents are only somewhat aware.

• Twenty-one percent of teens believe their online activities should be kept private from their parents.

• Nearly half (47%) of teens are very concerned about having someone access their accounts without permission.

• Only nine percent of teens say they would talk to their parents all the time about the problems they encounter online. In contrast, 30 percent of parents say their children are likely to communicate with them all the time about online problems.

Consumer Concerns

Retail businesses gathering customer information to identify spending behavior and consumers plugging in bank information to buy the latest product have made it easier for cybercriminals to hack stored data from vulnerable devices.

Among the recent findings from various privacy and security-related studies:

• Forty-eight percent of consumers said their greatest concern was a potential security-related hacking into a home system.

• By comparison, privacy concerns about protecting personal information were cited by only 33 percent of respondents.

• The 25- to 34-year-old demographic is driving the majority of mobile payments activity for in-store purchases, with almost 50 percent saying they use mPayments at least once a month.

• A Pew Center study found 81 percent of parents said they were very or somewhat concerned about how much information advertisers can learn about their child’s online behavior.

• Eighty-eight percent of people know that identity theft is a potential issue when using public WiFi; however, 39 percent of public WiFi users have accessed sensitive information and 25 percent have logged into their online bank accounts while on public WiFi.

Internet of Things

From a security standpoint, the internet of things (IoT) is driven by personal information, allowing it to evolve into an internet of me and making it increasingly important to understand what personal information is being used to access new smart devices.

Following are some key findings from an NCSA survey in cooperation with ESET, a premier internet security software maker:

• A majority of respondents (88%) have thought about the fact that IoT devices, and the data they collect, could be accessed by hackers.

• Fifty percent have been discouraged from purchasing an IoT device due to concerns about cybersecurity.

• Nearly one in four use an app from their mobile device or computer to remotely access or control devices in their home (e.g., front door lock, home security system, TV, thermostat).

• Seventy-seven percent know that some cars may be vulnerable to hacking, and 45 percent are somewhat or very concerned that their cars could be hacked.

• A majority (85%) know that some computer webcams can be accessed by hackers to spy on them, and 29 percent are or have been afraid that someone might have accessed their webcams or video calls without their consent.

Wearables

It is important to remember that consumer-generated health data is not protected by the Health Insurance Portability and Accountability Act (HIPAA) and other data privacy assurances. Personal data culled from all types of wearables, such as fitness trackers and smart watches, provides tremendous insight into an individual’s state of health and lifestyle, but can find its way to employers, third parties and cyber culprits. This can result in a range of privacy vulnerabilities, including identity theft, employee discrimination and leaked health records.

• The retail value of wearables is projected to hit $45 billion in 2021.

• Gartner estimates that more than 1.4 billion health and fitness units will ship by 2020, up from roughly 300 million today.

• In a PricewaterhouseCoopers study on fitness devices, 70 percent of respondents had concerns about their data being transmitted via smartphone and 78 percent took issue over the security of their medical data.

Healthcare

As the proliferation of connected information has transformed our day-to-day lives, medical professionals are tapping into the connected world by eliminating hard-copy filing and moving to digital record keeping. Likewise, patients and insurance companies are able to view and access Social Security numbers, financial information and medical history, all from connected devices, which serve as a gateway for hackers.

• Healthcare data breaches involving more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights by mid-year in 2016. During the same period in 2015, 143 data breaches were reported.

• A Ponemon Institute study found nearly 90 percent of healthcare organizations suffered at least one data breach in the last two years.

• Under HIPAA, it’s illegal for healthcare providers to share patients’ treatment information, yet more than 30,000 reports regarding privacy violations are received each year.

• According to a recent study by the Healthcare Information and Management Systems Society, the vast majority of provider respondents (77%) cited medical identity theft as cyber criminals’ primary motivation.

• Criminal attacks are the leading cause of half of all data breaches in healthcare; employee mistakes, third-party snafus and stolen computer devices are the root cause of the other half.

Social Media

Social media activity continues to be one of the most popular online activities around the globe, ranging from personal news updates and photo sharing to live streaming video. However, contrary to the popular perception that social networking is an activity enjoyed almost exclusively by teens, a Pew Internet and American Life study showed that the majority of all networking site users are adults. The growing number of adults using these sites is an indicator of the potential security risks.

As convenient as these platforms are to communicate, privacy settings don’t always prevent personal information from being shared beyond the intended audience and without a user’s knowledge.

• Eighty-two percent of cyber stalkers use social media to learn information about potential victims, such as where they live and which school they attend.

• According to a Pew Research Center study, 16 percent of teen social media users said they set up their profile or account so that it automatically includes their location in posts. Of this same study, 64 percent of teens with Twitter accounts say that their tweets are public.

• The NCSA/Microsoft survey revealed that from a privacy perspective, teens report that they are very concerned about someone:

– sharing personal information about them online (43%).

– having a photo or video shared that they wanted to keep private (38%).

– receiving unwanted communications that make them uncomfortable (32%).

Tracking and Responses

The FBI periodically details a wide range of known criminal cyber activities. Viruses, worms, Trojans, computer intrusions, Web site attacks and defacements, denial-of-service attacks, identity theft, privacy breaches and child pornography are included as just some of the better known examples.

Attackers fall into a range of categories, including disgruntled and dismissed employees, domestic and overseas competitors, terrorists and even foreign governments, exemplified by how Russia meddled in the U.S. elections of 2016. Scores of Web sites are now readily vulnerable to international hackers and virus writers in numerous languages and cultures.

Types of attacks have a spectrum of their own, ranging from the $45 million stolen from ATMs worldwide by hacking into consumer prepaid credit card accounts, to the cyber Pearl Harbor warned of by former Defense Secretary Leon Panetta. The secretary singled out the country’s utility grids, financial networks and transportation systems as being particularly vulnerable.

As government, global e-commerce and mass computer use continue to grow, cybersecurity initiatives become all the more pressing. Simultaneously, progressive changes in intruder techniques increase the difficulties of predicting or detecting attacks or of limiting their potential damages. In short, such sophisticated threats demand truly sophisticated responses. As a result, President Obama signed an executive order in February of 2012 directing federal agencies to develop standards for improving cybersecurity in the private sector. Amid such a backdrop, southwestern Pennsylvania has become the premier center of excellence in cybersecurity.

CERT® Coordination Center

The first organization of its kind, the Computer Emergency Response Team Coordination Center (CERT/CC) was created in Pittsburgh in 1988 as part of Carnegie Mellon University’s Software Engineering Institute. It is a nationally recognized cybersecurity center that has been leading the way in computer security response and research since its inception.

Following the Morris worm incident, which brought 10 percent of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with establishing a center to coordinate communication among experts during security emergencies and to help prevent future incidents on a national basis.

Today, working with the Department of Homeland Security, CERT/CC alerts U.S. industry, defense contractors and computer users worldwide to potential threats to the security of their systems and provides information about how to avoid, minimize or recover from the damage. The center has played a key role in coordinating responses to major security events, such as the Code Red worm, Melissa virus and, most recently, the DNS Changer, the Rootkit viruses and the Flame and Olympic Games Trojans.

The CERT/CC’s primary charge is to preempt or respond to any threats to the security of the Internet, and the millions of computers connected to it, and to analyze product vulnerabilities that place organizations and individuals at risk. The CERT Program partners with government, industry, law enforcement, and academia to develop advanced methods and technologies to counter large-scale, sophisticated cyber threats.

The CERT/CC is part of the SEI’s CERT program, which ensures that appropriate technology and systems management practices are used to resist attacks on networked systems, to limit damages and to ensure continuity of critical services in spite of successful attacks (survivability). Numerous alerts, vulnerability reports, educational guides and other statistics are published by CERT each year.

To accomplish its mission, CERT/CC is organized into several different work areas that encompass key capabilities and products.

Coordination

The CERT/CC works directly with software vendors in the private sector, as well as government agencies to address software vulnerabilities and provide fixes to the public. This process is known as coordination.

The CERT/CC promotes a particular process of coordination known as Responsible Coordinated Disclosure. In this case, the CERT/CC works privately with the vendor to address the vulnerability, before a public report is published, usually jointly with the vendor’s own security advisory. In extreme cases when the vendor is unwilling to resolve the issue or cannot be contacted, the CERT/CC typically discloses information publicly 45 days after the first contact attempt.

Software vulnerabilities coordinated by the CERT/CC may come from internal research or from outside reporting. Vulnerabilities discovered by outside individuals or organizations may be reported to the CERT/CC using the CERT/CC’s Vulnerability Reporting Form. Depending on severity of the reported vulnerability, the CERT/CC may take further action to address the vulnerability and coordinate with the software vendor.

Knowledge Base and Vulnerability Notes

The CERT/CC increases awareness of security issues and helps organizations improve the security of their systems by disseminating information through many channels. Previously, the CERT/CC published vulnerability reports on a more routine basis in the CERT KnowledgeBase. Vulnerability Notes include information about recent vulnerabilities that were researched and coordinated, and how individuals and organizations may mitigate such vulnerabilities. Although the CERT/CC has not published annual vulnerability report totals since 2008, its archive catalogs approximately 41,000 vulnerability reports from other sources worldwide.

Vulnerability Analysis Tools

The CERT/CC provides a number of free tools to the security research community. Some tools offered include:

  • CERT Tapioca — a pre-configured virtual appliance for performing man-in-the-middle analysis. This can be used to analyze the network traffic of software applications and determine whether the software uses encryption correctly, etc.
  • BFF (Basic Fuzzer Framework) — a mutational file fuzzer for Linux
  • FOE (Failure Observation Engine) — a mutational file fuzzer for Windows
  • Dranzer — Microsoft ActiveX vulnerability discovery

Training

The CERT/CC periodically offers training courses for researchers or organizations looking to establish their own Product Security Incident Response Team.

While there is only one CERT Coordination Center, the staff of more than 150 has helped foster 67 computer security incident response teams (CSIRTs) around the world, providing them with guidance and training. The CERT/CC coordinates with these teams to respond to computer security issues. Many of the teams are members of the Forum of Incident Response and Security Teams, of which the CERT/CC is a founding member.

The CERT’s Virtual Training Environment (VTE) meets the training needs of the Department of Defense and others in information assurance. The VTE has been well received by the DoD and its use is growing. In any given year, the VTE has delivered approximately 120,000 hours of training.

The first U.S. Secretary of Homeland Security Tom Ridge recognized the CERT/CC as “a key element to our national strategy to combat terrorism and protect our critical infrastructure.” Accordingly, the Department of Homeland Security announced a partnership with the CERT/CC to create US-CERT, a coordination point for reducing the frequency and impact of cyber attacks. US-CERT, which monitors all federal networks, includes other partnerships with private-sector security vendors and international organizations. These groups work together to coordinate national and international efforts to prevent cyber attacks, protect systems and issue responses to cyber attacks.

In 2008, the CERT/CC Computer Forensics team was recognized by U.S. Representatives Murtha, Doyle and Altmire for its role in the indictment of 11 individuals by the U.S. Department of Justice for the largest identity theft case in history.

The CERT/CC also has received national recognition from trade and newspaper outlets for its efforts in developing best practices to prevent insider threat attacks. CERT/CC researchers are consistently top presenters at RSA, the largest security conference in the U.S., and they are routinely asked to testify before Congress and to advise numerous federal agencies, including the FBI, the Secret Service and the U.S. Postal Service.

CERT/CC’s private sector activities account for between 10 and 15 percent of its revenues. 

FBI/Pittsburgh – Computer Crimes Task Force

The Pittsburgh office of the FBI has been a leading cyber crime-fighting unit since 2000, when it became the first branch to hire an official computer science agent. During the same year, FBI/Pittsburgh and the CERT/CC joined forces in the formation of the Pittsburgh High-Tech Computer Crimes Task Force, a first of its kind in the nation.

As a unit of consolidated federal, state and local law enforcement, the task force was created with the purpose of pooling technical and investigative resources trained in computer technology and cyber crime in order to advance the mission of all enforcement agencies. The Pittsburgh High-Tech Computer Crimes Task Force provided forensic examination, intelligence and technical assistance to all agencies encountering computers during the course of their investigations.

Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, or any unlawful acts wherein the computer is either a tool, a target or both.

Unlike traditional types of crimes, however, technology has made it more difficult to answer the who, what, where, when and how of both traditional and non-traditional criminal activity. As a result, evidence in the digital space must be handled differently. The task force meets these evolving challenges as part of its mission.

There are several categories of crimes facilitated by a computer in which the FBI task force is involved. One facet of computer crime occurs when a computer is used as a tool to aid criminal activity including, but not limited to:

  • storing records of fraud
  • financial crimes perpetrated by computers, like credit card frauds, making counterfeit checks and paper currency
  • money laundering
  • producing false identification
  • intellectual property crimes, like software piracy, copyright and trademark infringement, theft of computer source code, etc.
  • collecting and distributing child pornography
  • cyber stalking
  • internet fraud schemes, like phishing and auction fraud, etc.
  • unauthorized access to computer systems or networks
  • theft of information
  • denial of service
  • virus/worm attacks
  • Trojan attacks
  • web jacking and extortion.

Task force members include:

  • U. S. Attorney’s Office, Western District of Pennsylvania
  • Federal Bureau of Investigation
  • U. S. Postal Inspection Service
  • U. S. Defense Criminal Investigative Service
  • U. S. Internal Revenue Service – Criminal Investigation
  • U. S. Secret Service
  • Pennsylvania Office of the Attorney General
  • Pennsylvania State Police
  • Allegheny County Sheriff’s Office
  • Allegheny County District Attorney’s Office
  • Allegheny County Police
  • Port Authority of Allegheny County Police
  • City of Pittsburgh Bureau of Police

A regional forensic and training center allows businesses to run test hack scenarios to measure how well security initiatives perform.

Since 2000, similar task forces have been deployed in every FBI field office. And in 2002, the FBI reorganized to create its own cyber division. This division simultaneously supports FBI priorities across program lines, assisting counterterrorism, counterintelligence and other criminal investigations when aggressive technological investigative assistance is required.

NCFTA

The National Cyber Forensics & Training Alliance (NCFTA) is the first partnership of its kind in the nation, and it grew out of the work performed by the Pittsburgh High-Tech Computer Crimes Task Force. It was established in 2002 as a non-profit partnership among private industry, government and academia for the sole purpose of providing a neutral, trusted environment enabling collaboration and cooperation to identify, mitigate and disrupt cyber crime. Members of the NCFTA jointly developed and staffed facilities, where program participants benefit from cyber-forensic analysis, tactical response development, technological simulation/modeling analysis and the development of advanced training.

The NCFTA provides a venue where critical confidential information about cyber incidents can be shared discreetly, and where resources can be shared among industry, academia and law enforcement. The Alliance facilitates advanced training, promotes security awareness to reduce cyber-vulnerability and conducts forensic and predictive analysis and lab simulations. These activities are intended to educate organizations and enhance their abilities to manage risk, develop security strategies, collaborate on best practices, detect and combat illicit cyber activities.

President Barack Obama, in the White House’s 2009 Cyberspace Policy Review, named the NCFTA as one of three international organizations that stand out as an “effective model” in national cyber security.

For the years 2015 through 2017, the NCFTA:

  • referred 1,068 cases to law enforcement
  • produced 4,451 intelligence reports
  • contributed to 489 arrests
  • assisted law enforcement in seizures worth $188.8 million
  • prevented losses totaling $1.6 billion

Classes and conferences, such as “Introduction to the Deep Dark Web” and “Virtual Currency: Opening Up a Whole New World for Criminals” are held throughout the year in Pittsburgh, New York and Los Angeles.

Future partnerships will be established in regions where interest exists to combine resources, intelligence and expertise more effectively. These additional partnerships will be linked together, enhancing the resources fundamental to this project. This coordinated and decentralized approach will empower regional teams with vital information and expertise in a timely and efficient manner.

University Contributions

Pittsburgh is home to a number of other cybersecurity assets. In 2004, Carnegie Mellon University became one of only two institutions in the U.S. to receive National Science Foundation (NSF) funding for the study of a branch of cybersecurity, called Security Through Interaction Modeling. Carnegie Mellon received $6.4 million, just eclipsing the University of California at San Diego, which received $6.2 million.

Carnegie Mellon’s large faculty in cybersecurity-related fields and significant levels of funding at its Software Engineering Institute are important assets in the development of a larger cybersecurity market in the Pittsburgh region.

Since education is a necessary component of safeguarding the computer network, Carnegie Mellon also initially invested $6 million in 2003 to inaugurate the CyLab Security and Privacy Institute, one of the largest university-based cybersecurity education and research centers in the U.S. CyLab is multi-disciplinary and university-wide, involving seven different departments and schools from CMU, more than 50 faculty, along with more than 250 graduate students. CyLab currently is supported almost exclusively by private funding, such as competitive contracts, grants and more than 20 industry partnerships.

Past and current partners have included, but are not limited to:

  • 3M
  • Boeing
  • Eaton
  • Facebook
  • LG Electronics
  • Lockheed Martin
  • Northrop Grumman
  • Rockwell Automation
  • Sandia National Laboratories
  • Siemens

Pittsburgh-based company members have included RedMorph and UPMC.

CyLab’s mission is to design, develop and create new secure, trustworthy and sustainable computing devices, hardware and communications systems for advancing and improving the nation’s capabilities in response and prediction to attacks. CyLab seeks to educate individuals at all levels in addressing the threats to the country’s cyber infrastructure by providing technology, resources and expertise in four areas:

  • Technology transfer to and from the public sector
  • Technology transfer to and from the private sector
  • Development of information assurance professionals
  • National awareness programs and tools

CyLab is an NSF CyberTrust Center, and it is a key partner in NSF-funded Center for Team Research in Ubiquitous Secure Technology. CyLab also is a National Security Agency (NSA) Center of Academic Excellence in Information Assurance Education, as well as a Center for Academic Excellence in Research, also designated by the Department of Homeland Security.

Housed in the 25,000 square-foot Collaborative Innovation Center on CMU’s campus, CyLab offers more than 50 courses in privacy and security and has trained more than 75,000 people in that discipline. It is a four-time champion of the World Series of Hacking.

Carnegie Mellon’s most well-known contribution to this arena is the Software Engineering Institute, which has designed and continuously is developing a curriculum to teach system and network administrators about information assurance, including a set of skills to help them integrate security policy, practices and technologies into their operational infrastructure. This Survivability and Information Assurance curriculum is to be offered at community colleges across the country, making such education affordable and accessible to professionals and employers.

At the University of Pittsburgh, the Department of Information Science and Telecommunications has established the Laboratory of Education and Research on Security Assured Information Systems (LERSAIS). This premier program focuses on the diverse problems related to security and survivable information systems, networks and infrastructures, while developing and supporting high quality education in security and information assurance.

Since the spring of 2004, LERSAIS has hosted numerous seminars on information security presented by leading experts from all over the country. As a result, the University of Pittsburgh has been designated a National Center of Academic Excellence in Information Assurance Education, and since the designation’s inaugural year in 2004, it is one of only 10 Centers in the U.S. that have maintained a commitment to retaining the certification. The designation is awarded jointly by the NSA and the Department of Homeland Security.

It continues to serve as a multidisciplinary forum for the synergistic interaction among researchers within survivable information systems, as well as other experts in information assurance-related areas outside the school.

One example of this academic excellence is the NSA-approved curriculum to train security professionals in three computer security standards. These standards are training for:

  • information systems security professionals
  • designated approving authorities
  • system administrator professionals.

The curriculum also includes subjects such as “Validating Computer Security Methods,” “Privacy Enhancing Techniques for Social Network” and “My Smartphone Knows What You Print.”

In addition, LERSAIS was given the Department of Defense (DoD) Information Assurance Scholarship award for partnering with the National Defense University’s Information Resource Management College (NDU/IRMC). Under this program, a student who has been studying under certificate programs at NDU/IRMC can pursue the security assured information systems track in the Department of Information Science and Telecommunications with a Department of Defense scholarship.

Private Sector

Although many large U.S. corporations and government agencies manage computer security in-house by hiring their own staff of experts, market estimates for cybersecurity spending range between $60 billion and $137.8 billion in 2017, and spending is expected to increase to $232 billion by 2022. Watchdog groups have estimated that the U.S. federal government alone spent approximately $28.5 billion in 2016, up from $10 billion just three years earlier.

Part of this anticipated growth will be fueled by the financial services industry, where worldwide spending on security-related products and services has reached $499 billion in 2017.

More than 40 businesses in southwestern Pennsylvania indicate some level of involvement and expertise in cybersecurity, and all are poised to take advantage of the growth trend. Included in this community are hardware and software designers, cybersecurity consulting services, developers of monitoring software and tracking devices, and manufacturers of technical surveillance and security counter-measures equipment.

Netronome Systems, Wombat Security Technologies and (Company Names) are just a few of the organizations driving the region’s progressive cybersecurity efforts.

The Pittsburgh region continues to solidify its claim as a center of excellence in cybersecurity. The private firms that operate within this emerging cluster are only part of the picture. The presence of university-based and government agencies also attracts a disproportionate share of federal funding for research, development and national cybersecurity services.