Government // Cybersecurity
News
1/18/2013
12:25 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Offensive Cybersecurity: Theory And Reality

Can you -- and should you -- strike back at attackers? It's a complex question with ethical, legal, technical and practical considerations.

InformationWeek Green - Jan. 21, 2013 InformationWeek Green
Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Storage Innovation

Faced with the failure of preventive security, going on the attack is an appealing concept. But is it worth the risk? Israeli anti-spam startup Blue Security thought so. The company created a technology that let customers fire back at spammers by blasting opt-out messages to the source of unwanted email; the company maintained centralized control by researching the origin of spam. Essentially, it went on the offense in a big way by creating a botnet -- an army of computers launching denial-of-service attacks through the Internet. Its technology might have made a real dent in spam operations. Then, in mid-2006, Russian mobsters warned Blue Security to stop operations and threatened to launch their own counterattacks. In the face of ongoing attacks, CEO and founder Eran Reshef returned funds to investors and killed the company.

Blue Security faced other challenges, too. Botnet attacks harm the Internet infrastructure and could be considered illegal. Most network operators shied away, so the company was constantly looking for hosting. Still, getting threatened by the Russian mob is a whole other level of intimidation. Organized malware and spam is a big business, and the criminals aren't likely to back off in the face of anything a typical company can throw at them.

Even so, the appeal of striking back is understandable. Whether the damage is a distributed denial-of-service attack (DDoS) forcing a website off the Internet or malware stealing intellectual property, attacks hurt companies. We've spent millions on information security, and what have we to show for it? Most defenses are static, set in advance so attackers can learn to bypass them at their leisure. Most coping mechanisms are reactive. We respond only after a threat is discovered -- if it's discovered -- and probably too late.

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:
  • Strategic Security Survey data on the top reasons for increased vulnerability
  • Top breach/espionage threats: cybercriminals tied for No. 1
Get This And All Our Reports

The U.S. military has maintained for some time that it is legally justified in using military force to retaliate against a cyber attack. Presidential Policy Directive 20, signed by President Obama in October after Congress didn't pass the Cybersecurity Act, establishes standards for the federal government's response to attacks, and cybersecurity is specifically addressed in the 2013 National Defense Authorization Act. But for those of us without drones at our disposal, it's still too soon to go on the offensive. I believe the time will come that companies can do so, but for now the legal, ethical, operational and technological challenges are too daunting.

Who's The Attacker?

Even trying to figure out who's responsible for an attack against your systems is difficult. In international law, if a missile is launched from one country into another, we know the entity responsible, regardless of who actually pushed the button. On the Internet -- with millions of compromised computers belonging to botnets -- can a country, or a service provider for that matter, be held responsible for actions by systems in its jurisdiction?

A few years ago, a friend who is a U.S. federal law enforcement officer was tasked with fighting online financial fraud, specifically phishing. He soon discovered the IP address of a computer behind one attack. His team kicked in the owner's door, only to find a family completely clueless that their computer was being used in the phishing scheme. This is called the Trojan horse defense, in which the device owner claims to be unaware: "A hacker broke into my computer."

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
1/25/2013 | 7:09:20 PM
re: Offensive Cybersecurity: Theory And Reality
The concept of offensive security is definitely attractive, but in reality, it can be a slippery slope. What seems to make the most sense "offensively" is fighting back with disinformation or phony data if you know the attacker is inside, for example.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.