The Cybersecurity Canon: The Internet Police: How Crime Went Online, and the Cops Followed

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee MemberHannah KuchlerThe Internet Police: How Crime Went Online, and the Cops Followed (2014) by Nate Anderson

Executive Summary

The Internet Police is a solid primer to many of the cases that helped define law online – from fighting against child pornographers to litigating against the masses who have downloaded music illegally. Nate Anderson, deputy editor at technology news site, Ars Technica, writes clear and, at times, entertaining tales about a large variety of online crime, including the creation of the Silk Road and the colorful lives of spammers.

But the book lacks an overarching narrative that would put the cases in context and help the reader to draw conclusions about the future of online enforcement. While useful for someone with an interest in learning more about specific court cases, it is not essential reading for the cybersecurity community and so does not make the cut for the Cybersecurity Canon.

Review

The Internet Police begins in a place that law enforcement agencies find hard to reach: a platform in the middle of the North Sea.

Sealand may be only seven miles from the English coast, but it is a separate jurisdiction that specialized in hosting sites, such as online gambling portals, that were prohibited in other countries. This offshore platform illustrates the fundamental problem of policing the Internet: bytes can travel across borders in seconds, always finding somewhere happy to host them.

This is one of the three major challenges for online law enforcement that Nate Anderson sets out at the start of The Internet Police. The second is that the structure of the Internet means network intelligence is stored on peoples’ computers, not in a central depository easily accessed by law enforcement. The third problem is that anonymity rules online, making it hard to identify individuals with any great certainty, even when armed with an IP address.

However, Anderson quickly goes on to explain why these three challenges were not ever as difficult as the so-called “Internet police” had feared.

To help address the jurisdiction problem, he argues the police could pursue online criminals based in their own country and rely on extradition from friendly countries. The decentralized structure still has its pressure points, such as ISPs and large Internet companies, which could be pushed into disclosing information. Finally, “anonymity,” he said, “turned out to be the province of the deeply skilled” and committed to disguising their identity. With a court order, most police can obtain enough information to identify a suspect.

Anderson’s argument would be more powerful if he used more detailed data and examples to back it up. It is true that police and other agencies have become skilled in tracing online identities and the NSA revelations – which Anderson devotes his Afterword to – make it clear that government can use a few key access points to gain a treasure trove of sensitive information. But he does not detail how successful extraditions have been, or how many online criminals have made their homes in countries which are not friendly to the U.S. He also skips writing about cyberattacks and hackers completely, most of which have been able to use anonymity, foreign jurisdictions and the decentralized nature of the Internet to their advantage.

If there is any clear lesson from the examples detailed in the book, it is that you cannot fight online crime with traditional methods: you have to turn to technology. Even when a prolific spammer is located, hundreds of millions of dollars in fines can mount that will never be paid. But much of conventional spam is now filtered away from our inboxes automatically with algorithms.

The music industry spent years and vast amounts of money chasing illegal downloaders of songs, in court cases against individuals on modest incomes, which often turned public opinion against the big companies. Now, the industry just sends lists of IP addresses to the government to let tax dollars do the work.

Overall, The Internet Police lacks a behind-the-scenes insight into how cops more familiar with chasing criminals down the street made the transition to pursuing crime online. Anderson does not quote any police officers or show any deep understanding of how law enforcement had to train its staff or hire new, more tech-savvy officers to tackle new threats.

Anderson writes both about the crimes that the police are tackling and how the online tools they are using may overstep the boundaries of privacy. He touches on evergreen debates about how much data it is appropriate for the FBI to harvest, the uses and misuses of encryption, and stories of law enforcement bending the existing rules to suit their needs. These tales are interesting for those who need an understanding of how arguments that hit the headlines today have existed for decades.

But the author does not reach a strong conclusion about what police should be allowed to do online to keep the population safe – and what oversteps the mark into spying. He warns that citizens need to keep an eye on the police and their tools and make “prudential judgments.” Anderson advocates instead for “productive chaos,” writing at the end: “Life is a messy business on the Internet as it is everywhere else, and we are never going to engineer the mess out of it.”

[Palo Alto Networks Blog]

Here Are 5 Common Pitfalls in ICS Security – And What to Do About Them

As cyberthreats increase in both volume and sophistication, securing industrial control systems (ICS) becomes that much more challenging. Despite the varied nature of critical infrastructure, however, most weaknesses in current ICS security fall into one or more of five categories.

Let’s look at these ICS security pitfalls and how to address them.

  1. Weak passwords

Where possible you should establish and implement policies that require the use of strong passwords. This could include account lockout policies to reduce the chase of someone attempting brute force attacks though not ideal in a ICS environment, this would be more for a system that has to be internet facing.

If strong password enforcement is not something that can be done without risking safety, look at placing some other remediating factor in place like a firewall or terminal server that can facilitate strong password enforcement without impacting the ICS system itself.

  1. Poor patch management

As we’ve previously discussed, patch management is a tricky endeavor at best. If machines in an ICS infrastructure are properly implemented, all necessary ports and protocols have been identified to allow for proper software functions. In that case, frequent patching usually isn’t necessary because those systems are, for the most part, static in nature.

But that doesn’t mean you can ignore a patch management policy. Your ICS environment requires a plan and process by which apply patches as needed and when possible to help mitigate known vulnerabilities that constitute a threat to your environment. Keep in mind that not all vulnerabilities are a threat to your systems. For example, if you do not run web services on your system, it’s not necessary to patch web services – by doing so, you just increase the risk of damage to your system.

  1. Flat network design and/or unnecessary exposure to corporate resources and Internet.

Looking back, PCN, ICS, SCADA and other control type networks were designed at a time when network connectivity was not a concern. These system had true air gaps, and it was not until recent times that the increased need for data from these systems did necessitated that IT/OT start looking at providing network connectivity to the enterprise.

One important thing is to introduce ISA 62433 or network segmentation to your environment as as soon as possible. This act alone makes for easy of isolation of your critical assets and provides a clearly defined line of demarcation.

Another best practice is, if possible, to keep these systems from facing the Internet. You can minimize network exposure to control systems by locating them behind firewalls and isolate them from all unnecessary the business network services.

If your systems require remote access, look at employing secure methods that will allow for more granular control over access and provide record or log of enter into the system.

  1. No authentication to resources

If you isolate ICS behind a firewall you are able to enforce a higher level of access control. If firewalling the system is not an option, you should look at placing some other form of remediating system or device that requires login access.

  1. Default user accounts with default password

Last but definitely not least, when and where possible disable and or change the default user ID and password for your environment. It is understood that in the controls world safety is paramount and it is understood that when things go wrong you don’t want to have look through a long list of passwords and that you have 50 of these units and they aren’t centrally managed.

Sure, you’re saying: “It will take forever to change all the passwords on the units.” But you should come up with a password for those 50 and change them all, especially on intra/internet-facing assets. The time and energy it takes to make the change in the beginning is a lot less effort than tracking down and dealing with a break, let alone reporting up to C-level why the environment was compromised because of a password issue.

For more on Palo Alto Networks solutions for ICS, head here.

[Palo Alto Networks Blog]

English
Exit mobile version