Cybercrime is now allegedly a bigger problem in the UK than street crime, but hackers may not be the biggest problem. The US government takes cybersecurity concerns so seriously that last year the Under-Secretary for Economic, Energy and Agricultural Affairs made pointed comments to Chinese representatives at a joint government event about threats ranging from "the theft of money or information, or the disruption of competitors, to nationalism and the extension of traditional forms of state conflict into cyberspace".
Cyber-espionage, cyber-war: do we really need to worry about them — and if we do, what can we do about them? Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners sets out to answer both questions via a comprehensive survey of the potential threats, the incidents we know about, the tools we could use to detect and protect against attacks, and the legal basis for all of this.
The book is also crammed with details that keep it from being too dry a treatise — right from the foreword, where the president of security experts The SANS Institute confesses to being fooled into friending a fake Facebook persona (luckily for him, set up by a security researcher). The short final section of perspectives from a range of security experts is thought-provoking, but mostly this is a rigorous analysis of every aspect of cyber-war and defences against it.
The more formal sections are admittedly on the dry side, but they're thorough enough to make this an effective training manual. In such an anecdotal and nebulous area, it's useful to have a survey of the situation — including clear definitions of threats and how detection and response fits in with the current military organisation and doctrine. The analysis of who's responsible for what is US-focused, but there's an excellent of survey of the official position of key nations around the world on the national security considerations of digital attacks.
It's interesting to compare this with the separate list of official organisations responsible for cyber-warfare in different countries — and the authors make it clear which they feel are there for defence and which are for attack. They also touch rather delicately on the question of moving from 'ethical hacking' and penetration testing to Western nations training cyber-warriors of its own to attack its enemies.
This can make for some odd juxtapositions. If cyber-warriors sit in front of a keyboard instead of driving a tank, the criteria for choosing them and the threats they will face are very different. So we're not sure why the authors compare possible resistance to recruiting children and senior citizens to the position of gays in the military. Similarly, the section on how to do social engineering shades gradually into interrogation techniques.
Whether you're a potential cyber-warrior, or just educating yourself, there's a useful survey of some of the most useful tools for gathering information online: from scraping metadata from files with Metagoofil, to tracking down personal details with Maltego, to scanning systems for vulnerabilities with Nmap, Nessus and OpenVAS to breaking into them with Netcat, CANVAS and Metasploit to obscuring attacks by tampering with logs — or changing your IP address to look as if you're attacking from China.
It's salutary to see quite how poorly passwords protect you when there are tools like Hydra and John the Ripper freely available, and to be reminded how easily Wireshark can capture unencrypted VOIP conversations. Equally, you may be surprised to discover that the popular anonymising proxy TOR was developed in conjunction with the US Naval Research Laboratory for 'intelligence gathering' (as spying is politely called).
There are briefer suggestions for defending against the different categories of tools and techniques, which boil good security practice down to bite-size nuggets. The most valuable lesson you can take away from the book is that the real vulnerability in any system is people. The difference from most computer security books is that Cyber Warfare also covers attacking — and defending — hardware, as well as the people using the computers. That ranges from speculating about the effect of targeted salmonella in a facility to a brief tutorial on picking locks, to a discussion about how much easier it was to take down the commercial ISPs in Iraq in 2003 (who were all connected to a single Cisco switch) than the government connections running over a satellite link imported from the US via Iraq. It doesn't delve into the Stuxnet attack in detail but there's a comprehensive discussion of control systems that might be vulnerable.
Some of the examples are both fascinating and frustrating. We probably aren't going to find out whether the 1982 explosion of the trans-Siberian gas pipeline really was caused by the CIA putting malware into plans for a control system that the KGB stole from Canada. The details of official surveillance programmes in the US and UK (Carnivore, Echelon, Magic Lantern, Einstein and Perfect Citizen) are also necessarily brief and unofficial. But the details of the 1990 counterfeit capacitor electrolyte that caused counterfeit capacitors to fail early — including the ones in the first Apple AirPort — are satisfying, and it's nice to get a realistic explanation of what an electromagnetic pulse device can and can't do.
Cyber attacks are far from new — and yes, they're real. Back in 1989 Clifford Stoll wrote the still-engaging Cuckoo's Egg about tracking Soviet Bloc infiltrators in networks run by the US Department of Defense (DoD). In 1998 attackers traced to Russia targeted systems at NASA, there were significant attacks on the DoD in 2003 and 2008 (the latter leading to the banning of USB thumb drives) and in 2007 denial-of-service attacks from Russia effectively took Estonia offline for two weeks.
None of these incidents have led to more than harsh words, because it's never been proven whether individuals or official government departments are behind them. A series of attacks on the DoD in 1998 nicknamed Solar Sunrise was originally blamed on Iraq, but turned out to be Californian teenagers who'd learned from an Israeli hacker. At the end of Cyber Warfare you won't have a definitive answer on whether a true cyber-war is imminent. What you will have is a far better idea of the complexity of the situation, and a clear view of where to start evaluating threats to your infrastructure and how to protect against them.
Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners
By Jason Andress, Steve Winterfeld