Defending Against Targeted Attacks in the Age of Cyber Espionage - BestCyberNews: Online News Presenter in the present world


Defending Against Targeted Attacks in the Age of Cyber Espionage

Howard Schmidt has done it all. He's handled security for Microsoft and eBay. He served as Special Assistant to the President and as Cybersecurity Coordinator for the government. Currently he's a partner, along with former DHS Secretary Tom Ridge, in consulting company Ridge-Schmidt Cyber. In his capacity as chairman of the International Advisory Board for Kaspersky Lab, he conducted a fascinating panel on targeted attacks and cyber espionage at the recent Kaspersky Cybersecurity Summit.

The other panelists brought knowledge and experience from various industries. Fred Schwien, Director of Homeland Security Programs & Strategy, The Boeing Company, must deal with security at all levels, starting with the supply chain. (Schwien joked, "My paycheck is pegged to the number of letters in my title.") Joe Sullivan, Facebook's CSO, worries more about the electronic realm, naturally. Rounding out the panel, Eugene Kaspersky is the founder, Chairman, and CEO of global security giant Kaspersky Lab. I can't report the entirety of the wide-ranging discussion, but I'll hit the high points.

Schmidt: "When we look at the issue of supply chain, Fred, in your work supply chain is everything. You have rivets, engines, seats, things very critical to your business and to the government. How do you see the supply chain in your critical infrastructure world?"

Schwien: "I like to say, the new 747 is six million parts flying in formation. We work hard to secure the chain, to ensure that things are made to spec and not corrupted. We have a weekly group specific to the supply chain." Schwien went on to elaborate on the many ways aviation companies and government agencies share information, including classified briefings from the FBI, TSA, and more.

Schmidt: "Joe, Fred is talking about big infrastructure, government agencies, transportation. How about Facebook? I assume you have plenty of vendors you depend on, so that's a supply chain issue. How do you deal with that?"

Sullivan: "People put their trust in us, so we look not only at the website but at every area that could be vulnerable. We think about four things, the front end, the back end, our employees, and our vendors. We have a comprehensive plan for each, and we strive for a constant state of improvement." Sullivan noted that when Facebook added a bug bounty for server-side vulnerabilities they gained valuable insight from the research community.

Schmidt: "Eugene, you've blogged about this. A breach doesn't have to be a frontal assault. We saw a big retailer compromised through a seemingly unrelated vendor. How do you and your team look at working with a supply chain?"

Kaspersky: "It's a bit complicated. I represent ID security, and I am a paranoid. Enterprises must think not only about their own security but about their suppliers. It's not just the companies that provide parts for a huge company like Boeing. The restaurants, the lunchroom, they provide a service. Do they connect to your network? Do you offer taxi service? Does it have Wi-Fi? You have to think about all direct and indirect suppliers." He related a discovery by Kaspersky Lab researchers. In checking a company that develops SCADA applications for powerplants, they discovered a backdoor. Whoever planted it got full access to the technology, and the ability to modify the source code. "If your supplier was infected, you can't rely on your data anymore," said Kaspersky. "It's good news for IT security, bad news for the rest of the world."

Schmidt: "Eugene, when you look at the whole global world footprint, you're blocking APTs for Microsoft, Boeing, Facebook... How do the little guys benefit?"

Kaspersky: "Cybercrime is a different story. They want money. They don't want to kill you, or ruin your reputation, or steal your secrets. If a small company got hit by cyberespionage, somebody made a mistake."

Schmidt: "Joe, where do you put your efforts toward securing the supply chain?"

Sullivan: "We look at whether third parties can meet published standards, but that's not enough, and you can't draw conclusions based on the size or age of the company. We audited a 15-person company that was really secure because it was built with security in mind. Another vendor, a major financial institution, limited passwords to eight characters, no special characters, and no distinction between capital and small letters. You can't judge by size."

Schmidt: "Eugene, for ten years we've been hearing 'antivirus is dead.' Is that true?"

Kaspersky: "What's that Mark Twain quote? Rumors of its death are greatly exaggerated. Antivirus signatures exist, they're still important, just not the most important. Like the seatbelt in your car; you have to have it, but it's not the most important part."

Schmidt: "Fred, Tom Ridge mentioned security-related regulations. Those exist here and in every country. You can be compliant yet still be insecure. How do you deal with regulations as a global company?"

Schwien: "Sometimes we call an aircraft a global mobile industrial control system. A plane that picked me up at Newark left from Singapore and took me to Tel Aviv. We work in the environment for each country." Schwien noted that US regulations are often the strictest, the gold standard, for both physical and cyber security. He went on to quote General Keith Alexander, former head of the NSA, about the US cyber defense team: "We have the best team in the world, but they're still in the locker room."

Sullivan: "To wrap up, the biggest problems for us have been threats that are brand new. Signatures would not have worked. We need more investment in security outside our borders, and when dealing with new vulnerabilities we need to develop new ways of protection. Information sharing is key."

Kaspersky: "What must be done? The world must be split in three categories, individual, enterprise, and critical infrastructure. We need no regulation on individuals, on Facebook users. But we need strict regulation of critical infrastructure security. Enterprises, they're in between. We need education. Most important, we need special government regulation for security officer tests. They must pass a paranoia test! This will change the world."

There you have it. Protect the supply chain, make sure crucial security information is shared, and ensure that all security officers pass the paranoia test. Audience members showed great enthusiasm.

By Neil J. Rubenking (SecurityWatch)
