An Inside Perspective on Cyber Security
Preview of the threat landscape
The threat landscape is everywhere: foreign nations, unethical industry competitors, criminals, and individuals or organizations seeking to create fear or chaos. The two that concern me the most are foreign nations and criminals. On the criminal side, identity theft is an extreme cancer affecting our country and the world. It has taken on aspects we had not really considered before, such as filing your income taxes for you and collecting the refund, refinancing your house while you are living in it, and taking out loans from your 401K. These individuals are successful due to the complete lack of identity management in the U.S. I will give you an example: a lady I know had her identity stolen. It was detected about 90 days later when she did her quarterly credit report check, but when she pulled the other two credit reports from the competing companies she noticed more accounts had been created than were reported by the company she was using. This is issue number one: whatever appears on one credit report should be shared with all other credit agencies. The criminal was able to open charge accounts and started using them without her knowledge. As she started to get that under control, the criminals went to a department store where she had a credit account and got themselves added to the account (which should never have been possible). The criminals then used a credit repair company to get complete credit reports from the three major companies, thus providing the criminals with the rest of the data they did not already have. When the lady contacted the credit repair company, they declined to provide her any information on how the account was set up, who set it up, or what information they used to establish the account. Their response was that the account had been established using the victim's information, so they would not provide her any information, even though it was obvious the account had not been set up by the victim.
National-level identity management, or new laws targeted at helping victims, could take away this avenue for criminals.
On the nation-state side, the country is very ill prepared for cyber warfare. Individuals on the news channels keep talking about a cyber "Pearl Harbor", but I hate to say it will not be that small. In looking at what the military is doing for cyber warfare, they have to establish Cyber Warfare units, and those units spend almost zero time on actual cyber warfare. Cyber warfare is not just a virus, the exfiltration of information from an adversary, or advanced defenses; it is much, much more. In all matters of diplomacy the Department of State evaluates "the other side" via a set of measurements known as DIMEFIL (Diplomacy, Information, Military, Economic, Finance, Intelligence, and Legal); these are the Elements of National Power. They are the strengths of a country or organization, which also makes them targets for diplomatic activities; I am sure we have all heard that the military is the last act of diplomacy. If they are targets for diplomacy and the military, they are cyber warfare targets. With our total reliance on networks to share information and make everything accessible, explicitly targeting DIMEFIL elements via cyber warfare could be devastating. And, at this time, we do not evaluate our defenses, nor do we evaluate the adversary's actions in cyberspace, from the perspective of the effect on our elements of national power. These elements are the linchpins holding our country together; looking back at the economic crisis of 2008, we can begin to see what a constructed cyber-attack across our DIMEFIL elements could make possible.
Preventing Cyber Intrusion into Your Control Systems
Cyber defense is not going out and buying the latest and greatest software product or tool. It does include tools and different products, but primarily it is appropriately sized and trained IT operations and IT security staffs; it is detailed processes and procedures that everyone is trained on and that are regularly updated; and it is designing the network environment not for ease of maintenance, ease of traffic flow, or limiting costs, but to protect your data and defend yourself against very talented adversaries. You build the environment for defense first, and then you figure out how to operate within those defenses.
Having the Right Tools to Shape Cyber Security Systems
You start with a better set of tools. The tools available on the market today are very inadequate. I believe the reason they are inadequate is that the tool designers do not understand the needs of network operations and defense as a combined activity. It is these widely known problems that eventually lead to open doors that adversaries take advantage of. For example, ask any U.S. government organization whether the ports and protocols in use on their network match 100 percent of the ports and protocols documented in their accreditation packages; in the hundreds of times I have looked, they have never matched. We have a desperate need for tools for the basics.
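The "basic" check the paragraph describes, comparing what is actually listening on a host against what the accreditation package documents, can be automated with a few dozen lines. The script below is an added example, not code from the article or from any product; the baseline set, the host listing and the process names are constructed sample data, and the listing is laid out like `ss -lntup` output as an assumed input format. It reports both directions of drift: sockets that are open but undocumented, and documented services that are not actually listening.

```python
"""Check observed listening sockets against an accreditation baseline.

Added example, not code from the article or any named product.  The baseline
and the socket listing below are constructed sample data, and the listing is
in the layout of `ss -lntup` output as an assumed format for illustration.
"""
import re
from dataclasses import dataclass

# Constructed accreditation baseline: every (protocol, port) the package documents.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 53), ("udp", 123)}

# Constructed listing in `ss -lntup` layout (assumed format, sample processes).
OBSERVED_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=2210,fd=14))
tcp   LISTEN 0      5      127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=640,fd=7))
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*         users:(("minissdpd",pid=701,fd=4))
"""


@dataclass(frozen=True)
class ListeningSocket:
    proto: str     # "tcp" or "udp"
    address: str   # bound address with IPv6 brackets stripped
    port: int
    process: str   # owning process name, "" when the column is absent


# One socket line: Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, Process.
_LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<proc>.*))?$"
)
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listing(text):
    """Parse socket lines into ListeningSocket records; other lines are skipped."""
    sockets = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # header or unrelated line
        addr = m.group("addr")
        if addr.startswith("[") and addr.endswith("]"):
            addr = addr[1:-1]  # "[::]" -> "::"
        pm = _PROC_RE.search(m.group("proc") or "")
        sockets.append(ListeningSocket(m.group("proto"), addr, int(m.group("port")),
                                       pm.group("name") if pm else ""))
    return sockets


def compare_to_baseline(sockets, baseline, ignore_loopback=False):
    """Return what is open but undocumented and what is documented but not open."""
    observed = {}
    for s in sockets:
        if ignore_loopback and s.address in LOOPBACK:
            continue  # optionally treat loopback-only services as out of scope
        observed.setdefault((s.proto, s.port), set()).add(s.process)
    undocumented = sorted(
        (proto, port, ",".join(sorted(procs)))
        for (proto, port), procs in observed.items()
        if (proto, port) not in baseline
    )
    documented_but_closed = sorted(p for p in baseline if p not in observed)
    return {"undocumented": undocumented, "documented_but_closed": documented_but_closed}


def matches_accreditation(result):
    """True only when the live host and the package agree exactly."""
    return not result["undocumented"] and not result["documented_but_closed"]


if __name__ == "__main__":
    result = compare_to_baseline(parse_listing(OBSERVED_LISTING), BASELINE)
    for proto, port, proc in result["undocumented"]:
        print(f"OPEN BUT UNDOCUMENTED: {proto}/{port} ({proc or 'unknown process'})")
    for proto, port in result["documented_but_closed"]:
        print(f"DOCUMENTED BUT NOT LISTENING: {proto}/{port}")
    print("matches accreditation package:", matches_accreditation(result))
```

Run against the constructed listing, the check fails on both sides: three services are open that the package never documented, and the documented DNS listener is absent. The `ignore_loopback` switch exists because a loopback-only database is a different risk from an externally bound one, and a team has to decide deliberately which of the two its package is meant to cover.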
Two Important Cyber Security Initiatives
The first is education. Our universities do not teach the basics in cyber security, and thus it is a serious problem. The University of Maryland University Center does have a Cyber Security program that has been very successful, and its students have a very high rate of employment after graduation. Their program strives for improvement, and recently they won the worldwide cyber security Olympics in Spain; to me that should have been an important news item.
The second is the NIST Cyber Security Framework. The framework is not an end-all for all security measures and practices, but it is a giant step forward in the way security is treated.
Securing the Cloud
I have found that securing a cloud is almost identical to securing a data center in my facility. The big differences are twofold: are you allowing customers access to your cloud, and what are the processes and procedures for employee connections to the cloud? Clouds with customer access are treated just like your old hard data center. Customers access the public-facing systems only, and they never have access to the primary copy of any data. Employee access to operate, maintain, and make data updates must be controlled; this type of access takes place from a controlled subnet of the company facility. You can't always prevent all intrusions, but by following these types of guidelines you can limit their impact.
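The two rules in this section (customers reach only public-facing systems and never the primary copy of data; employee operations access is accepted only from a controlled company subnet) are easy to state and easy to get wrong in a firewall or identity policy. The evaluator below is an added example, not code from the article; the zone map, the controlled subnet, and the sample requests are constructed. It is written default-deny, so an unknown role, an unknown target, or a malformed source address is refused rather than silently permitted.

```python
"""Default-deny access policy for a cloud with both customer and employee access.

Added example, not code from the article.  The zone map, the controlled subnet
and the sample requests are constructed.  The policy encodes two rules: customers
reach only public-facing systems (never the primary data copy), and employee
operations/maintenance access must originate from the controlled company subnet.
"""
import ipaddress

# Constructed map of systems to network zones.
ZONES = {
    "web-frontend": "public",
    "api-gateway": "public",
    "bastion": "management",
    "db-primary": "primary-data",
}

# Constructed company subnet from which employee operations access is permitted.
CONTROLLED_SUBNET = ipaddress.ip_network("10.50.0.0/24")

# Per-role policy: reachable zones, and whether the source must be on the controlled subnet.
POLICY = {
    "customer": {"zones": {"public"}, "controlled_subnet_only": False},
    "employee": {"zones": {"public", "management", "primary-data"},
                 "controlled_subnet_only": True},
}


def evaluate(role, source_ip, target):
    """Return (allowed, reason).  Anything not explicitly permitted is denied."""
    rule = POLICY.get(role)
    if rule is None:
        return False, f"unknown role {role!r}"
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, f"malformed source address {source_ip!r}"
    zone = ZONES.get(target)
    if zone is None:
        return False, f"unknown target {target!r}"
    if zone not in rule["zones"]:
        # This branch is what keeps customers away from the primary data copy,
        # even if they happen to connect from inside the company network.
        return False, f"role {role!r} may not reach zone {zone!r}"
    if rule["controlled_subnet_only"] and src not in CONTROLLED_SUBNET:
        return False, f"{role!r} access must originate from {CONTROLLED_SUBNET}"
    return True, f"{role!r} from {src} to {target} ({zone}) permitted"


# Constructed sample requests: (role, source address, target system).
SAMPLE_REQUESTS = [
    ("customer", "203.0.113.7", "web-frontend"),
    ("customer", "203.0.113.7", "db-primary"),
    ("customer", "10.50.0.30", "db-primary"),
    ("employee", "10.50.0.12", "db-primary"),
    ("employee", "198.51.100.4", "bastion"),
    ("employee", "10.50.0.12", "legacy-box"),
]


def audit(requests):
    """Evaluate each request and return one decision record per request."""
    decisions = []
    for role, source_ip, target in requests:
        allowed, reason = evaluate(role, source_ip, target)
        decisions.append({"role": role, "source": source_ip, "target": target,
                          "allowed": allowed, "reason": reason})
    return decisions


if __name__ == "__main__":
    for d in audit(SAMPLE_REQUESTS):
        verdict = "ALLOW" if d["allowed"] else "DENY "
        print(f"{verdict} {d['role']:<9} {d['source']:<14} -> {d['target']:<13} {d['reason']}")
```

Of the six constructed requests only two are permitted: a customer reaching the public front end, and an employee reaching the primary database from the controlled subnet. The customer on the company subnet is still refused because zone membership is checked before the subnet rule, so the source network never widens what a customer may touch.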
Lessons from a CSO
You have to stay more on top of all security notices and cyber activities worldwide. My biggest challenge is being a "Security Educator". In the majority of my interactions with customers, they believe their security is "good enough" regardless of what you show them about their environment. They feel that if they have no data showing up in hacker forums, then they have not been broken into, so why worry about it? And there is not really a reason to spend needed capital to stop activities you have no evidence of taking place, even if you show that their security is in very bad shape. Security is an annoyance and an afterthought.
Instead of "If you build it, they will come", it is now "If they break it, we will fund".