matically. Because in-place human assets are no longer required, the time needed to penetrate the whole of the industrial base is significantly less than it was in the 1980s. The man running his furniture business might not think he will ever be a target because he is ranked so low, but the attackers will get to him, probably sooner rather than later. We are in danger of thinking about this as a low-paced environment when the reality is it’s high paced.
BORG: Cybercrime develops within predictable places. Typical markers are where you have unemployed people with a high level of technical training, where there is an ideological rationale for the attack—because criminals like to feel good about themselves—and where there is some kind of criminal organization to seed the effort.

As these pockets take hold, they often specialize in particular industries or even particular companies. So, a given, very famous, company will tell you that most of its attacks come out of a specific country. There is an opportunity for tampering with the ecology of the attackers and making their
CLARK: At a minimum, all businesses should implement a basic level of protection using established commercial products and services. Even though there are many vendors in the market who deliver the basics and do it very well, many companies still do not have basic protection.

Then the next stage is to say, “I’ve done the basics. Now I need to understand whether I am in this next level and a target.”
CREEGER: Given the current mantra of putting things in the cloud, does that make you more secure?
EPSTEIN: Yes and no. I would argue that for small companies and maybe even midsize companies, on balance, it’s a good thing. For that sector, it is probably the first time that they’re getting some level of professional management and some opportunity for the 24/7 monitoring they clearly need. For large companies, it’s probably a huge step backward.
CREEGER: Because it’s a one-size-fits-all security model?
NORTON: You have to have some basic quality criteria in the cloud providers.
EPSTEIN: You need to have a way for those small and medium-size companies to discern what type of security those cloud providers provide. A company I worked with outsourced its human-resources system, including all its sensitive employee information, to a cloud provider. I saw the administrator log in using a four-character password, and I said, “You know, this isn’t a good idea.” An employee, overhearing this, tried to log in with the stock ticker symbol, was successful, and was almost terminated for pointing out the vulnerability. The cloud provider should almost certainly shoulder some of the fault because it turned out that the policy was to accept a minimum of two-character passwords, even for the administrator account. The risk was increased because of the cloud, but the cloud provider was delegating the responsibility to the customer, who didn’t have the
CREEGER: What I’m hearing is that the bad guys are way ahead because they’re more innovative and profit driven. For the good guys, it’s buyer beware, and you must really try to understand your business’ realistic vulnerabilities. Always practice basic hygiene and look to the security industry for products such as intrusion protection, firewalls, antivirus, and the like. Don’t count on that really bailing you out, however, if you are the target of a sophisticated and determined attacker.

The best advice is to recognize what makes you unique in the market and think honestly about how to protect those assets. This might include spending some money on a computer-literate consultant who could actually help you think through that process.
BORG: You have to guard against having the security consultant sell you a universal solution that promises to secure everything. You need to have a specific strategy that addresses your valued information assets.
CREEGER: Over time, the legitimate computer security world will catch up, and cloud service providers will have tiered certifications designed to fit the needs of specific industry sectors.
CLARK: Yes, but the threat will have moved on. We need to address the fundamental asymmetry of this issue. You will never catch up.
EPSTEIN: I want to add outsourced penetration testing as one more thing to be done. Penetration testing does not tell you where your problems are or how many problems you have but how screwed up you are. Gary McGraw calls it a “badness-ometer.” Penetration testing is something that you can take to the board to show real risk and
CLARK: One needs to be cautious and balanced about the way those findings are presented. Penetration testers always find something. It is important that people understand the context of what is found, distinguish what is important in addressing the issues raised, and get to a known baseline. The computer industry should help educate people on how their risk profile ranks with similar organizations.
BORG: Employees should never be told to protect valuable assets. If they’re told this, they usually protect an object that may be expensive to replace but is not what creates or could destroy value. How value is created is a business’ most important asset, and that is what people must focus their protection resources on.
CREEGER: Maybe a recommendation would be to take senior management to an off-site meeting and ask, “If you were a determined attacker to our business, what would you do to damage it or to re-create its value for some other set of shareholders?”
BORG: When we investigate the vulnerabilities of companies, we always get the engineers to sit down and red-team their own company.
CLARK: If you take a slice across the whole company and not just senior management, you’ll get much more value. You need an entire cross section of expertise and viewpoints.
NORTON: It’s not just about technology but a balance of people, process, and technology. There is intelligence at every level in your organization. The lower levels are often untapped and usually really understand where organizational vulnerabilities reside.
BIANCO: You have to have the right people on staff for this kind of effort. You need to deploy business-specific monitoring technologies and employ someone knowledgeable to look at the output of those systems.

Also, don’t be afraid to talk to other