U.S. Cybersecurity Efforts Likened to the Maginot Line

By Daniel Fowler

In an effort to protect themselves by focusing on continuity and resiliency, government and financial services firms have actually enlarged the cybertarget for attackers - and other sectors are following suit.

"Because we're more worried about bombs and [distributed denial of service] attacks, we've created backup data centers, we've backed up our fiber optics with wireless, we've increased remote user access - and all those basically increase the size of the target," said Tom Kellermann, vice president of security awareness for Core Security Technologies (http://www.coresecurity.com) and a member of the Center for Strategic and International Studies (http://www.csis.org/tech/cyber/) Commission on Cybersecurity for the 44th Presidency.

Rather than having one target "behind layers of security, which used to be the primary financial data center or the government network itself, you can now attack the backup data center, you can now attack the remote user, you can now attack the wireless transmission layer - all of which were put in place for business continuity and resiliency purposes," said Kellermann, who was responsible for cyber-intelligence and policy management at the World Bank Treasury (http://treasury.worldbank.org) from 1999 to 2006.

Kellermann called cybersecurity the "greatest national security threat" the United States has faced since the Cuban Missile Crisis.

"Every time you connect another IT system, another network, every time you keep spending that IT budget - you're increasing the risk to your assets, you're increasing the risk to the integrity and the confidentiality of your data," he said. "Stop focusing on the accessibility and availability of data."

The focus, Kellermann said, needs to be on building "better castles in cyberspace around our assets."

Q: How would you characterize the cybersecurity threat in the U.S.?

A: The threat is dire. Having seen it from the World Bank perspective for seven years, I recognize that most organized criminal syndicates around the world have built out a capacity for cybercrime because it's much easier than human trafficking or drug trafficking in terms of just stealing money and funds and identities, and intellectual property for that matter. The reality also - as documented by the FBI - is that 108 countries have developed cyber-attack capabilities.

They're not just using these capabilities for their governments and their intelligence communities. They're actually sharing these capabilities with the private sector in those countries, so they can assist them in getting comparative advantage - example being, let's steal company X's intellectual property and bring it to market faster.

Then you've seen - as demonstrated by terrorist groups - that the modern-day silk road is cybercrime.

Look at Ibrahim Samudra, who was the Bali bomber. He testified in his court hearing that he financed the $200,000 effort that it took to kill 202 people through cybercrime. He even wrote a 20-page white paper in Arabic that was distributed widely throughout Indonesia on how to hack systems and what are the strategic weaknesses and perimeter defenses in e-commerce sites. You've seen a huge uptake in the amount of hacking from Indonesia since that was distributed. So, we need to recognize that it's a bidirectional flow, the water of the Internet.

Q: What can be done about it?

A: Encryption and firewalls and virus scanners are all very useful, but they are not the end-all, be-all. The perimeter defenses that have been put in place that are being traditionally relied on by e-commerce, e-government and e-financial institutions are not being successful because of the reality that the attackers are strategically overwhelming our defenses by going above and beyond them, much like the modern-day Maginot Line.

Why did the Nazis bypass the amazing fortifications set up by the French? Because those fortifications were based on a threat that was going to come right at them, fortifications that were expecting the threat never to go around them or above them. That's basically how we've set up our defenses for e-commerce and e-government. We're way too reliant on firewalls and virus scanners and encryption to protect ourselves.

One fundamental weakness is that we are not testing our defenses enough.

We're not actually testing ourselves to ascertain what are the weaknesses in our policies, procedures, personnel and all these technologies we've got in place. What are the cracks in the armor per se if they bypass my moat, my firewall and get around my encryption, my walls? How are my guards reacting with the dogs and the castle keep?

That is one of the fundamental weaknesses - from a sports perspective - we are really not scrimmaging enough. I mean we're just kind of sitting out there and waiting, and our incident response plans are screwed up because we patch and clean instead of assuming that when they've compromised the system, they've stolen all of our credentials and they've set up secret passageways back in. ... What I'm trying to say is right now when we get hit by something, we patch and clean when we should be realizing that when someone gets into your system the number one thing they do is steal your credentials. The number two thing they do is set up a secret passageway back in, a back door.

We should be plugging those back doors, identifying them, plugging them and changing all of our authentication or access controls or credentials ... immediately and then actually testing, conducting pen testing, which is basically ethical hacking from that system to everything it touches because most of the time your network diagrams are not up to date so you're not really sure where they could have gone if they'd penetrated this system.

So, what you should be doing is looking at your system from the vantage point of an attack and really respecting how there are fundamental gaps and prioritizing your security spending on the basis that these guys are playing a game of chess and they are playing eight to nine moves ahead.

We've been playing a game of defensive chess that's based on two or three moves ahead, and it's just not lining up.

Q: In January, President Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23. The approval "formalized a series of continuous efforts designed to further safeguard Federal Government systems and reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats," states the Homeland Security Department's Web site. Do you think the federal government is doing enough to defend against cyberthreats?

A: I think there are many people in the federal government that do not have the resources they need to get the job done. I think that the chief information security officer community in particular has been marginalized too much, and needs to have budgets independent of the traditional IT budget that trickles down to them. I think that the presidential initiative is a huge leap forward, but realistically it's a drop in the bucket and we need far more attention and far more funding than has been allocated by that effort. I do commend the effort because it is at least an acknowledgement of the problem. Considering the overall IT budget of the federal government - and you look at the amount of spending that's being done to protect our soft underbelly in that directive - you realize that it's a great leap forward, but it's still a drop in the bucket.

Q: You are a member of CSIS' Commission on Cybersecurity for the 44th Presidency. As a member of that commission, can you discuss some of the recommendations that we should expect?

A: We are working on recommendations now. I don't have the luxury of speaking to the recommendations we'll be issuing with the exception of we're looking at it through a multi-disciplinary lens with a certain respect, an homage to the adversary. That being said, we're really trying to grapple with the diverse issues that overlay both policy and technology that represent why this is an over-arching threat. This is essentially the leukemia of American society.

Q: What is the most important message that you personally think could come out of this commission?

A: That this is a real governance issue that shouldn't be reserved for the techie geeks and nerds, but the policymakers themselves need to get involved and need to recognize that this is not just a national security issue, but an economic security issue and that every program and every operational aspect of your job involves something that is dependent upon computers. And, if you do not build in the risk management, risk assessment capabilities for those programs and for those policies, they will end up turning on you. I think it's important to note that this is a fundamental operational risk issue.

Q: On a scale of one to 10, 10 being the most prepared, how prepared are the U.S. government and the private sector in terms of cybersecurity?

A: Six (for the government). Certain sectors do better than others. I would give them a five.

Q: Is there enough collaboration between the government and the private sector in terms of cybersecurity?

A: No. There needs to be more of that. But, there's always this whole information sharing issue that goes on. There needs to be more sharing. There needs to be less classification of the data. The reason why I say that - and this is an important point to make - is the irony is that the government will classify data incidents, tactics, techniques whereas in the underground those techniques, incidents and even those systems that have already been compromised are being exchanged freely. That kind of puts us behind the eight ball.

I understand the need to classify data. But, at the same time, you could eliminate some of the details of the who and when and just distribute the why. Because for those of us who work in this space, the fact that we get better intelligence and information from the underground than we do from our government is highly problematic - and I'm not a hacker.

Q: You were previously senior data risk management specialist for the World Bank Treasury Security Team. What is the World Bank doing in terms of cybersecurity that you think other entities could learn from?

A: That's interesting. Four things actually. One, they've taken the chief information security officer position out from underneath the CIO.

Two, they regularly conduct penetration tests on themselves and third parties that provide services. Three, they implement two-factor authentication for all privileged personnel and/or people that would be transacting and touching critical systems. ...

It's something you know, something you have or something you are. It's not just something you know and something you know. What I mean is not just a password and recognition of an image. It's like a smart card and a password, or a smart card and a biometric or a smart card and a one-time use password like a SecurID token. It's just two things that don't involve something you know because the problem with something you know is the adversary can become omniscient because the adversary can see everything you do on your computer and so if they're already inside you then they've compromised everything if your authentication, your access control is solely based on something you have to type in. So, if it's a smart card or a biometric or a one-time use password that generates every 60 seconds, that helps you insulate yourself from an already compromised device or system.

Four, the leadership of the World Bank is regularly debriefed now on the severity and the issues involved here, not to mention they're actually moving forward with trying to assist other governments and banks. The reason why that's important is that in the financial sector, much like in government, there are so many tendrils. There are so many connections with other important entities that you have to have a line of communication with that even if you do good housekeeping at home, if they get polluted that water comes downstream.
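The point Kellermann makes about a one-time code that changes every 60 seconds is that a stolen "something you know" is worthless on its own once the second factor is a value the attacker cannot reproduce later. The following is an added illustration, not code from the interview, from CQ, or from the World Bank: a minimal time-based one-time password (TOTP) verifier built on HMAC-SHA1 in the style of RFC 4226/6238, using a 60-second step to match the interview's description (the standard default is 30 seconds). The shared secret, password and timestamps are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (hypothetical): a real deployment provisions a random
# per-user secret inside the token and stores only a salted password hash.
SHARED_SECRET = b"constructed-demo-secret-0123"
STATIC_PASSWORD_HASH = hashlib.sha256(b"constructed-demo-password").hexdigest()
STEP_SECONDS = 60   # the interview describes a code that rotates every 60 seconds
DIGITS = 6


def totp_code(secret: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the one-time code for the time step containing unix_time."""
    counter = unix_time // step                     # same value for the whole step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_login(password: str, one_time_code: str,
                 unix_time: int, used_codes: set) -> bool:
    """Require both factors: the static password AND a fresh, unused TOTP code."""
    # Factor 1: something you know. A keylogger on a compromised workstation
    # captures this, which is exactly why it must not be sufficient alone.
    given_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given_hash, STATIC_PASSWORD_HASH):
        return False
    # Factor 2: something you have. Accept the current step and the previous
    # one to tolerate clock drift, but never a code that was already consumed.
    for drift in (0, -1):
        expected = totp_code(SHARED_SECRET, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, one_time_code):
            if expected in used_codes:              # replay of a captured code
                return False
            used_codes.add(expected)
            return True
    return False


def demo(now: int = 1_700_000_100) -> dict:
    """Walk through the scenarios the interview describes and report outcomes."""
    used = set()
    password = "constructed-demo-password"
    code = totp_code(SHARED_SECRET, now)            # what the token shows right now
    return {
        # captured password alone, no token in hand
        "password_only": verify_login(password, "", now, used),
        # legitimate user with both factors
        "both_factors": verify_login(password, code, now, used),
        # attacker replays the same captured code seconds later
        "replayed_code": verify_login(password, code, now + 5, used),
        # attacker tries the captured code three steps later
        "stale_code": verify_login(password, code, now + 3 * STEP_SECONDS, used),
        # attacker has a valid code but guessed the password wrong
        "wrong_password": verify_login("stolen-guess", code, now, used),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:>15}: {'accepted' if accepted else 'rejected'}")
```

The design choice worth noting is the `used_codes` set: without it, a code captured from a compromised machine could be replayed within the same 60-second window, which defeats the purpose of the second factor; a production verifier keeps this state per user and also bounds how many failed attempts it tolerates per step.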

Q: The new chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security recently called financial services an "inherently connected" sector, noting that if "one network gets penetrated" it could quickly become a national or global issue. Should cybersecurity for this sector be different than for others?

A: It should be different. It has to be different because of all the payment systems. The financial services sector is the most heavily targeted and I think they've been overly focused on business continuity and denial of service attacks for too long now. I think they really need to deal with the epidemic of cyber infiltration that's impacting them.

One important report that I would point to for that regard is the FDIC puts out a technology incident report every quarter and the most recent one said ... that there was an increase in unauthorized access to systems, but most importantly most of the unauthorized access was unknown in origin, which means that they're hitting your system from the inside out, that they've already compromised a device or something within your perimeter so that none of your firewalls and information detection systems are picking up where the hell it's coming from.

That being said, they need to pay far more attention to the third party relationships they have. They need to pay far more attention to the Web hosting, data warehouses, business continuity relationships they have and thoroughly test those entities for weaknesses before getting in bed with them, and during the relationship as well. So, that is the paradigm shift I would ask them to consider.

But they have a massive, a massive challenge in front of them and they know it. In large part because of the fact that in the yesteryear it was far easier to overlook the cybersecurity incidents because it wasn't directly impacting the bottom line because the global payment systems couldn't have been impacted by cyber-attacks because they weren't all truly IP-based, number one, and two is they ran transactions plus one day or two days, which means in doing that ... it allows you to unwind a fraudulent transaction the next day. So hey, someone stole a million dollars last night through the system, I can unwind that and bring that money home.

Now they're doing it in what's called straight-through processing and that inherently allows someone - once you've opened the barn door - to take as much as they want. They've moved fully to IP-based systems. The Fedwire system, which is how the Treasury communicates and the Fed communicates with major banks, and the SWIFT system, which operates around all tier-one banks around the world, are now on IP-based networks, which means they're now more vulnerable to attack.

The financial sector is too reliant on Public Key Infrastructure [PKI] to defend themselves, much like the government is. The reality of public key infrastructure is simple. It's an encryption solution that governments and banks utilize. The problem with it is twofold. One, the private key that unlocks all the ciphers is typically stored on a C drive and if I can compromise the operating system of that C drive, I can own the key. Then, I can hide in your encrypted tunnel so you can never track me.

Two, the certificate authority that issues certificates that legitimizes users around the world doesn't have very good security either. So, if I can compromise the certificate authority and issue myself certificates or make other certificates' integrity questionable, I can compromise the system.

The reason why I stress this to you is because they are over-reliant on PKI and business continuity and not sufficiently focused on increasing testing of themselves and third parties, improving authentication, improving remote access security and improving their incident response capabilities, based on the phenomenon of cyber-infiltration, versus denial of service and disruption of business.

Daniel Fowler can be reached at dfowler@cq.com.

Source: CQ Homeland Security

© 2008 Congressional Quarterly Inc. All Rights Reserved.
