Cybersecurity Blog Cybersecurity Blog
Sarath Geethakumar: Strategy and Standards Needed
Although the focus of security efforts is often on companies, security professionals should remember that consumers are also affected, said Sarath Geethakumar, a security researcher and senior director of information security for VISA.
 
"If you would ask me the top security threat, it would be about my family being able to go shopping and buy bread,” he said. “We're talking about IoT, we're talking about mobile, but nobody's asking what's happening when you're buying gas or your wife is out using your credit card."
 
Geethakumar, co-author of “Hacking Exposed Mobile” and a self-described mobile security enthusiast and “developer by passion,” said "the risk of the unknown is something we can't quantify."
 
Geethakumar said it’s essential for companies to define strategy and governance, establish security standards and guidelines, benchmark security capabilities, and create a risk-based security assessment. Maintaining security architecture and frameworks and secure development standards are also important, he said.
 
Companies should build security into every aspect of their systems. And basic hygiene is essential. “You have to set the standard that you’re going to meet and follow these guidelines. We should be able to benchmark security processes.  We need to establish security processes. We need to have secure software,” Geethakumar said.
 
Geethakumar agreed with Cigital CTO Gary McGraw that you can’t walk in and tell developers that “their code is crap.” Rather, he said, “You need to build security champions within the organization.”
 
Recent security breaches have struck large enterprises, retailers, manufacturers, and more, including Target, Neiman Marcus, Home Depot, PF Chang, Community Health Systems, and
 
JP Morgan Chase. The reasons behind the breaches range from problems with third-party software providers and Web application vulnerabilities to missing patches and phishing and targeted attacks.
 
Geethakumar says the same vectors—malware, phishing, and drive-by downloads--are being used again and again. In their wake, the exploits reveal weak security architecture, weak secure software development, a lack of vulnerability management, and nonexistent security monitoring.
 
In that environment, there’s no such thing as “absolute security.” Tellingly, said Geethakumar, most organizations affected by breaches were compliant with regulatory requirements. "It's inevitable that there's going to be one person in your organization to get into your organization," he said.
Panel: Is There Any Hope for Ending the Arms Race?

Cybersecurity executives on the Rock Stars of Cybersecurity panel agreed that we’re living in frightening times. But they differed on how best to fight the cybersecurity battle, as well as how big a problem it is.

When queried by moderator Josh Greenbaum, panelists said there’s no shortage of things that keep them up at night. “You can throw as much perimeter security as you can, and something’s gonna get in. It’s gonna get in,” said Dave Martinez of Guidance Software. “What keeps me up at night is the remediation—fixing it and making sure it doesn’t spread.”

Gus Hunt, former CTO of the US Central Intelligence Agency, said that this is the first time in the history of the world that “frictionless weapons systems” can be quickly launched. “Previously it took time to develop these things. That has changed. This is what scares me most about the era that we’ve entered, and therefore I get no sleep.”

And yet, pointed out Will Hurley, founder of Chaotic Moon Studios, companies often dedicate “only minimal effort” to fighting cybercrime and educating employees to follow procedures to protect networks and other assets. In addition, he said, “There’s a fundamental problem. There is nothing to protect you from attacking your infrastructure.”

David Rockvam, Vice President of Entrust, said “a lot of companies are in possession of some very good security technologies.” But that only goes so far when “anybody can stand up a domain and start pointing traffic to it.” One solution, he suggested, would be to “provide more of a guard rail” to accessing the Internet.

Whurley said failing to deal with cybersecurity threats could have a bad effect on technological progress. “With these security concerns, my fear is we’ll start to sift the adoption of technology if we don’t start educating people about security,” he said.

“I agree with the premise that you can’t patch stupid, but I think there’s a way you can engender security awareness in a company,” said Rockvam. “Everyone in this room is probably in firefighting mode at some time. The more you can control the things you can control the better off you’ll be.”

Hunt agreed that training is important. But he said, “No matter how much training there is, somebody’s still going to click on the Bowling with Elves thing that someone snuck in.”

Saying there’s “too much hyperbole and not enough rational thinking,” Hunt noted that cybercrime costs the US economy $100-$150 billion (about 0.7 percent of the Gross Domestic Product), compared with inventory shrinkage (aka theft), which costs $280 billion (1.4-1.9 percent of the GDP). The strategy that has worked with reducing inventory shrinkage—such as RFID tags and requiring customers to check in with clerks before trying on clothes—is aimed at making theft more difficult.

Most panelists agreed that without punishment for cybercrime, the arms race will continue. “This is seen as a victimless crime. There’s not enough legislation on how to deal with it. It’s a profitable business,” Whurley said.

 

 

DHS's Peter Fonash: ‘Weather Map’ Can Strengthen Cyber Ecosystem
If companies and organizations want to win the war on cybercrime, they’ll need to become more organized, said Peter Fonash, Chief Technology Officer of the US Department of Homeland Security, at Rock Stars of Cybersecurity in Austin Wednesday.
 
“The adversaries right now are winning. We’re losing the war right now,” said Fonash. “They’re very organized.”
 
What makes things difficult, he said, is there are many points of entry for cybercriminals and many different types of attacks. Attacks range from insider attacks, data and policy corruption, code manipulation malware, worms and viruses, to backdoor implants and physical destruction.
 
“The Target breach got in through the supply chain. You not only have to protect your own networks but you need to make sure the vendors you deal with have some level of cybersecurity,” Fonash said.
 
The cyber ecosystem is global, evolving and includes government and private sector information infrastructure; the interacting people, processes, data, information and communications technologies; and the environment and conditions that influence their cybersecurity.
 
There are also different types of cybercriminals. “We really have many types of hackers. We have hacktivists and college students, and then we have organized cybercriminals who are very sophisticated,“ Fonash said.
 
The effects of attacks can range from fear, doubt, and confusion to dollar, reputation, and performance losses.
 
“We have many unknown vulnerabilities,” said Fonash. “One problem, however, is that the incidences spread at network speed but our defenses are manual. Lots of times we will take much longer to respond than we should. We’re also hampered by a lack of information sharing between systems.”
 
To resolve many of those issues and uncertainties, Fonash recommends a “weather map,” which creates situation awareness through information sharing, big data analytics, and collective action based on that shared information.
 
Weather maps inform and facilitate a collective automated response. The common situation awareness is based on real-time information sharing. Collaborative automated courses of action are based on common awareness and trust.
 
Fonash said Weather Map 1.0 is currently in existence, but there are still some visualization and skills shortage issues to resolve. He estimates that full implementation is still three or four years out.
 
Fonash acknowlwedged that weather maps are a response to security threats rather than a means of becoming aware of potential attacks. 
A Cybersecurity Strategy is Essential, Says IBM’s Peter Allor

The year 2011 was credited as “the year of the breach,” with SQL injection incidents the most common. By the following year, the number of incidents had increased by 40 percent, with DDOS and third-party problems the most common. By 2013, there were more than 500 million incidents.

The most targeted industries are manufacturing, finance and insurance, information and communication, and health and social services, said Rock Stars of Cybersecurity speaker Peter Allor, security strategist at IBM. And misconfigured systems or applications are responsible for most vulnerabilities.

“In reality, we’re not any less secure in the cloud,” he said. And yet, “most organizations don’t have a risk strategy. They’re aware they should have one, but they don’t.”

The 2014 US State of Cybercrime Survey found that most organizations don’t take a strategic approach to cybersecurity spending. President Obama started the conversation with Executive Order 13636, which tasked organizations with improving critical infrastructure cybersecurity.

In addition, CISOs’ roles are evolving as they take on more authority and accountability. An IBM study documented three distinct types of CISOs: influencers, protectors, and responders.

There are also a variety of approaches to implementing a cybersecurity framework. There are five main types of security risk frameworks: domain, process, smart architecture, organizational, and sectorial. The National Institute of Standards and Technology’s Cybersecurity Framework covers five core functions: Identify, Protect, Detect, Respond, and Recover.

“Risk frameworks are all about how we’re going to get there. Pick one or make your own,” Allor implored attendees to Rock Stars of Cybersecurity. “Because the threats are going to be out there.”

New Speakers Added! Last Day for Early Registration

New speakers have been added for Rock Stars of Cybersecurity, Sept. 24 in Austin, Texas. If you register by the end of the day, you can save up to 30 percent off registration for a full day of speakers, networking, lunch, and more.

Tim Helming, Director of Product Management at DomainTools, has over 13 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At WatchGuard, he helped define and launch some of the best-selling SMB security appliances in the market. At Symform, he led definition and messaging efforts for that company's unique peer-to-peer cloud storage solution.

Gus Hunt, former CTO at the US Central Intelligence Agency, serves as president and CEO of Hunt Technology LLC, a consulting company focused on strategic IT planning, IT effectiveness and efficiency, cybersecurity, data-centric protection, and the cloud. As CTO of the CIA, he set the IT strategic direction and future technology investment plan, and was the motivating force behind the agency's decision to acquire a copy of both the Amazon cloud and IBM's Watson.

Brian Kenyon, Vice President and Chief Technology Officer at McAfee, is responsible for leading an engineering organization focused on developing comprehensive security and compliance for enterprise organizations. His team designs solutions as well as addresses crisis situations in support of some of the world's largest IT infrastructures.

Other speakers at the must-attend conference include:

  • Peter Allor, Cyber Security Strategist - Federal, IBM
  • Peter Fonash, Chief Technology Officer, US Department of Homeland Security
  • Sarath Geethakumar, Senior Director – Global Information Security, VISA
  • Joshua Greenbaum, Principal, Enterprise Applications Consulting
  • Will Hurley, Co-founder, Chaotic Moon Studios
  • Gary McGraw, Chief Technology Officer CTO, Cigital
  • Spencer Mott, Vice President Chief Information Security Officer, Amgen
  • David Rockvam, Vice President, Entrust, and 
  • Brett Wahlin, Chief Information Security Officer, HP.

At Rock Stars of Cybersecurity, you'll come away with a newfound understanding of:

  • The latest approaches to threat response
  • How to secure business operations
  • How to balance cybersecurity and privacy
  • Big data's implications for security analytics
  • And more.
Showing 1 - 5 of 15 results.
Items per Page 5
of 3

Register Now - Need link