Ken Pappas is an industry expert in network cyber threats and a global speaker on network security. With the continued rise in cyber crime, Ken provides industry insight into how cyber criminals are making their way into corporate networks worldwide. Recognized as one of the leading experts in cyber threats, Ken is called upon by industry analysts and media to provide commentary on various industry breaches. The views and comments posted in my blog are personal views and not those of any employer.
Ken Pappas was interviewed by Enterprise Systems Journal and asked a series of questions regarding new cyber threats and how security managers can stay ahead of it all. Here is the Q & A discussion that we had.
Where should IT focus its attention in protecting network assets, what investments offer the best return, and how can IT avoid common mistakes when developing its security strategy?
With IT budgets under pressure, it's difficult to adopt innovative security solutions. We look at where IT should focus its attention, where to make investments, and how to avoid the biggest mistakes IT often makes in developing its security strategy.
For insight and perspective, we turned to Ken Pappas, President and security strategist at True North Security, www.TrueNorthSecurity.com
Enterprise Strategies: Thus far in 2009, we’ve seen the outbreak of the Conficker worm, continued attacks on Web sites (particularly social networks), and continued network breaches across industries. What do you each see as the top threats to network security for the remainder of the year?
Ken Pappas: More of the same, but more creative and stealthier. Hackers are bright people; they study human behavior and adapt to it. You will see more IP-enabled devices that hackers will attempt to break into, not just for data theft but also to disrupt our quality of life.
A recent study from Verizon Business found that more electronic records were breached in 2008 than in the previous four years combined, yet new stimulus legislation is pushing health care organizations to upgrade their medical records to electronic form. How will this affect the security of the health care industry and specifically of the medical records? Won't this result in increased hacking against hospitals and medical offices?
The finding of more records breached I feel is false. Laws today require companies to disclose breaches; in the past, this was not the case. Nobody knows for sure how many records earlier were breached because nobody was counting. Today our laws mandate they be disclosed, and keep in mind not all records breached need to be disclosed. You need to be over a certain threshold as I understand it.
Will the movement to electronic health-care records increase the likelihood of a record breach? Sure. New regulations are requiring that any network that is connected to or accessing health-care facilities must also have the same level of security within its network. This is a step beyond what we previously had. Although I feel we are on the right track, we are not out of the woods on electronic record breaches. They will still occur.
We’ve seen increased attention geared toward the utilities industry and the new Smart Grid. What are some of the potential outcomes threats pose and how does this affect the larger scheme of things -- power outages, government regulations?
I can tell you that the reports of power facilities being breached are news that happened a while ago and that our power grids and the networks today running them are very different. I can’t say more, but I am confident that we are not going to see any major widespread power outages in our future. New government regulations have changed the way our power suppliers run and manage their networks, and we have a lot of smart people managing them.
Threats are coming at IT from all directions.
Yes, they are. An argument exists today around inside versus outside threats. Where are most of the threats coming from? Who cares! The fact of the matter is that threats originate both internally and externally. Security needs to address both.
What should IT's strategy be to stay ahead of hackers' next moves and combat all these different entry points, especially given that IT budgets are under extreme pressure lately?
It’s difficult to adopt innovative security solutions when your IT budget is under pressure or when regulations and even your business partners are demanding you have viable security technology in your network.
We understand that older firewall and first-generation IPS [intrusion prevention system] technologies will not protect your networks from tomorrow’s threats. You need to stay current with the newer technologies that are being made available to protect you from tomorrow's threats today.
Where should IT focus its attention, and what tools are "nice to haves"?
I must admit, IT has a tough job and security needs to be considered at all points in the network, tethered and un-tethered. The "end point" is a blur to many of us. Many devices today connect and access data on our corporate networks. Cell/smart phones are part of the network and IT must consider security in any device to protect its network and its data. Although IPS has been around for about seven years, it surprises me that so many enterprise companies either don’t have one or are still using IDS [intrusion detection system] for security. I honestly can’t talk about any security device or technology that I would consider a "nice to have." That decision needs to be made by the CSO in the organization.
IT has been struggling having to manage a variety of security tools and technologies, but it is tough (if not impossible) to integrate these tools. Can you suggest a few best practices, along with a tangible real-world example, of how organizations can successfully integrate these elements to improve security and effectively maximize their investments?
I could not agree more. I have seen a lot of smart security solutions on the market, but they are all stove-piped and none is sharing the information or learning from one another. I think sharing information is the direction we need to move. The industry needs a Security Eco-System, which is a group of vendors willing to share their logs, alerts and other vital information with other security platforms in an open format so that one security appliance can learn what another security appliance just learned and possibly take action.
How can IT know it's getting the most for its money or has made the right investments? Is it possible to over-invest in security?
It’s always possible to over-invest in security the same way it’s possible to over-invest in a car or personal insurance. It boils down to what you are comfortable with and what "risk-avoidance" level you are willing to accept. You can also under-invest and leave yourself open to attacks, business disruption and possible fines.
What are the biggest mistakes IT makes in developing its security strategy?
The biggest mistake I believe IT makes is looking at what it presently has in its networks rather than first identifying what it is trying to protect, then going back and determining if what it presently has in its network for security provides the best level of protection. Back in the early 2000s, the big challenge networks were facing was DDoS [distributed denial of service] attacks. Enterprises went out and bought DDoS appliances. Some companies today still believe their networks are protected because they have this DDoS appliance when, in fact, many new threats have entered the market that a DDoS appliance doesn't guard against.
Another area I see within enterprises is their security policy and when it gets reviewed. When I am invited to deliver a security presentation, I ask the audience: “When do you update or review your security policy?” Some say annually, others say quarterly. I tell them that’s the wrong approach and that a security policy needs to be reviewed when they read the media about a breach and ask “Can this happen to us? Are we protected? Do we need to modify our policy?”
The other approach is to watch for new products or technologies entering the market. Ask yourself, “Does our current security policy cover this? Will this introduce new threats or ways to gain access that we have not addressed?” This is why assigning a date to reviewing your security policy will not work in today’s market.
What best practices can you suggest to avoid these mistakes?
Talk to your peers in the industry. Get educated on what technologies are working and are not. Firewalls were good in their day, but let’s face it -- the hackers have figured it all out and now viruses, Trojans, and malicious content are just flowing in. You need more than firewalls today. If you don’t have a security specialist on staff, hire one. The days of anointing someone who has worked in IT and whom you now consider your security expert are over.
I’ve spent time with a number of very intelligent IT staff individuals, and I frequently ask: “How do you know you have not been breached?” These individuals have a false sense of network and data security, relying on a firewall, IDS, or older IPS they may have. Since none of these devices has picked up any malicious content, they think they are covered.
I would caution all IT: don’t get comfortable with what you have. Take a look at newer, innovative technology and refresh your security as often and as cost effectively as you can. We know costs are important, and we know that IT’s mantra is (or should be) “Protect Corporate Assets and Data,” but that's a difficult and daunting task when funding is limited. IT should also not be lulled into thinking it is protected just because it may have received PCI compliance and certification. Look what happened to Hannaford Food Chain! IT needs to be diligent with data security, educating CxO-level management to understand the risk levels if technology is not adopted or implemented in their enterprise.
That was the end of the interview. We at True North Security can assist you with your security challenges. Drop us an email to start building a secure network for tomorrow's threats today at info@truenorthsecurity.com
First of all, what should be the most important initiatives the Cyber Command should look to accomplish by this Fall?
I feel the most difficult thing to achieve is not the security but rather gaining the support and trust of all agencies that will be affected by this. I would aim to first win the support of all agencies and have them become stakeholders in the plan, execution, monitoring and success of the new command.
Do we feel that the Government's overall cyber security plan is becoming fractured with all of the different agencies (and leaders) with disparate goals or is there harmony between all of the moving pieces?
Hey it's our government of course! If this is how it's starting out then each agency is going to have its own mini cyber command and disparate systems once more. This is common within US govt agencies. One of the good things that comes out of this however is that the hackers cannot use the same tactics to gain access to ALL agencies. So following a 'standard' for all agencies might not be a bad strategy.
In the end of it all what should be the most important element to the success of Cyber Command? Funding? Clear vision? Resources? People?
I think they are all important, but the priority and sequence is most important. First, selecting the right people to undertake this task should come before anything else. Then comes the vision, then a strategy for how to execute, then funding.
"Cyber attacks" has been a subject brought up with the Cyber Command and also by the UK's cyber security head; do we think this should be a prominent and public goal of any government cyber initiative?
Duh, what is the goal? I don't think anyone has figured this out yet. Hence a vision needs to be made and bought into. What are we protecting and from whom? Does data loss not fall under cyber attack? Is the Cyber Command so short-minded that they are only thinking of bad guys from the outside? Maybe I am needed in Washington. Obama, please call me ;-)
And where and what is the most pertinent cyber threat to the United States today?
Depends if you are asking about the ones we hear about or the ones they don't want us to know about. I've presented at many different forums around the world, and my biggest fear is not that a hacker or someone with computer skills is going to steal data; it's those individuals that can possibly come together, target a country, and take down its infrastructure that we have become so dependent on.
The DoD Cyber Command is something I truly believe needs to come together, and I am glad that we have a President that is thinking ahead on this threat.