A number of recent industry articles have caught our attention, all highlighting the serious inadequacies of current security approaches and underscoring the need for fundamental, far-reaching changes. Here are a few of our must-reads for the week:
Unlike many cyber attacks, which hit their victims more or less at random, the instigators of APTs carefully choose their targets, with defense contractors and financial firms as prime examples, and wait patiently for just the right moment to strike, writes Ben Worthen of the Wall Street Journal.
Dissecting an APT makes clear that the attacker moves through a series of phases before making off with valuable intellectual property and other business-critical information, and in many cases keeps exfiltrating that information over an extended period.
The bad guys are good – really good, in fact – and it’s virtually impossible to stop every APT. But there are ways to minimize the risks. Worthen explains that when it comes to APTs, a perimeter-centric security model simply won’t work. He also notes that although APTs are extremely stealthy, they still leave tracks. “While it is hard to detect an APT, it is comparatively easy to find out how and when an attack occurred after it has been identified,” writes Worthen.
But the question remains: what about those attacks that can’t be recognized and identified?
Last week, the FBI executive assistant director and top “cyber cop” Shawn Henry offered a sobering view of our nation’s current ability to keep cyber attackers at bay. “We’re not winning,” he said in one of his final interviews before resigning after more than two decades with the bureau. His comments come as Congress reviews two competing plans to help protect critical U.S. infrastructure.
According to the Wall Street Journal report, too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking or the costs they may have already suffered unknowingly by operating vulnerable networks.
“I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,” Henry said.
“We've been playing defense for a long time… You can only build a fence so high, and what we've found is that the offense outpaces the defense, and the offense is better than the defense,” he argued. A new approach to cyber security – from technology to processes to people – is absolutely critical.
Richard Clarke, who served three U.S. presidents as counterterrorism czar, has an urgent message for our nation: we are defenseless against today’s advanced cyber attacks that could easily bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system. In a sobering interview with Ron Rosenbaum of Smithsonian, Clarke paints a bleak picture – a nation totally vulnerable to cyber attacks that is primed to conduct an offensive cyber war without having any defensive plan of action in place.
In this riveting Q&A, Clarke shares his personal belief that the U.S. is already pursuing an aggressive offensive strategy, pointing to the infamous Stuxnet worm: he boldly opines that the United States government was responsible for the Stuxnet attack.
Clarke is quoted as saying, “My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China… After a while you can’t compete.”