Cyberterrorism and cyberwar are clearly real risks, but understanding the problem is not enough. The next logical question focuses on how we can defend ourselves against these threats. This question needs to be tackled on two levels. The first is how we deal with these issues as a nation that fully participates in global commerce and has its share of both friends and enemies. The second level focuses on what we can do as companies (or as individuals within those companies) that could be impacted by an attack that either targets us or takes us down as collateral damage.
There are many different perspectives on the appropriate response, especially when pondering the cyberwar threat at a national level, but a number of common themes have emerged.
While beefing up the presence of security technologies may seem to be abundantly obvious, bear in mind that some of the environments, such as some of the SCADA (Supervisory Control And Data Acquisition) infrastructure, have fallen woefully short of effective security. In some cases this is because the systems themselves were installed before digital security was a pressing issue. We specify "digital" security here because physical security would have been the top concern in the early days.
But enhancing digital security is not inexpensive and economic resources remain scarce; skeptics consistently remind decision-makers that such costs can be deferred because most of these threats have not yet come home to roost. Nonetheless, the reality of the threat, combined with the insidiousness of the potential impacts, is more than enough to drive most people to action.
"We need to make it a very high national priority to make sure that the systems used in utilities, as well as in the military, hospitals and in the energy sector are as safe as we can make them, regardless of whether they are Internet-facing," said Andrew Jaquith, chief technology officer at Milford, Conn.-based Perimeter E-Security. "We need to make sure the code on those devices has been fully tested, and that we do a good job of finding any flaws and fixing them before [the devices] are released, not after."
The costs associated with taking such action would be in the millions, if not billions, of dollars. But they truly dwarf the social and economic costs of waiting until tragedy strikes. Nonetheless, in a business culture focused on quarterly reports, this case is sometimes difficult to make.
"Companies undoubtedly need to set aside more resources for cybersecurity," said Harry Sverdlove, CTO of Bit9, a Waltham, Mass.-based company that specializes in guarding against advanced persistent threats. "There needs to be a sea change upgrade in these systems and the software that we use to secure them. People may not like the cost, but these threats are company-killers. If your company is taken out through an attack, you could easily end up out of business. And to the extent that their infrastructure is about public utilities, that level of responsibility is higher than business priorities."
Sverdlove recommends that companies begin by mapping out their risk landscape: Where are they vulnerable? What kinds of attacks should they expect, and how should they expect them to be delivered? Is the likely actor a competitor, a rogue state or someone else? Don't forget that the threat could also come from within.
"You look at all the places where the threat is likely to occur and then for each one of those you plan a security strategy that is appropriate to the circumstances," he said. "You can employ different levels of authentication or a trust-based approach. Watch out for vulnerabilities coming from contractors with laptops and other gear that you don't control. Those are often the first systems to be compromised. Some of them won't even know that they are compromised, so you will need to put in place adequate controls and monitoring to see what's going on. There are those who've been compromised and those who don't know they've been compromised. If you were attacked, would you even know that?"
Sverdlove's point about a trust-based approach makes sense to Paul Henry, security and forensic analyst at Lumension, a Scottsdale, Arizona-based endpoint security company.
"Go with a positive model of security," he advised. "That means you define what is allowed to execute in the environment after validating those applications and individuals. That's in contrast to what we do today, which is a negative security model. We try to block everything that could potentially be bad that comes in over the Internet connection, but the threats are evolving too rapidly for that approach to be effective."
Henry points to antivirus as a technology that provides a false sense of security. "There are more than 78,500,000 unique instances of malware floating around out there, according to avtest.org," he said. "How in the world is anyone going to keep up with the signatures to inspect that large of a database? Yet AV is typically mandated in order to meet regulatory requirements."
Although Henry stopped short of saying that antivirus should be discontinued, he sees whitelisting -- a technology his company provides -- as a much more formidable alternative.
"In a whitelisting environment, you have to approve a given piece of software, or even a script, to run in your environment," he said. "Beyond that, you also have to validate that nothing is changed with that piece of software. In other words, the signature needs to be trustworthy. If you've established that, then malware is not allowed to run. It's more work to deploy this strategy. The administrative burden is a lot higher than just turning on antivirus. But the level of security that you get from it is so much improved. Instead, we all too frequently rely on outmoded technologies because they are considered best practices."
Whitelisting has its place, according to Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, a Russian-based security company. But he believes it's a long way from being the proverbial silver bullet. "In many cases, a whitelisting solution makes a lot more sense. But during recon [reconnaissance], the attackers are going to be looking for whitelisting, and if so, they will try to bypass the whitelisting software. The industry is working on new options all the time but nothing is going to be perfect."
SEGREGATE SENSITIVE SYSTEMS
However, a step that will go a long way in protecting critical infrastructure is keeping sensitive systems separated from the corporate network, Schouwenberg said. Connecting systems to a network can vastly increase the efficiency of operation and maintenance, but also opens the door to various forms of intrusion. In the context of critical infrastructure security, Schouwenberg believes this type of efficiency is a luxury we can no longer afford.
"In most circumstances, the industrial control network and the corporate network should be completely segregated," he said. "But if they were to truly air gap these systems, productivity would clearly decline because people on the corporate network typically like to be able to access the industrial control network."
He cited the Duqu worm as an example of malware that tried to exploit the connection between sensitive industrial systems and the corporate network. Discovered in September 2011, Duqu is a computer worm that appears to be designed to gather information on industrial control systems and facilitate attacks against them. A presumed cousin of Stuxnet, Duqu can also pose a threat to any other type of computer network.
WATCH OUT FOR THE QUIET ATTACKS
ESET security researcher Cameron Camp advises channel partners and IT administrators to "watch for the low and slow," as he describes it.
"If you're looking for a guy running through your front door with a club in his hand, you can wait a long time," he explained. "What you're actually looking for is something analogous to a guy walking around your house tapping on one window at a time every day for a week. Sophisticated attackers are not going to make a lot of noise, ever. It is difficult to know when they are there. It's difficult to know how long they are around, and it is difficult to know what information they have access to, and if they are covering their tracks."
Cameron relates the story of a DDoS attack involving a bank that was hit by massive amounts of traffic in an apparent attempt to bring the network to its knees. But while the network defense team was focused on that situation, "the real attack came into the side door when everybody was looking in a different direction," he said.
"You really have to get inside the mind of the attacker and understand what it is that they are after," Camp explained. "They're going to do discovery on your network, so you're looking for uncharacteristic exfiltration -- especially if that exfiltration peaks during nonbusiness hours that are probably business hours in the country to which the data is going."
REINFORCE THE PUBLIC/PRIVATE PARTNERSHIP
There is much to be said for cooperation between governments, corporations and various other organizations that can add value to security discussions, but that's often easier said than done. Companies usually are reluctant to share information on security breaches. Governments have to walk a fine line between overreacting by creating arduous requirements and underreacting by depending on pure market forces to save the day. Think tanks and similar organizations frequently lack the informational resources or are beholden to political institutions.
"It is highly unlikely that we are going to get organizations to tell us about breaches in a timely fashion because of the impact on stock price, reputation and customer confidence," said Steve Durbin, global executive vice president of the Information Security Forum, which was established 23 years ago as a nonprofit organization through which companies could study security-related issues. "So unless there is some fairly stiff regulation around an element, we're never going to get to the bottom of that. And I think that's one of the areas where the government should take a very hard line."
But government taking a hard line does not sit well with Jody Westby, CEO and founder of Global Cyber Risk, a Washington, D.C.-based consultancy. She prefers much more carrot than stick.
"They need to incentivize businesses to make them willing to do more," she said, adding that the opponents are formidable ones. "There are too many criminals out there who have analyzed the legal framework very well. They know which jurisdictions don't have good laws. They know where there is not skilled law enforcement. They know where cooperation is nonexistent. They know where this is not a priority. They know where there are no laws at all. The cybercriminals are taking advantage of the situation and they are winning."
Westby said standards bodies such as ISO (International Organization for Standardization), ITIL (Information Technology Infrastructure Library) and NIST (National Institute of Standards and Technology) do a good job of analyzing current threats and coming up with responses. She recommends that all such responses come in the form of guidelines rather than hard-and-fast rules. "Whenever the government comes up with specific policies, [it] just feeds a whole blueprint to the criminal world," she said. "It tells them what they need to work around."
But Lumension's Henry believes the standards bodies have become less effective in recent years, and that much of that decline is due to tightened budgets supporting those organizations.
"In the last decade the quality has slipped dramatically," he said. "If you go back 10 years ago, you could go to NIST and download a very up-to-date hardening guide for using Windows, for example. As the economy slipped, the relevancy and the timeliness of that information has really gone out the window."
Meanwhile, the discussion continues around potential legislation that can deliver some sort of mandate around the protection of critical public infrastructure.
"At minimum, the legislation needs to set the bar," said Bit9's Sverdlove. "We have to find ways to respect privacy and establish the proper level of authority for management. Without a 9/11-type wake-up call, I don't think companies are going to react as quickly as they need to react. And the average person doesn't realize that when they turn on the faucet, pick up the phone or buy gas at the local service station, there are a whole lot of computers involved in making that happen, and many of those computers are highly vulnerable."
Protecting the nation, and protecting your company and clients from cyberterrorism and cyberwar is a unique initiative. On one hand, it has all the complexity and urgency of military defense. On the other hand, it reinforces the need to think locally, and shore up defenses in even some of the most routine ways. Pulling together a workable partnership that involves the government, the business sector and myriad groups of technology experts will not be easy, especially in the current political climate. But one can reasonably say -- without stretching the truth -- that our well-being, and even our lives, depend upon our ability to pull together for this task.
"I think cyberterrorism is a very real and present threat because it only takes one person to do it," said Bit9's Sverdlove. "One person with a laptop and an ax to grind can do more damage than one single person has been able to do in the past. We can't control them all, and there will always be enemies."
The risk is similar for the cyberwar threat.
"The true test will come when we enter the next geopolitical struggle, which will surely involve cyber [capabilities]," added Kaspersky's Schouwenberg. "There's a lot of talk about cyber right now, but only then will we see where everything stands."
PUBLISHED NOV. 13, 2012