Any CIO who lets his guard down going into 2012 will be making a huge mistake. The threat landscape is changing. The actors are varied in their trade and are more creative than ever. According to Richard Clarke, author of the newly released book Cyber War and former White House adviser to the Bush and Clinton administrations, the new face of cyber crime and the ramifications of impending government legislation will significantly impact how CIOs position their enterprise security programs.
Clarke has 19 years of experience in the Pentagon, the White House, and the State Department. In a recent industry vendor-hosted webinar, he called 2011 “The Year of the Breach.”
Stories of attacks inundate the news. They end up being tossed into the media blender, revved up like Saturday Night Live’s Super Bass-O-Matic, and spit out like they’re all one type of attack or from one attacker. Clarke points out, “They’re not the same. It’s not all big, bad China, all 1.3 billion Chinese attacking us. It’s important to distinguish among the actors and attacks. You can’t respond in a generalized way to the ‘Year of the Hack.’ You must respond to the specifics of who’s attacking and how you’re being attacked.”
Clarke has come up with yet another acronym, CHEW, to describe the four preeminent types of attacks as he sees them. It stands for Crime, Hacktivism, Espionage, and potentially, War.
It used to be that crime centered around stealing credit card numbers. Now they’re hacking into companies and taking over Accounts Payable. In the Coreflood botnet case, criminals were cutting checks to themselves at offshore banks in the Caymans from medium-sized enterprises for $150,000 and up.
That’s just the most visible example. According to the U.S. Treasury, cyber crime accounts for more revenue than international cartel drug income. Estimated income for cyber criminals runs in the hundreds of billions per year.
Examples of hacktivism include WikiLeaks and political protests that exploit Web application vulnerabilities such as SQL injection and directory traversal. Instead of being money-making endeavors, these have political overtones. They’re meant to politically embarrass corporations.
“Espionage doesn’t get the attention it should,” says Clarke. U.S. intelligence communities recently released a document outlining the extent of corporate espionage. He says, “It goes beyond governments spying on governments. It includes people hacking their way into corporations and stealing anything of value such as software code, customer lists, and formulas. It’s hard, if not impossible, to be competitive if every time a company develops something it is stolen by some overseas criminal and then brought to market faster than the rightful owner can release it.”
Theft of this nature has developed over time. Incident response firms inevitably find evidence of long-standing penetration during their investigations. These are known as “advanced persistent” threats because they have been lurking in the corporate IT infrastructure for a long time before they are discovered.
“Traditional ways of thwarting these attacks like IDS, IPS, AV, token, and certificate authorities are no longer working because the criminals are going after these defense systems. Much of their access is coming through software vulnerabilities," says Clarke.
War is debatable (though the “W” helps make the acronym easier to remember). Clarke admits he’s been accused of hyping it but defends his position by saying that U.S. Defense Secretary Leon Panetta shares his view. Panetta recently revealed that 20 to 30 countries, including the U.S., have formed cyber war units. The Pentagon said that it had established a huge new organization called the Cyber Command comprised of Army, Navy, and Air Force components designed to attack offensively. DARPA is also spending resources developing offensive tools.
Government is waking up to the threats even though it has been slow to smell the coffee. According to Clarke, no legislation has been passed to date, although Congress has conducted hearings into the activities ad nauseam. In November 2011, the Senate majority leader announced that the legislation would be debated in late January 2012. Republicans are not terribly interested in passing something that contains new governmental mandates.
Importantly, the SEC recently said that if a publicly traded company has been breached in a way that might materially affect the value of its stock it must disclose this publicly. This is a game-changer because it now puts the responsibility of overall security of a corporation’s business squarely in the laps of CIOs.
Think that’s an outside chance? “Every major company has been hit even though they have spent millions of dollars on traditional protection,” says Clarke. He stresses that criminals end up getting in through applications, including third-party applications. CIOs must begin insisting that applications are tested as thoroughly as their security infrastructure.
The day may come when a CIO could be fired as easily for not thoroughly testing and securing their applications as they would be today for not running a firewall, a current anti-virus utility, or operating system backups.