
Threats, Lies and Videotape – a Few Days at the RSA Conference

Posted by John Reno in Main

I spent the last few days at the RSA conference in San Francisco. I’ve been attending for many years now and there seems to be a growing discontinuity between what’s being presented in the sessions (and the discussions following) and the stories pitched on the expo floor.

One theme echoed throughout many vendor booths: “we’ve got the latest technology to stop APT threats in their tracks”. Not only is “APT threats” redundant (the T already stands for threat), but by definition you can’t make a threat go away with technology, or with anything else short of changing the motivation of that class of attackers. Perhaps some psychological software is in order. Barring that, strong security processes, well-thought-out policies and consistent enforcement go a long way towards encouraging attackers to seek out easier targets.

Cloud security was another consistent topic on everybody’s mind. I heard many comments from enterprise security types along the lines of “we’ve been doing cloud computing for years, it’s just the name that’s new”. To a certain extent a contest seemed to be emerging: my MVS “cloud” solution in the ’70s was better than your VAX deployment in the early ’80s. My opinion is that the economic model the cloud offers (public, private or both) puts new pressure on enterprise security practices and risk management programs (or the lack thereof).

A clear example of this is data classification. It’s hard to do well and consistently, so many enterprises ignored it while they could simply layer on technology in their own data centers. But when you are deciding what data to move into the cloud, a clear approach to information classification is what drives the policy decisions and their enforcement. The other big risk that didn’t get enough airtime was the legal one. I suppose that’s to be expected at RSA though. My personal guidance on taking advantage of the cloud is that you should not only have a plan for moving there, but an equally strong plan for moving back again (or to another provider).

I did appreciate the viewpoints from many different stakeholders. Enterprises, tool providers, security vendors and the government were all well represented.

Advanced persistent threats – how organizations can keep pace with the growing sophistication of cyber crime

Posted by John Reno in Main

Threats posed by cyber crime have increased dramatically in the past year. Yesterday the Washington Post reported that Google has enlisted the help of the NSA to combat attacks directed at it and other U.S. corporations. While this is sure to raise privacy concerns in the user community, it is more importantly a visible indicator that cooperation is one of the more important factors in combating cyber crime. In fact, in the last 6-12 months an informal network of cooperation has grown rapidly among the business and IT leadership of major corporations, simply to get a handle on how to respond to and manage risk in this highly dangerous threat environment. Let’s look at some of the more important ways to manage in this environment and deal with these classes of attacks.

The current reality of cyber crime is that the threat environment has shifted from broad-based, hacker-oriented attacks that posed a primary risk to business availability to targeted operations aimed at specific corporations, at particular people in those organizations and at key business processes that hold high-value data such as strategic plans, source code, intellectual property and acquisition intentions. What should be done? I would recommend aggressive action in several areas:
• Risk management – identify the high-impact, high-probability risks to the business and focus technology and skilled personnel accordingly.
• Security awareness – the targets of these APT attacks are most often executive leadership; make sure they know they are likely to come under attack, and prepare a response plan.
• Industry cooperation – realize that these attacks are often state sponsored and backed by significant resources. There are many resources to draw on to exchange information on best practices, threats and vulnerabilities; a couple of examples are the IT Information Sharing and Analysis Center (IT-ISAC) and Cisco Systems’ Security Intelligence Center.
• Aggressive and appropriate defense – drive your security program based on the risk to your most important assets, monitor outbound and internal-to-internal communications for signs of data exfiltration and command-and-control traffic, and look for both network- and host-based indicators of compromise.
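As an added example that is not part of the original post, the following Python triages constructed flow records for the three things the last bullet asks you to watch for: near-periodic connections from an internal host to one external destination (a beaconing pattern typical of command-and-control), an unusually large outbound byte count from a single host (an exfiltration signal), and an internal host touching many other internal hosts (lateral movement). The record layout, the RFC 1918 definition of “internal”, the thresholds and the sample lines are all assumptions made for this example, not anything from the post.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample records (not real traffic). Assumed layout:
#   <epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>
# 10.1.2.15 beacons to 203.0.113.7 roughly every 300 s with small payloads
# and also probes four internal hosts on 445; 10.1.2.22 pushes 250 MiB out
# in one flow; 10.1.2.31 is ordinary browsing noise.
SAMPLE_FLOWS = """\
1265280000 10.1.2.15 203.0.113.7 443 512
1265280301 10.1.2.15 203.0.113.7 443 530
1265280599 10.1.2.15 203.0.113.7 443 498
1265280902 10.1.2.15 203.0.113.7 443 515
1265281198 10.1.2.15 203.0.113.7 443 507
1265280050 10.1.2.22 198.51.100.40 443 262144000
1265280010 10.1.2.31 192.0.2.10 80 20480
1265280400 10.1.2.31 192.0.2.77 443 51200
1265280900 10.1.2.31 192.0.2.10 80 9000
1265280100 10.1.2.15 10.1.5.9 445 4096
1265280105 10.1.2.15 10.1.5.10 445 4096
1265280110 10.1.2.15 10.1.5.11 445 4096
1265280115 10.1.2.15 10.1.5.12 445 4096
"""

# Assumption: "internal" means RFC 1918 space. (ipaddress' is_private is not
# used on purpose: it also treats the documentation ranges used in the sample
# as non-global, which would hide the external destinations.)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def beacon_candidates(flows, min_connections=4, max_cv=0.10):
    """Outbound (src, dst, port) tuples whose gaps between connections are
    nearly constant. Returns (key, mean_gap_seconds, coefficient_of_variation)."""
    times = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            times[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m          # low cv = regular, timer-driven traffic
        if cv < max_cv:
            hits.append((key, round(m), round(cv, 3)))
    return hits


def exfil_candidates(flows, byte_threshold=100 * 1024 * 1024):
    """Internal sources whose total bytes to external hosts exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return sorted((src, n) for src, n in totals.items() if n > byte_threshold)


def lateral_fanout(flows, min_targets=3):
    """Internal sources contacting at least min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            targets[f["src"]].add(f["dst"])
    return sorted((src, len(t)) for src, t in targets.items()
                  if len(t) >= min_targets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, gap, cv in beacon_candidates(flows):
        print("beacon-like: %s -> %s:%d every ~%ds (cv=%.3f)" % (key + (gap, cv)))
    for src, n in exfil_candidates(flows):
        print("large outbound volume: %s sent %d bytes externally" % (src, n))
    for src, n in lateral_fanout(flows):
        print("lateral fan-out: %s touched %d internal hosts" % (src, n))
```

The thresholds are deliberately crude. In practice the outbound-byte check should be measured against each host’s own baseline rather than a fixed number, and beaconing detection has to tolerate deliberate jitter (raise max_cv, or look at the shape of the interval distribution rather than a single coefficient of variation). The point is that all three checks need only flow data most networks already collect; none of them requires payload inspection.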

Related article: Worse Than Useless and Some Thoughts on Cyber War