Cloud and mobile computing are pushing the IT landscape further away from the organization, and an emerging Internet of Things is expanding the surface area of a defensive front already riddled with holes. Any member of an organization is subject to social engineering attacks for which leadership will increasingly be held accountable before an unforgiving public. Today’s cybersecurity trends are evolving at an overwhelming pace, but it’s not a lost cause. The enemy is not an invincible genius — he’s smart and organized, and the key to winning is simply to beat him at his own game.
Here’s a look at some of the biggest trends and what they mean for security professionals, CIOs and government leaders.
The biggest trend in cybersecurity is that IT leaders are losing control of their technology. It’s a trend that obliterates how security has traditionally worked and it can’t be stopped, said John Pescatore, director of emerging security trends at the SANS Institute. There was a time when employees used nothing but vetted equipment and software, but pressure from staff members who want to bring their own devices to the office is changing that paradigm. What’s more, servers and storage that used to be locked up in agency data centers are quickly moving to the cloud. And security professionals are still trying to catch up.
The federal government embraced the evolving cloud and mobile landscape in 2010 when the Office of Management and Budget issued its groundbreaking “cloud-first” policy. Now initiatives like the Federal Risk and Authorization Management Program (FedRAMP) ensure there is governance around cloud security. State and local offices are following close behind, Pescatore said.
The change has been jarring for some agencies. Pescatore recalls watching then-U.S. CIO Steven VanRoekel describe to a room full of federal officials how the new technology paradigm worked at his former job with the FCC. When the agency needed to verify that wireless carriers were meeting their coverage mandates, the FCC released an RFP for coverage-tracking technology. But when vendor responses proposed multiyear, multimillion dollar contracts, the agency took a different tack.
“Instead, they paid $20,000 to develop an iPhone app, used their Twitter and Facebook feeds to publicize the app, and got the verification data they needed in months — not years — and for tens of thousands — not millions — of dollars,” Pescatore said. But the lesson was in how the room reacted to VanRoekel’s story.
“On one side of the room you had agencies like Census Bureau, Agriculture and many others that were cheering because of the potential for cost reductions and more agility,” he explained. “On the other side, you had the DISAs [Defense Information Systems Agency] and intelligence agencies aghast that such a lightweight, uncontrolled process was used. It was nearly identical to 20 years ago when the Internet first hit business.”
Oversimplification: “You’ll hear people say, ‘Security is really a *blank* problem,’ like, ‘it’s really a people problem.’ Well, so are gambling and alcoholism and so is crime. If you could just get people to stop committing crime, there would be no crime,” said John Pescatore of the SANS Institute. “Nobody ever says, ‘When will bank robberies be over?’” The best people can hope to do is eliminate vulnerabilities, he said. “If people lock their car doors, car theft goes down.”
Attackers are invincible: McAfee’s Scott Montgomery said news coverage — and some industry advertising — dwells on data breaches instead of security successes, creating a false portrayal of the enemy. “Our adversaries and criminals are not omnipotent,” he said. “They don’t have more resources than we do. They aren’t evil geniuses. They’re very, very careful project managers. They manage their projects the same way we do. It’s not like they went to different Ph.D. programs than everybody else. Their responsibilities are easier, therefore they’re able to generate more success.”
Misunderstanding defense in depth: “Many times organizations are using technologies that all use the same defensive approach. So for example, maybe you’ve got a firewall, you’ve got an IDS [intrusion detection system] and you’ve got anti-virus. All three of those use the same fundamental principles to do their job: static rules for policy or detection. It’s just that one’s on the edge, one’s in the middle and one’s on the endpoint,” said FireEye’s Dave Merkel. “Well, that’s not actually defense in depth because an attacker is going to use the same effort and technique to bypass all three of those, so you don’t really get any additive defensive capability in terms of seeing an attack you otherwise might miss.” Real defense in depth counts a firewall, IDS and anti-virus as one layer, and then adds a behavioral layer and maybe a data analytics layer, he said. “In each layer in that architecture, we’re using a fundamentally different approach, so the attacker has to use fundamentally different methods to not be detected by them and he has to use three different methods.”
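To make Merkel's point concrete, here is an added example (not code from the article, FireEye or any vendor it quotes) in which three static-rule controls, a firewall address list, an IDS content pattern and an anti-virus hash list, are run beside one behavioral control that looks only at process lineage. The two events, the indicator values and the "dropper" bytes are all constructed for this illustration; the "known sample" trips every control, while the same campaign re-tooled with a new address, an encoded command line and a recompiled dropper slips past all three static controls and is caught only by the behavioral one.

```python
"""Signature-only layers vs. a behavioral layer (added illustration).

Three "static rule" controls (firewall, IDS, anti-virus) each look for a
known artifact. The behavioral control looks at how the process came to
exist. All events and indicators below are constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    parent: str      # parent process image name
    process: str     # child process image name
    cmdline: str     # child command line
    dest_ip: str     # outbound connection made by the child ("" if none)
    binary: bytes    # bytes of the dropped/executed file


# --- Layer 1: three static-rule controls (same fundamental approach) ------
KNOWN_BAD_IPS = {"203.0.113.10"}                            # constructed, documentation range
IDS_PATTERNS = [re.compile(r"Invoke-Mimikatz", re.I)]       # constructed content signature
AV_HASHES = {hashlib.sha256(b"dropper-v1").hexdigest()}     # constructed "known sample" hash


def firewall(ev: Event) -> bool:
    return ev.dest_ip in KNOWN_BAD_IPS


def ids(ev: Event) -> bool:
    return any(p.search(ev.cmdline) for p in IDS_PATTERNS)


def antivirus(ev: Event) -> bool:
    return hashlib.sha256(ev.binary).hexdigest() in AV_HASHES


# --- Layer 2: behavioral control (different approach: process lineage) ----
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
ENCODED_PS = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def behavioral(ev: Event) -> bool:
    """An Office document spawning a shell that runs an encoded command or beacons out."""
    lineage = ev.parent.lower() in OFFICE and ev.process.lower() in SHELLS
    suspicious_action = bool(ENCODED_PS.search(ev.cmdline)) or ev.dest_ip != ""
    return lineage and suspicious_action


def evaluate(ev: Event) -> dict:
    """Run every control and report which ones fired."""
    return {
        "firewall": firewall(ev),
        "ids": ids(ev),
        "antivirus": antivirus(ev),
        "behavioral": behavioral(ev),
    }


def static_layer_fired(verdict: dict) -> bool:
    """True if any of the three signature-style controls fired."""
    return verdict["firewall"] or verdict["ids"] or verdict["antivirus"]


# Constructed samples: the known campaign, then the same campaign re-tooled
# (new C2 address, encoded command line, recompiled dropper).
KNOWN_SAMPLE = Event(
    host="hr-ws-07", parent="WINWORD.EXE", process="powershell.exe",
    cmdline="powershell.exe -nop -w hidden -c IEX(...);Invoke-Mimikatz",
    dest_ip="203.0.113.10", binary=b"dropper-v1",
)
RETOOLED_SAMPLE = Event(
    host="fin-ws-12", parent="WINWORD.EXE", process="powershell.exe",
    cmdline="powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA",
    dest_ip="198.51.100.23", binary=b"dropper-v2",
)

if __name__ == "__main__":
    for name, ev in (("known", KNOWN_SAMPLE), ("retooled", RETOOLED_SAMPLE)):
        print(name, evaluate(ev))
```

The three static controls fail together because they all key on attacker-controlled artifacts (an address, a string, a file hash) that cost the attacker nothing to change; the behavioral control keys on the parent/child relationship and the action taken, which the attacker must restructure the intrusion to avoid. That is the "fundamentally different method" Merkel describes, and it is the only reason the second layer adds coverage rather than redundancy.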
Like the Internet before them, cloud and mobility are genies that aren’t going back in the bottle — the business value is simply too compelling. And user attachment to mobile gadgets will drive growing acceptance of bring your own device policies.
But the new environment reshuffles the deck for security professionals — shifting the focus from prevention to response. Now organizations need plans and technologies that let them rapidly detect and react to threats that the vast IT landscape has made nearly impossible to stop. In February, Gartner analysts Neil MacDonald and Peter Firstbrook published a paper contending that by 2020, 60 percent of enterprise information security budgets will be allocated toward rapid detection and response approaches to cybersecurity. In 2014, that figure is less than 10 percent.
“The problem with most security technology today is that it assumes it’s going to win,” Firstbrook said. “It doesn’t tell you what it doesn’t know, and it assumes it’s always right. And in every major breach that we’ve seen, that’s obviously not been the case.”
Verizon’s 2014 Data Breach Investigations Report shows that it usually takes weeks for an organization to discover a breach, and increasingly, it’s a third party or law enforcement agency that informs the organization that a breach occurred. In many well-publicized breaches — like the one in South Carolina’s Department of Revenue in 2012 or Target’s breach last year — detection took much longer than it would have with a more comprehensive cyberstrategy. The flaw of today’s security technologies often is mirrored in the mindsets of security professionals — most organizations have no plan B, Firstbrook said.
Predicting and detecting attacks means shifting an organization’s security mindset from one of what Firstbrook calls “incident response,” to one of “continuous response.” The way that’s accomplished, he said, is by developing a security architecture that integrates prediction, prevention, detection and response.
New cybersecurity architecture requires new technologies, and they probably won’t be cheap. Firstbrook’s report predicts that 40 percent of enterprises will have security data warehouses by 2020, up from less than 5 percent today. Gaining faster response time through big data and mathematical analysis is the new frontier of cybersecurity.
“To do this right, you have to collect a huge amount of information,” Firstbrook said — end-point and network events can generate terabits of data daily. “To be useful, you’re going to have to build this database, or buy this database, that will be able to store at least six months’ worth of data so you can go back and see what happened in the past. And you can also apply what-if scenarios to the data.”
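The following added example (not Gartner's, Splunk's or the article's own code) shows the two ideas in this passage and the dwell-time point made earlier working together: events are kept in a store with a retention window, and when a new indicator is learned the store is searched backwards to answer the what-if question "who talked to this address, and since when?" The timeline, host names and the indicator address are constructed; the fixed "now" keeps the run deterministic. The same hunt is run against a 180-day store and a 30-day store to show how a short window both loses affected hosts and understates how long the attacker was present.

```python
"""Retrospective hunting over a retained event store (added illustration).

When a new indicator is learned, search the stored history for every host
that contacted it and compute dwell time (first contact to detection).
All events below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    dest_ip: str


class EventStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._events: List[NetEvent] = []

    def ingest(self, ev: NetEvent) -> None:
        self._events.append(ev)

    def prune(self, now: datetime) -> None:
        """Drop everything older than the retention window."""
        cutoff = now - self.retention
        self._events = [e for e in self._events if e.ts >= cutoff]

    def hunt(self, indicator_ip: str, now: datetime) -> Optional[dict]:
        """What-if: given a newly learned C2 address, who talked to it and since when?"""
        self.prune(now)
        hits = [e for e in self._events if e.dest_ip == indicator_ip]
        if not hits:
            return None
        first_seen = min(e.ts for e in hits)
        return {
            "hosts": sorted({e.host for e in hits}),
            "first_seen": first_seen,
            "dwell_days": (now - first_seen).days,
        }


# Constructed timeline relative to a fixed "now" so the example is deterministic.
NOW = datetime(2014, 9, 1)
C2 = "203.0.113.10"          # indicator learned today (constructed, documentation range)
SAMPLE_EVENTS = [
    NetEvent(NOW - timedelta(days=170), "hr-ws-07", C2),
    NetEvent(NOW - timedelta(days=95), "fin-ws-12", C2),
    NetEvent(NOW - timedelta(days=20), "fin-ws-12", C2),
    NetEvent(NOW - timedelta(days=10), "hr-ws-07", "198.51.100.23"),  # unrelated traffic
]


def hunt_with_retention(days: int) -> Optional[dict]:
    """Load the constructed events into a store with the given retention, then hunt."""
    store = EventStore(timedelta(days=days))
    for ev in sorted(SAMPLE_EVENTS, key=lambda e: e.ts):
        store.ingest(ev)
    return store.hunt(C2, NOW)


if __name__ == "__main__":
    print("180-day store:", hunt_with_retention(180))
    print(" 30-day store:", hunt_with_retention(30))
```

With six months of history the hunt attributes the intrusion to both workstations and dates it to 170 days before detection; with one month of history the same query sees only the most recent beacon from one host and reports a dwell time of 20 days, so the scope of the incident and the length of the exposure are both understated. That is why Firstbrook's "at least six months" matters: the retention window has to exceed the typical time to discovery reported in the Verizon data, or the historical question cannot be answered.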
Most state and local governments will struggle to find the funds and talent to do this themselves, Firstbrook said, but as Target and others have learned, refusing to adapt is more costly than investing in a flexible new approach.
As cloud and mobile technologies push the defensive front away from home, a growing number of Internet-connected devices expand the battlefield. According to the International Data Corp. (IDC), the Internet of Things is expanding at a compound annual growth rate of 17.5 percent. If IDC is right, there will be 100 billion devices on the Internet by 2020, each one representing a possible route of attack.
Hacking a network via a microwave oven or through a smart light bulb isn’t just paranoia. White hat hackers are already demonstrating that such vulnerabilities aren’t being thoroughly considered by manufacturers.
“Most folks don’t know a lot about Internet security, but the more things we throw onto the live Internet, the more we’re going to have these problems,” said McAfee’s Scott Montgomery. “The challenge is that there’s no standard, there’s no oversight, there’s no regulation, there’s no certifications, there’s no accreditation.”
Standardization efforts are under way, but there are too many factions, he said. Dell, Intel, Samsung, Broadcom and others formed the Open Interconnect Consortium with the aim of bringing interoperability and scalability to the Internet of Things device industry. Meanwhile, the Medical Device Innovation, Safety and Security Consortium is working on guidelines to protect patients with wirelessly connected pacemakers and insulin pumps.
“I’m not suggesting that one set of standards would cover everyone, but I do believe there is an 80/20 rule, where 80 percent of what’s good for the goose is good for the gander, 80 percent of the time, for 80 percent of the applications,” Montgomery said.
With or without standards, security professionals will need to defend against attacks. To do that, they’ll need to think as creatively as attackers, said Mark Seward, senior director of public sector at operational intelligence firm Splunk.
“The solution is to be able to hire people who have an imagination,” he said. “That’s something I find lacking in customers in general, not specific to any particular segment.” The thing that makes organizations weak is that they depend on vendors to tell them what to do, rather than thinking beyond which product they want to purchase, Seward said.
“If everyone would simply open their eyes and use their imagination a bit more about how the service they have can be used to take advantage of their particular system, I think they’d be better off, and that’s something that’s hard to teach,” said Seward.
Attacks that sound outlandish happen, he said, because it was the attackers who were creative and imaginative enough to think of them first. Opportunities for creativity and imagination will grow along with the Internet of Things.
Is FirstNet Secure?
Could the planned nationwide communications network for public safety agencies also become a conduit for new forms of cyberattack? Some security experts worry that it might.
The First Responder Network Authority’s (FirstNet) system is being designed to allow communication across agencies and jurisdictions, and to let first responders integrate modern apps and devices into their operations. The network’s everyday users will be the National Guard, firefighters, police and emergency medical technicians, most of whom are not security experts. And that could lead to vulnerabilities, said McAfee’s Scott Montgomery.
He notes that disasters attract opportunistic crooks who take advantage of victims. In the wake of Hurricane Sandy, scammers created fake charity websites, posed as repair men and Social Security agents, and stole property, vehicles and identities. These attacks have become more effective thanks to today’s growing network of devices controlled by non-experts.
“In my information security background, paranoia, suspicion runs rampant,” Montgomery said. “My concern is that attackers will utilize this when there is a significant event. Whenever there’s a tragedy, I see FirstNet networks potentially being really good vectors for this kind of thing, because what will FirstNet be used for? Mudslides, wildfires, earthquakes, tornadoes, hurricanes — a whole range of multistate and national catastrophes.”
But FirstNet Deputy General Manager T.J. Kennedy said the organization’s top priorities are making the network resilient, available and secure. A draft RFP for the network is scheduled for release in early 2015. There also are plans, Kennedy said, to create a security operations center that constantly monitors for threats.
“Security will be designed into all of our radio access networks,” he said. “It will also be designed into our evolved packet core. It will be designed into our service platforms as well as any devices that use the network, so we’re looking at it pretty holistically.”
Mobile technologies and an expanding Internet of Things are making everyone and everything a network gatekeeper. The burden of protecting organizational infrastructure that was once left to experts is now in the hands of every secretary, firefighter or clerk with a smartphone. A security architecture designed to handle failures in attack prevention ameliorates the technology problem, but patching holes in an employee’s brain might be a problem without a solution, and is one for which management ultimately will be held responsible.
One of the fastest-spreading malware attacks in recent history was enabled by unsuspecting users who opened an email promising information about a storm that was ravaging Europe. The Storm Worm, discovered in early 2007, piggybacked on a storm that smashed buildings and power pylons, shut down Germany’s railway system, and killed 47 people across Europe. The worm originated in emails with the subject line “230 dead as storm batters Europe.” People opened the emails amid the chaos, and the worm quickly accounted for 8 percent of all malware infections globally.
Attacks that capitalize on social events are made more effective by today’s growing network of devices controlled by non-experts. Hurricane Sandy left a trail of destruction in 2012, and also forged a path for opportunistic crooks to take advantage of the event’s many victims through avenues like fake charity websites.
As organizations of all types spread their infrastructure across more entry points and outside vendors, it’s critical that leadership does its due diligence — and leaders increasingly are being held accountable for security lapses.
“I think there is a reasonable expectation that when you share your data, no matter who that is with, if there is personal information involved, you should, as a user of a service, understand how that information is going to be used and how that data is retained, stored and destroyed,” said Jayne Friedland Holland, chief security officer and associate general counsel for e-government provider NIC. “The new reality is that you have an obligation to protect that data.”
The 2013 Target breach that compromised millions of credit card numbers and personal records put cybersecurity in the public spotlight. Once initial confusion subsided, people wanted to know why Target didn’t have a chief information security officer on its payroll and why security wasn’t a primary focus of executive leadership. The public felt its trust had been betrayed.
Target CEO Gregg Steinhafel resigned in May, and there have also been calls for the company’s board members to be held legally accountable for the breach.
Holland said there’s a huge reputational risk in not protecting data. Making security a cultural focus of the organization is a big part of the solution, she said, adding that her company trains employees to be security-minded from the moment they’re hired.
“You should be doing everything you can to educate your personnel about how to comply with the policies that you have established to better protect those devices from miscreants or from malware,” she said. “Your employees need to understand the significance of that device and what can happen with that device.”
Although the outcome was unpleasant for Target’s Steinhafel, mounting pressure on top-level officials could be an advantage for security professionals, said Dave Merkel, chief technology officer for security firm FireEye.
“It’s a great opportunity to have a conversation with the head of your organization” and ensure that leadership has the right amount of visibility and all the right things are being done, he said. That way, if something goes wrong, leadership will be able to show, at the very least, that they’re not being negligent. “The more senior in the organization you can have your conversations about information security posture and what you’re doing, the better.”
Understanding how an organization’s technology works and what kind of exposure that creates is a crucial first step, Merkel said, and after that, leaders need to understand what vendors can offer. “You have to be a very educated buyer,” he said. “The language we use to describe what products in that space should do is changing and morphing. You have to really talk to vendors and almost interrogate us to make sure that we’re giving a very clear accounting of what we can do and what we can’t do in terms you can understand so that you can map them to your needs.”