Website - www.thirasystems.com
Email me - gins@thirasystems.com
Follow me on twitter - @daveginsburg

Friday, December 11, 2015

The Lone Wolf and the Enemy Within - 11 Dec 15 by gins

HACKERS now pose more of a threat to world security than nuclear weapons - 

Recent attacks and daily coverage of cyber-threats got me wanting to watch one of my all-time favorite movies, ‘Die-Hard 4.’  Almost nine years ago, it introduced the term ‘fire-sale’ to the masses.  More on this later.

Coverage of the ‘lone wolf’, with its expected focus on traditional terror vectors, underplays the potential damage from cyberterrorism.  Here I’m not talking about state-sponsored attacks, direct or indirect, but about the individual.  And the attack won’t come through the front door, the area of most focus.  It will come from the inside, where traditional perimeter security tools offer no protection.  Even newer tools offering interior protection will be hard pressed to combat a radicalized individual who has slowly moved up through the organization and now holds the keys to the kingdom.  How do we combat this?

Segment It to Save It

At the Gartner Data Center I&O Management Conference this week, Theresa Payton, former White House CIO, did an excellent job of describing current threats and some harrowing statistics. 

  • 78% of cyber attacks start with tricking the user
  • Almost 100% will click on a phishing email
  • 50% will open attachments if they look relevant, such as:
      1. Create target list from attendees
      2. Select source of email from agenda, and attribute to someone important
      3. Use known phrasing and lingo.  Add urgency.
      4. Package trojan within and name ‘Notes from Meeting’ or some other relevant topic.
      5. Send.

The first step is therefore awareness, and a change in behavior that won’t happen overnight (I’m the first to admit that many times I’ve come close to hitting ‘open’), but as I mention above, this won’t protect against a trusted insider.  The same tools used to radicalize individuals can also be used the other way round, helping them build the expertise needed to gain trust.

This requires more sophisticated ways of protecting data from the inside, which are not simple and imply an even greater level of control.  The days of ‘superusers’ may need to come to an end, with two-party control the rule.  True role-based access will need to filter down from the Fortune 500 into the smallest of enterprises.  Her suggestion was to start slow, selecting the few critical pieces of data that can’t be compromised at any cost.  She used the example of the presidential calendar, now split between five databases and only aggregated within the Oval Office.

The watchword was ‘segment it to save it,’ while including controls that will identify any out-of-the-ordinary behavior.  The natural extension of this is a background process that checks all actions against known per-user heuristics, a curve of sorts, flagging anything that looks wrong.  A new security abstraction layer.  Of course this raises the question ‘who watches the watchmen?’  Not insurmountable, but something else to worry about.

Back to Die-Hard.   

I’m always amazed by how Hollywood portrays government IT infrastructure.   The National Data Administration.  Nice.   The Homeland Security NOC.  I want one.  Right out of Terminator.   When I was in the military, a primary backup site for the US Government looked like a school room, and for those who remember Desert Storm, it was laptops in trailers.  

To the industry’s credit, we’re getting better at portraying IT and hacking, as detailed in a recent Atlantic article, Hollywood is Finally Starting to Get Hacking Right.

And something I had forgotten: the baddie was Maggie Q, whom I remember from the movie, and from a dinner a few years back just north of Toronto.