I had the pleasure of attending Open Group Conference Boston just two weeks ago. Historically, this conference aims at bringing enterprise architects together from various industries to talk about important architectural issues. This time around, they dedicated track sessions to the security topic. Among other things, I had an opportunity to record a podcast with Dana Gardner, Gen. Harry Raduege, and Jim Hietala on the topic of cyber security.
Cyber security has gained quite a bit of attention in the past year or so. Although the concept has been discussed for almost a decade, the evolving nature of threats has created lots of buzz recently. There are numerous threat vectors and thus, diverse targets. Increasingly, data espionage, identity theft, cyber attacks on the critical infrastructure, denial of service (DDOS), and advanced persistent threats (APT) are coming to the surface. Public and private sectors alike are concerned about the targeted attacks that are aimed at stealing confidential data, which produces a domino effect and harms companies' brand names and operations.
In the past 18 months we have seen many examples and scenarios that highlight the cyber security discussion. For instance:
- Attack on Google’s network — As a Google statement puts it “…A highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google."
- ZeuS spyware attack affected almost 2,500 companies in the past 24 months, including government agencies. The attack vectors were very diverse, but some of the common ones came from emails and social media sites. To date there are almost 74,000 compromised users worldwide with over 90 variants of this spyware spreading.
- In 2009, the Internet Crime Complaint website received 336,655 complaint submissions. This was a 22.3% increase as compared to 2008 when there were 275,284 complaints.
- Shadow criminal networks compromised data from the Indian Defense Ministry, the Dalai Lama’s personal e-mail messages, travel documents of NATO forces in Afghanistan, and multiple command-and-control infrastructures that leverage cloud-based social media services.
- According to the Repository of Industrial Security Incidents (RISI) report, there are 175 confirmed cyber security incidents on critical infrastructure like oil, water, gas, and electric.
Attack vectors are going to increase as organizations embrace mobility, social media, and cloud computing — hence it's time for organizations to get pragmatic about how they design their security architecture. The recent controversy between Research In Motion (RIM) and Saudi Arabia over mobile security is a great example of how governments are thinking about evolving threat landscape and want to gain control and visibility into electronic transactions. Among many things, they should start with:
- Defining a risk baseline — It’s ever more important to understand and model your threat. Organizations should create a profile that includes risk —baseline, acceptable threshold, analysis, and monitoring. Governments are taking keen interest in developing a shared risk baseline where they collaborate with private sectors to come up with best practices. These guidelines can help your organization’s risk strategy.
- Creating cyber awareness and marketing the value — Educating internal staff about cyber risks is equally important. Organizations should remember protecting intellectual data is a people, process, and technology issue. Creating marketing campaigns for not only your internal staff but partners and key stakeholder is a dire need.
- Moving from detection to prevention — Evolving cyber threats demand that organizations become proactive and take action. Hence, intrusion prevention, packet inspection, and whitelisting is a must have in today’s environment.
- Developing situational awareness — A basic tenant of knowing your adversary is knowledge of your surroundings. Organizations should develop a situational awareness model, which includes continuous monitoring, threat monitoring & response, incident management, forensics, application visibility, and threat modeling, to name a few.
I hope you found our roundtable helpful and perhaps your organization can start to brainstorm pragmatic strategies to understand and counter cyber threats.
Do let us know of your thoughts and experiences!