Cyber Security News / Security Talk Column

The Good Old Days of Cyber Security

Advanced Persistent Threats (APTs) are proving traditional cyber attacks (viruses, malware, etc.) outdated, according to Larry Clinton, President & CEO of the Internet Security Alliance.

September 1, 2013

Each minute in 2010 there were 45 new viruses created, 200 new malicious websites established, 180 personal identities stolen, 5,000 new versions of malware created and most importantly, 2 million dollars lost. That is what Larry Clinton, President & CEO of the Internet Security Alliance (ISA) calls the “good old days.”

According to Clinton, the alarming, but traditional attack methods that were causing such damage in 2010 can be considered outdated compared to the newer attacks of today called the “Advanced Persistent Threat,” or the APT.

ISA is a multi-sector trade association with membership from most of the major industry sectors. 

In 2008, ISA published its Cyber Security Social Contract, which articulates a market-oriented, incentive-based model as an effective, sustainable model for improving our nation’s cyber security. The Contract is both the first and the last source cited in the Executive Summary of President Obama’s Cyber Space Policy Review.

When the Obama White House issued its executive order on cyber security earlier this year it essentially adopted the ISA’s Social Contract model.

APT is not only well funded, Clinton says, but it’s also well organized, highly sophisticated and it targets vulnerable people more than vulnerable systems.

Clinton adds, “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains or trains loaded with lethal chemicals, contaminate the water supply or shut down the power grid across the country. Attackers could also seek to disable or degrade critical military systems and communication networks. The result could be a cyber Pearl Harbor; that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”

These facts, of course, beg the question: if this is such a big problem, why hasn’t it been solved?

According to Clinton, and previous columns by Security Publisher Mark McCourt, one problem has been that policy makers have been thinking of cyber security primarily as a technological problem, when in reality it is an enterprise-wide risk management issue. Technology only tells us how attacks occur; economics tell us why attacks occur. Considering technology without considering economics is as misguided as thinking of economics without technology.

“For example, economists have long known that liability should be assigned to the entity that can manage risk,” Clinton says. “Yet everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code. We find that misplaced incentives are as important as technical design…security failure is caused at least as often by bad incentives as by bad technological design.

“Moreover, there has been a misconception that increased security is good business. That is clearly true to a certain extent. However, in the digital business world there are major economic incentives to deploy insecure systems and processes,” Clinton notes. “For example, VOIP is basically less secure than traditional telephony, but businesses have deployed it widely for the massive cost savings. The economics driving these unsecure decisions are overwhelming.”

“Making the business case for security could be a challenge – no one wants to pay their insurance bill until the building burns down,” Clinton says. “And the challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices and demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.”

Even with all these problems, there still seems to be some light emerging at the end of the tunnel. To begin, there is growth toward businesses taking an enterprise-wide cyber management approach to cyber security. In 2008, according to Clinton, only 15 percent of companies ISA surveyed had enterprise-wide risk management teams for privacy/cyber. In 2011, 87 percent of companies had cross-organizational cyber/privacy teams. Some major firms are now including ISA Financial Risk Management in their enterprise programs, which are also being used as the foundation for the Enterprise Risk Management process that will be part of the voluntary program that the Obama Administration is creating under its Executive Order on Cyber Security.

In addition, there are now numerous books, pamphlets and websites to assist enterprises in their fight to become more cyber secure. One such document has just been published by ISA on how to fight the APT on a smaller budget. Among the tips provided are corporate due diligence: enforce the “Need to Know” rule, encrypt everything in transit and at rest (i.e. the iPhone), with foreign travel, use throw-away laptops, label all documents and e-mail with the appropriate data classification and upgrade to the latest operating systems.

What is your enterprise doing? Let me know, ritcheyd@bnpmedia.com   
