Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/29/2010
06:20 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Are We Missing the Point?

Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?

Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?They deserve to be. It's true that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low. When it comes to a cyberattack, the impact is high, the likelihood is high and the ease in which the attack can be performed is high. National security is about managing and mitigating risk, and therefore more attention should be given to these cyber weapons of mass destruction. At the top of the agenda should be better protecting critical information from the insider. There have been a lot of very technical, sophisticated attacks recently, and we sometimes forget that the entry point for most of these attacks is an insider clicking a link or going to a site that they should not have gone to.

When you evaluate a threat, there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood, and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyberattack, the impact is high, the likelihood is high, and the ease is high. Therefore, since national security is about managing and mitigating risk, shouldn't more attention be paid to the cyber weapons of mass destruction and controlling access to our critical information?

If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpoints that have to be cleared. The three important points to remember are 1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints; 2) weapons are illegal in most countries, so clear possession of them could get someone in significant trouble; 3) it is relatively difficult to obtain these weapons.

When you start to apply this to cyber and insider threat, things start to fall apart very quickly. On the Internet there are no international boundaries. An attacker/insider can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and use of the tools are not illegal.

There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas. Are we looking at controlling the boundaries and in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless, that model falls apart. While changing laws can take a long time to perform, there are things organizations can do today to help protect the critical infrastructure from the accidental or deliberate insider. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Focusing on wanted trusted insiders have access to the information.

Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Who inside the organizations has access to this information and can be targeted?

Third, the entry point for most attacks is the end users. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints. Always remember that while it is difficult to stop stupid, with proper controls and focus on the insider, you can limit or minimize the impact of stupid.

We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner.

Personally, I vote for option one.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5541
PUBLISHED: 2019-11-20
VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain an out-of-bounds write vulnerability in the e1000e virtual network adapter. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service...
CVE-2019-5542
PUBLISHED: 2019-11-20
VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain a denial-of-service vulnerability in the RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.
CVE-2010-4660
PUBLISHED: 2019-11-20
Unspecified vulnerability in statusnet through 2010 due to the way addslashes are used in SQL string escapes..
CVE-2011-0529
PUBLISHED: 2019-11-20
Weborf before 0.12.5 is affected by a Denial of Service (DOS) due to malformed fields in HTTP.
CVE-2019-10765
PUBLISHED: 2019-11-20
iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.