Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/29/2010
06:20 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Are We Missing the Point?

Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?

Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?They deserve to be. It's true that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low. When it comes to a cyberattack, the impact is high, the likelihood is high and the ease in which the attack can be performed is high. National security is about managing and mitigating risk, and therefore more attention should be given to these cyber weapons of mass destruction. At the top of the agenda should be better protecting critical information from the insider. There have been a lot of very technical, sophisticated attacks recently, and we sometimes forget that the entry point for most of these attacks is an insider clicking a link or going to a site that they should not have gone to.

When you evaluate a threat, there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood, and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyberattack, the impact is high, the likelihood is high, and the ease is high. Therefore, since national security is about managing and mitigating risk, shouldn't more attention be paid to the cyber weapons of mass destruction and controlling access to our critical information?

If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpoints that have to be cleared. The three important points to remember are 1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints; 2) weapons are illegal in most countries, so clear possession of them could get someone in significant trouble; 3) it is relatively difficult to obtain these weapons.

When you start to apply this to cyber and insider threat, things start to fall apart very quickly. On the Internet there are no international boundaries. An attacker/insider can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and use of the tools are not illegal.

There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas. Are we looking at controlling the boundaries and in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless, that model falls apart. While changing laws can take a long time to perform, there are things organizations can do today to help protect the critical infrastructure from the accidental or deliberate insider. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Focusing on wanted trusted insiders have access to the information.

Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Who inside the organizations has access to this information and can be targeted?

Third, the entry point for most attacks is the end users. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints. Always remember that while it is difficult to stop stupid, with proper controls and focus on the insider, you can limit or minimize the impact of stupid.

We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner.

Personally, I vote for option one.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
CVE-2021-32244
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2021-32245
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
CVE-2021-34201
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
CVE-2021-34203
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...