Cyber threats are accelerating. There are plenty of security solutions out there, to be sure. But the bad guys are proving far superior at sharing intelligence and forging alliances to defeat these systems. They are executing intrusions, stealing data and carrying out Internet-enabled cyber scams on an unprecedented scale.
That was the core thread that ran through Internet security conferences I attended around the country in 2008.
If we define the good guys as corporate users of the Internet, tech security vendors, and government regulators, then clearly the good-guys are falling farther and farther behind. The good guys are not sharing intelligence, not forming partnerships, not collaborating, at least not to the degree necessary. In short, there is no first-line, unified defense to speak of.
That’s essentially the conclusion of the Center for Strategic and International Studies’ (CSIS) bi-partisan committee that hammered out this state-of-cyber-security report to President-elect Obama.
Is Defense in Depth a myth?
At one conference, I heard Jennifer Bayuk, former CISO at Bear Stearns and author of the ISACA compliance guide, Stepping Through The InfoSec Program, make a strong argument that “defense-in-depth” is a myth. Defense-in-depth is the oft-repeated mantra of tech security vendors. It assumes the obvious — that “there is no silver security bullet” — and advocates the use of layered defense systems: firewalls, antivirus suites, encryption, intrusion detection, patch management, blacklists, whitelists, or whatever flavor-of-the-month security product or service that comes along.
Bayuk contends that we’ve arrived at the point where adding more complexity to defenses actually weakens security. Speaking at a Nov. 19 tech security workshop put on by I3P at the University of Virginia, Bayuk asserted that relying on a patchwork of security systems too often can lead to dismissal of the imperative to bake security into one’s core business model.
I’ve heard experts from the military, the financial services sector, tech security vendors, the federal government and academia discuss how efforts to deter virulent, cascading cyber intrusions are, at best, fractured and disjointed; no one is really trying to systematically measure the rising “pockets of badness” on the Internet, as fellow journalist and Security Watch blogger Brian Krebs puts it. The upshot: things are certain to get a lot worse before they get better.
“We’ve been too caught up in crises of the moment without focusing on a vision for the future,” George Foresman said in a keynote address at the I3P workshop. Foresman is the former Under Secretary for Preparedness at Homeland Security.
He told me he believes a “Cyber Katrina” seems inevitable, likely followed by government regulation to compel the private and public sectors into making the Internet safer.
Here’s my take: Cyber Katrina is upon us. We’re in the eye of the storm where things seem seductively becalmed. The reality: cyber chaos is swirling all around us. A cyclone of news developments and security reports convey the extent to which cyber intrusions are spiraling out of control, with little sign of abating anytime soon.
Consider that once smug Mac-o-philes have become uncharacteristically silent about Macs’ supposed invincibility, now that Apple has begun encouraging them to subscribe to anti-virus protection, just like everybody else. Windows users, meanwhile, must remain vigilant as ever keeping up with Microsoft security patches. On Patch Tuesday this month, the software giant issued fixes for a record 28 vulnerabilities, 23 of them critical, then followed up by issuing its second emergency patch in three months.
Threat metrics
My email inbox is inundated with reports and surveys attesting to the cyber onslaught. The fellows over at the Anti-Phishing Working Group say the number of websites tainted with malicious code designed to steal your data and turn your machine in an obedient bot continues to spike. “Cyber criminals continue to increase their activities to levels never before seen,” says Dave Jevans, APWG chairman. “As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet.” Here are more proof points:
- Sophos says it is finding one new infected webpage every 4.5 seconds–more than three times faster than in 2007, and is discovering five times more malicious email attachments today than at the beginning of the year.
- Cisco reports that disclosed vulnerabilities grew by 12 percent in 2008 vs. 2007 and that attacks are becoming increasingly blended, cross-vector and targeted. Cisco researchers saw a 90 percent growth in threats originating from legitimate domains, nearly double what was seen in 2007.
- IBM ISS reports that during 120 days (through the end of November) it tracked a 30 percent increase in network and web-based “security events,” with the total number rising from 1.8 billion to more than 2.5 billion worldwide per day.
- Finjan reports that cyber criminals are using new tools to automate the process of spreading infections within big online ad networks.
- Symantec says fraud spammers are mimicking subject lines of legitimate merchants to drive consumers to infected websites.
- McAfee researcher Francois Paget has discovered 20 or so web sites put up to recruit reshipping and money laundering mules, a new wrinkle to the cyber mules trade, which we examined in this 2005 cover story.
- The Retail Industry Leaders Association’s Current Crime Trends Survey found retailers across the nation experiencing a 76% increased in “financial fraud,” much higher than the 61% increase in robberies and 53% increase in burglaries. No doubt part if not most of the spike in fraud was Internet-enabled, ala the Hannaford Brothers grocery store chain data heist.
- Application Security Inc.’s recent security review of databases at 179 organizations found 56 percent suffering at least one data breach in the past 12 months.
Given these gloomy metrics, is there any reason to hope this cyber cyclone can be subdued? Vint Cerf, the man most often referred to as the father of the Internet, painted a dark scenario in this recent Guardian interview. When it comes to Internet security, “it’s every man for himself. . .in the end it seems every machine has to defend itself.”
But Foresman, the former DHS preparedness honcho, sees reason to be optimistic. He puts his hope in emerging leaders, like Janet Napolitano, rising to the fore and making the most of bully pulpits. Napolitano will have an “opportunity to introduce a holisitc approach” to making the Internet more secure, Foresman told me.
Let’s hope she and others lead the way and do just that. Adopting the the theme of hope, I plan to blog more directly to the tech security community, in a fresh way. I will leave the deep technical analysis to others. However, every day I hear great intelligence and see examples of laudable initiatives from all corners of the security landscape. I will strive to make this blog a venue for sharing useful insights, connecting dots, raising public awareness and moving the discussion along in a productive way.
–Byron Acohido
