Companies with top-notch IT security are still vulnerable to having their networks penetrated and their information stolen as hackers look to hit their subsidiaries, suppliers, and even law firms that don't practice good network defense.
Small subcontractors or law firms can often access the networks and intellectual property of a large firm although they don't necessarily have the security infrastructure of the big firms.
"The bad guys have really switched to things like going after third parties, places where the company's data is stored or manipulated," Richard Bejtlich, chief security officer with the cybersecurity firm Mandiant told Killer Apps yesterday. "That's why we've seen, over the last couple of years, [hackers targeting] law firms. You can't get the data from the original source, so get it from somebody that has a copy or is processing it."
Law firms -- which, ironically, are often the organizations tasked with helping to defend a company's intellectual property -- are "a very target-rich environment, their IT is generally not up to the level it needs to be, the victims themselves are very reluctant to implement any of the defenses that would work against this sort of thing," said Bejtlich. "All the confidentiality and privacy tends to work against seeing what's happening [on a network]. If you tell a law firm partner, 'Oh yeah, we're going to monitor your computer and see everything that's coming to and from that and everything that's on the hard drive'...that's completely antithetical to their culture; it's pretty much the perfect place to steal data from."
This problem is exacerbated by the fact that so many businesses are connected to each other's networks or have access to each other's information -- over the normal course of doing business -- despite the massive disparity between the best players in the private sector and businesses without much in the way of security standards.
Gen. Keith Alexander, chief of U.S. Cyber Command and the NSA, lamented this disparity in the private sector's cyber security standards today.
"We have a problem, especially when you look at different sectors. So the banking industry and the higher-end defense-industrial base are pretty good. They're right there at the top," said Alexander during a speech at a Symantec-sponsored cyber security conference in Washington. "Then you go out to some companies that are getting exploited, and they don't know what the threat looks like, they don't know what they should do. And some of those are in critical infrastructure."
Alexander reiterated his desire to see the private sector -- especially so-called critical infrastructure providers like banks, defense companies, and energy and transportation firms -- adopt cyber security best practices and quickly share information in the event of a cyber attack. Legislation that would deal with these issues, and several more, has been stalled in the Senate since August.
A host of other government cybersecurity officials today echoed Alexander's point about the massive gap in security standards throughout the private sector, even among critical infrastructure providers.
Even in sectors like the defense industry that are better on the whole at implementing security standards, there is massive disparity in security practices.
"We do see some sectors who are in general more sophisticated. Now, if we're talking about the defense-industrial base, what do you mean by that?" said Jenny Menna, acting director of the Department of Homeland Security's Computer Emergency Readiness Team during the same conference. "They're the big companies that we can all name off the top of our heads. But then there are little companies six levels down on the supply chain, and so I don't think there is a consistent posture between the really big guys and the small companies."
She added that, among critical infrastructure providers, banks tend to be "extremely sophisticated. I sometimes refer to them as the AP class . . . Why is that? Because they're protecting their money."
Brian Varine, director of cyber incident management at the Department of Energy, added that banks have high security standards because "they have had tangible loss" when their networks have been penetrated. However, "if I go into your company and I steal all your intellectual property, it's still there, you don't know it's gone 'til five years down the road and your competitor is kicking your butt because they've taken your product, reverse-engineered it, and produced a bigger, better, cheaper product."
Happy Election Day. Here's your cyber threat of the week.
What's a growing trend among hackers looking to get into firms whose networks are well defended? Hijacking their IT infrastructure and processes to deploy malware.
In one case uncovered in the last three months, hackers developed a fake upgrade to a U.S.-based telecommunications company's Internet routers. That upgrade actually contained malware; had the firm's IT staff distributed the upgrade, the malware would have gone out with it to the routers that the company's computers connect through.
"We had an adversary group that was inside of a company -- they had been there for a while -- and we discovered that they had identified the part of the company that did router upgrades," said Richard Bejtlich, chief security officer at the cyber security firm Mandiant.
"What these guys had done is gotten a copy of the image [of the router's software design], they had decompiled it, they had then added malicious features into that router image and pre-positioned it where the IT [administrators] for the company would then copy it out to the [firm's] routers," where they would be free to roam throughout the firm's network.
How did the hackers get hold of the router software image in the first place?
"You can get them in two places. One is you can get them from the enterprise itself -- they have their repository of images ready to go -- or if you have a Cisco connection online, you can download it yourself. While it's sort of a niche affair, there are people who specialize in ripping apart Cisco [router] images," said Bejtlich.
Defending against this is relatively simple, he said.
"If you validated the signature" associated with the router upgrade to find out whether it is legit, "I guarantee you'd catch it," said Bejtlich.
While this attack was caught just before the company's IT administrators were about to distribute the upgrade, Bejtlich said that other companies are probably not as lucky.
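The check Bejtlich describes is simple to put into an upgrade pipeline: before an image is copied out of the repository to the routers, compare its digest with the value the vendor published for that file, and refuse anything that does not match or is not on the list. The example below is an added illustration, not Mandiant's or the telecom company's code. The image bytes, the filename `router-upgrade.bin`, the manifest and the "backdoor" patch are all constructed here so the script runs offline; a real manifest would hold the digests printed on the vendor's download page.

```python
"""Digest-check router images before staging them for rollout.

Added example; the image, filename and manifest are constructed, not real.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, the form vendors publish beside a download."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the vendor's genuine image (not a real firmware).
GENUINE_IMAGE = b"FAKEIOS\x00" + bytes(range(256)) * 4 + b"\x00END"

# Operator-maintained manifest: filename -> digest copied from the vendor.
# Built from GENUINE_IMAGE here only so the example is self-contained.
TRUSTED_MANIFEST = {"router-upgrade.bin": sha256_hex(GENUINE_IMAGE)}


def tamper(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite bytes in place so the size is unchanged: a modified image
    looks identical to the original in a directory listing."""
    return image[:offset] + payload + image[offset + len(payload):]


# Constructed "malicious feature" patched into the image at offset 64.
TAMPERED_IMAGE = tamper(GENUINE_IMAGE, 64, b"BACKDOOR")


def verify_image(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (accepted, reason). Unknown names are rejected, not trusted."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no published digest for this filename"
    actual = sha256_hex(data)
    # compare_digest avoids leaking the mismatch position via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches published value"


def stage_for_rollout(candidates: list, manifest: dict) -> tuple:
    """Split (name, data) candidates into accepted and rejected lists.
    Only the accepted list would be copied out to the routers."""
    accepted, rejected = [], []
    for name, data in candidates:
        ok, reason = verify_image(name, data, manifest)
        (accepted if ok else rejected).append((name, reason))
    return accepted, rejected


if __name__ == "__main__":
    queue = [
        ("router-upgrade.bin", GENUINE_IMAGE),   # vendor copy
        ("router-upgrade.bin", TAMPERED_IMAGE),  # same name, same size, patched
        ("unknown-build.bin", GENUINE_IMAGE),    # nothing published for it
    ]
    good, bad = stage_for_rollout(queue, TRUSTED_MANIFEST)
    for name, why in good:
        print(f"STAGE   {name}: {why}")
    for name, why in bad:
        print(f"REJECT  {name}: {why}")
```

Note that the tampered copy has the same filename and the same size as the genuine one, so a listing or a size check would not flag it; only the digest does. A digest copied from the vendor's site protects the copy in your own repository from being swapped after download, which is the attack described above; where the vendor signs its images, verifying that signature on the device itself (Cisco IOS exposes a `verify` command for this) is stronger still, because it does not depend on the integrity of the operator's manifest.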
After admitting that the U.S. military has long trailed the private sector in technological innovation, the Air Force Research Laboratory is hoping to set up a program to temporarily swap employees with Silicon Valley giants to tap some of the valley's creativity.
"There are a lot of advances and investigation in the private sector, and it's just hard to keep up when you're not in close communication with the folks that are involved," Jennifer Ricklin, chief technologist at the AFRL told Killer Apps during an Oct. 3 interview. "I'm thinking about tablets and smart phones and the big data issues and cloud computing -- all of these things that are transforming how our society operates and communicates."
(The AFRL is the service's far-out research arm that partners with private companies to develop everything from cutting-edge aircraft engines to new stealth tech.)
Ricklin went on to say that it doesn't make sense for the slower-moving government -- which she described as being set up to buy weapons on an industrial age model not an information age one -- to spend mountains of cash trying to keep up with some of the world's fastest-moving companies when it can simply collaborate with them.
For example, rather than develop its own unique products in mobile and cloud computing, the military should learn how to quickly tweak the latest commercial products to meet the military's unique security requirements.
"We have higher security needs than the average teenager does when it comes to communications tools," said Ricklin. "So we are actually interested in learning as much as possible about the fundamentals that go along with all this information technology and new devices and doing research, perhaps collaboratively [with the high-tech companies], on how we can increase the security so that we could use those [new technologies] on the Air Force side."
"We have a lot of insight into security requirements, and we can share with them some of what we know about that, and in exchange we would be able to have the very latest and greatest but with all of that security already implemented so that it would be suitable for military use," added Ricklin. "We really are trying to position ourselves to get ahead of this bubble" instead of "trailing behind when it comes to these technologies."
So how is this done? Well, since last spring, AFRL officials have been visiting Silicon Valley institutions like Google, Apple, HP, Stanford University, and SRI International to conduct "exploratory talks" about how the military can stay on top of and tap into the R&D these firms are conducting.
The AFRL is looking at everything from personnel swaps to cooperative research projects with both Google and SRI, according to Ricklin.
Lab employees may soon be able to take advantage of a program allowing them to take a month-long sabbatical to work at a company while being paid by the Air Force. All of this will help foster communications between businesses and the military -- something that disappeared in the decade after 9/11, argues Ricklin.
"Where there used to be an easy interchange between the private sector and the government, it's just so much more complicated," said Ricklin. "Communication's the lifeblood of technology transfer, and it's been pretty well established that ideas move with people much better than they do with paper. You can write a hundred papers but it doesn't often have the same impact as sitting down next to somebody and working with them for a period of time."
The big question is, how much culture shock will employees from the government and tech sides be in for during these swaps?
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.