United we stand: Combined approach beats threats
One night, someone was trying to compromise computers at a New York agency and make them part of a bot network.
After a computer worm had infected several PCs at the agency, the compromised desktops tried connecting to an infected system on the internet. The state's firewall blocked the connections to that host – a computer at a university, which administrators later discovered was a controller for a network of some 7,000 PCs worldwide.
Within a few weeks, a pattern emerged. Through the Multi-State Information Sharing and Analysis Center (MS-ISAC), four other states reported incidents with networks of compromised computers, also called zombies or bots. According to some experts, bot networks have risen markedly in the past six months.
Once robot programs are covertly installed on machines, cybercriminals can remotely control networks of PCs to carry out a variety of attacks without end-users' knowledge.
In this instance, the information sharing among affected states allowed the MS-ISAC, in which a total of 49 states and the District of Columbia participate, to go on the offensive, recounts William Pelgrin, the organization's chairman and director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).
The group issued alerts and liaised with federal officials to tackle bot networks, including collaborating with ISPs and developing guidelines for identifying and remediating bot networks.
"We want to make sure companies don't just ignore this, because we see more and more of these coming down the pike," says Pelgrin.
Mounting numbers of bot networks are just one of the threats Pelgrin foresees in 2005. He is also concerned about zero-day attacks that can strike before patches are available, increasingly sophisticated phishing scams, remote workers unwittingly bringing viruses into the network, and insecure wireless systems. Other infosec professionals share his apprehension.
"My anxiety closet currently includes a mixture of next-generation threats and some of our old favorites," says Jeff Klaben, senior manager of enterprise architecture and global information security at Applied Materials. "The preponderance of new attack vectors such as bots, malicious image files and phishing concerns me because I cannot always be sure that I – or my vendors – can mitigate so many new threats in a timely way."
Top concerns for 2005
Enterprise managers have good reason to worry, according to market-research firm Gartner. It predicts that cyberthreats will remain constant over the next few years, including spyware, phishing, zero-day attacks, spam – and its instant-messaging version – spim, identity theft, hybrid worms, and insecure wireless LANs that can lead to loss of confidential data.
As well as these looming threats, infosec executives foresee a number of other issues ahead, including regulatory pressures, the need to tie security to business needs, and the growing importance of identity management with the perimeter becoming less distinct as companies open up their networks to customers and partners.
"It's providing that additional openness that supports our business mission while also providing more security," says Steve Mori, information systems security director at Autodesk, a global digital design and content company based in San Rafael, California. And the stakes are higher because of regulatory compliance requirements, he adds.
Market research firm the Radicati Group sees several upcoming trends as companies try to protect their networks in a rapidly changing environment. Enterprises will shift from point solutions to appliances that are able to integrate multiple functions, such as anti-spam, anti-virus, and encryption, it predicts, and also deploy more email encryption technology.
A unified front
From his perspective, Pelgrin believes that collaboration such as that of the MS-ISAC will go a long way towards protecting organizations from zero-day attacks and other threats. The group, which was formed about two years ago, meets annually in person and monthly via phone to share security information and intelligence.
In addition to developing a standard approach to incident reporting, it set up a secure interactive map on the US-CERT portal, where states enter data to indicate their cyberthreat level. The map includes threat details, remediation data, and 24-hour contact details for state officials to call in an emergency.
"When you're talking a zero-day threat, it's there before you know it," says Pelgrin, who also chairs the New York State Public/Private Sector Cyber Security Workgroup. "By knowing who you can contact when it occurs, we can pull together very quickly."
He is proud of how the group rapidly mobilized for a physical threat that fortunately didn't come to pass, but which would have had serious consequences. Another time, the MS-ISAC investigated a situation involving a compromised machine controlled from an online chat room. As it turned out, the incident unearthed compromised systems in seven states and three countries and led to a suspect. The case is still under investigation, but Pelgrin is hopeful it will lead to a prosecution.
Minding your business and end-users
Aside from collaboration, user education is key to foiling phishing scams and preventing zombie networks, believes Pelgrin. For its part, New York conducts ongoing training, with a range of levels tailored for different types of staff.
"We've done a better job at educating people about infosec issues, but there are still so many people who believe it isn't their responsibility," he says.
"It's everyone's responsibility. The only way we'll have a chance of staying one step ahead of the bad guys is if everyone is involved."
Overall, there needs to be a cultural shift in organizations so that cybersecurity is part of the business processes from the beginning, he asserts.
In fact, including security in a basic business plan will be critical for small and mid-size companies in the year ahead, warns Howard Schmidt, CISO at online auctioneer eBay and former White House cyberspace security advisor. Cyberattacks will target smaller enterprises that lack IT expertise, but have more internet connectivity than in the past, he explains.
"Too many smaller companies, when they put a business plan together, it's about how they're going to get to where they make money," he says. "But they also have to factor in that security is part of doing business."
Large enterprises, meanwhile, will need to concentrate on user education to deal with malware and zero-day attacks, he says.
Indeed, educating users about phishing and other online fraud will be a continued focus at Duke Energy, says Joseph Adams, enterprise IT security manager at the Charlotte, NC-based company. While phishing targets an individual's personal data, it could also install spyware that eavesdrops on corporate assets, he notes.
Tackling other major threats
Besides phishing and spyware, a more sophisticated insider threat will be a top concern for enterprises next year, warns Adams. "Sometimes, it's more straightforward to focus on external threats to the company. It can be much more difficult to tell whether you have an internal threat," he says.
Eran Feigenbaum, U.S. CISO with PricewaterhouseCoopers, agrees. Managing employees' identities and their access to data while ensuring former employees do not get access will be a challenge for companies moving forward, he forecasts. He also foresees more specifically targeted attacks against companies and increasingly complex viruses.
"It seems that the anti-virus vendors and hackers are always leapfrogging each other," he observes.
Many security executives believe that defending corporate assets against viruses and other threats will continue to make vulnerability management, and tying that management to business needs, a priority.
"It's risk analysis," says Autodesk's Mori. "There are all sorts of threats out there... indeed, so many that you can't address them all. But we need to understand exactly which vulnerabilities represent the most significant threats to the daily processes that support the business."
Companies will need to focus on the business reasons for security – and technology is improving to allow them to do this, says Chris Hoff, CISO at California-based Western Corporate Federal Credit Union (WesCorp), which provides payment and other services to more than 1,000 credit unions.
"There will be a renewed interest in getting back to basics – about extending the tools we have from mostly focusing on solving technology problems as they relate to security, towards solving more business problems," he says.
Communicating risk as it relates to core business assets illustrates the value of security to corporate managers and also regulatory compliance, adds Hoff. And with regulatory compliance at the top of corporate priorities next year, that's essential.
"For 2005, regulatory compliance issues like Sarbanes-Oxley and SB1386 are refocusing our efforts back to the basics – verifying reasonable and effective controls in business processes and systems," says Applied's Klaben.
Now, more than ever, it's critical that those controls reflect a tight alignment between infosec, corporate governance, and internal audit functions, he adds.
At Rockford Health System, next year will be all about complying with the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), says Joe Granneman, manager of networking/data security at the Rockford, Illinois-based healthcare provider.
That will mean setting up a lot of end-user training to educate them about not sending unencrypted healthcare data, sorting out more storage, and no doubt getting wrist cramp from writing all the policies and procedures, he says.
"The hardest part is the [firewall] log storage... In the past, if you kept it a year or two, you were pretty good, but HIPAA says you need to review it, yet there's no time frame," he says, adding that many in the industry recommend keeping six years' worth of logs.
Along with compliance requirements, Granneman is worried about vulnerabilities in wireless technology and the risks involved with workers accessing applications through the internet. "A lot of people talk about how the DMZ is gone and that's really true," he remarks.
According to Hoff, however, the network perimeter has not disappeared. Rather, there are multiple perimeters at the host level, which will drive a surge in host-based intrusion prevention.
Strengthening the communal approach
Moving forward, Pelgrin's focus is on expanding the collaborative approach. He hopes an MS-ISAC outreach committee can broaden the group's efforts to the local government level and, eventually, the citizenry.
He also aims to make the public-private cybersecurity working group he heads in New York a national effort. Members of that group, including representatives from local, state and federal government and a variety of critical industry sectors, share information about vulnerabilities and incidents.
"I don't paint a gloom and doom situation," he says. "I see a wonderful coalescing of public and private sectors. Both sides have one thing in common – we have a passion of wanting to make sure we are doing something that makes us better prepared and far more resilient."