If anything, IT security workers may feel that whatever new risk management program they roll out or security product they deploy, the bar constantly moves higher. Many fear privately that the hackers are winning, and that nation-states, organized crime and amateur hackers out to prove they can access Defense Department systems or Wall Street bank accounts are impossible to stop. Anyone and everyone can be hacked – and it often happens without the IT staff even knowing about it. Even the harsh 20-year federal prison sentences handed out to TJ Maxx hacker Albert Gonzalez and credit card scammer David Ray Camez haven't really proved an effective deterrent.
However bleak it may appear, the tide started to turn with the Target hack in late 2013. In fact, the Ponemon Institute reports that following the Target breach, survey respondents said the percentage of senior management who considered data breaches an “extremely high” concern rose to 55 percent – up from just 13 percent.
It also didn't hurt that heads started to roll from the corner offices. Without question, CEOs woke up when they read in the news last year that 35-year company veteran Gregg Steinhafel was forced to resign at Target, and CIO Beth Jacob also lost her position.
Dave Frymier, CISO, Unisys
John Kindervag, analyst, Forrester
Kevin Mandia, SVP and COO, FireEye
Donald “Andy” Purdy, chief security officer, Huawei USA
Lena Smart, VP and CIO, New York Power Authority
Nathan Smolenski, CISO, Zurich North America
And if Target was a wake-up call, the Sony hack late last year pushed cybersecurity into the mainstream as President Obama weighed in on the issue and even Entertainment Tonight reporters gushed cybersecurity news when Amy Pascal, former co-chairman of Sony Pictures Entertainment, was forced to resign over revelations about embarrassing emails that were stolen by the hackers.
Only the serious need apply
Much of this publicity and the focus by the press on the next “9-11 event” that will affect the security industry troubles Lena Smart, vice president and CIO of the New York Power Authority (NYPA). “I really don't respond well when people compare these hacking attacks to 9-11,” she says. While it's regrettable that personal information and credit card data was stolen in these recent incursions, there was no loss of life, she says. “As for security becoming the hot career, while the industry needs people, what we really need are people who are ready to roll up their sleeves and do the hard work. I'm still finding it hard to find qualified people.”
Smart, who worked for more than 11 years as NYPA's CISO before assuming the CIO position, knows what she's talking about. Along with her role at NYPA, Smart serves as the power industry sector chief for the New York State chapter of InfraGard, a partnership between the FBI and the private sector, where she receives briefings on cybersecurity events from the FBI and shares lessons learned with other IT managers and FBI officials.
She says following the Sony hack, she met with top management at NYPA and explained to them that the FBI believed the hack was tied to North Korea and how her security program at NYPA puts the organization in a strong position to withstand an attack.
“I told them we use a combination of data encryption, complex passwords and identity and access management tools that weren't necessarily applied to the same extent at Sony,” Smart says.
NYPA also has an aggressive security education program. Anyone who enters the organization, whether it's their first day on the job or they are there as a visitor or contractor, is trained in IT security. Further, Smart runs unannounced phishing exercises throughout the year to raise awareness, so staff better understand what to look for. She also holds “brown bag” lunches with the rank-and-file staff where she offers tips on how to spot a suspicious email that may be a phishing attempt or contain malware.
“We do videos of these sessions and people who may have missed the presentation are encouraged to watch and learn what's going on,” she says.
A focus on crypto
The techniques that Smart uses at NYPA are accepted best practices that most experts recommend. John Kindervag, a Forrester analyst who focuses on IT security, says companies need to take three steps to protect their organizations: discover and classify their data; gain visibility into the company's internal network; and deploy data encryption and tokenization.
“I really wish that more people understood that there are real consequences to not doing anything,” Kindervag says. “But people don't put alarm systems in their homes until they get burglarized.”
Dave Frymier, CISO at Unisys, an information technology company based in Blue Bell, Penn., says while it's important to encrypt data and deploy two-factor authentication, companies also need to support their IT departments. “What Target did was like planting a vegetable garden with a shovel, rake and hoe, but not have anyone to tend the garden,” he says. “They bought some tools, but they made no investment in human resources to learn how to manage IT security.”
The year that was:
eBay: 145 million people affected
JPMorgan Chase: 76 million households and 7 million small businesses
Home Depot: 56 million unique payment cards
CHS Community Health Systems: 4.5 million people
Michaels Stores: 2.6 million people
Neiman Marcus: 1.1 million people
Staples: point-of-sale systems at 115 of its more than 1,400 retail stores
SOURCE: Ponemon Institute, “2014: A Year of Mega Breaches,” January 2015
Better and more universally applied crypto can help, but Frymier points to three main factors that have led to the rise of data breaches. First, he says that when the internet was first developed it ran on unauthenticated and unencrypted packets. A packet is authenticated when its origin is known and verified. Packets can be authenticated by sending a digital signature (generated with a digital certificate unique to the sender) along with each packet. Frymier says requiring packet authentication would solve the spoofing problem the industry has today, where it's very difficult to tell where an attack comes from.
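Frymier's point about authenticated packets, as an added illustration that is not from the article or from Unisys: a constructed packet format that its origin signs with Ed25519, and that the receiver verifies against the public key it holds for the claimed source (the stand-in for the “certificate unique to the sender”). The addresses, the key table and the packet layout are assumptions made for the example; a packet signed by the wrong key, tampered in transit, or claiming an origin the receiver has no key for is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet is a constructed, simplified datagram: the origin it claims,
// the destination, the payload, and the origin's signature over the rest.
type Packet struct {
	Src, Dst string
	Payload  []byte
	Sig      []byte
}

// signedBytes serialises the fields the signature covers. Length prefixes
// stop "ab"+"c" from colliding with "a"+"bc".
func signedBytes(p Packet) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(p.Src), []byte(p.Dst), p.Payload} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(out, l[:]...)
		out = append(out, f...)
	}
	return out
}

// SignPacket attaches the origin's signature; the private key stays with the sender.
func SignPacket(priv ed25519.PrivateKey, p Packet) Packet {
	p.Sig = ed25519.Sign(priv, signedBytes(p))
	return p
}

// VerifyPacket accepts the packet only if the receiver holds a public key for
// the claimed Src and the signature checks out over Src, Dst and Payload.
func VerifyPacket(known map[string]ed25519.PublicKey, p Packet) bool {
	pub, ok := known[p.Src]
	if !ok || len(p.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signedBytes(p), p.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed sender key pair
	known := map[string]ed25519.PublicKey{"10.0.0.5": pub}
	p := SignPacket(priv, Packet{Src: "10.0.0.5", Dst: "10.0.0.9", Payload: []byte("hello")})
	fmt.Println("genuine packet verifies:", VerifyPacket(known, p))
	p.Src = "10.0.0.7" // claimed origin changed after signing
	fmt.Println("spoofed origin verifies:", VerifyPacket(known, p))
}
```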
“In the early days of electricity, houses were routinely outfitted with bare wire,” he says. “As you can imagine, many burned down. Fifty years from now, the notion that we are sending around unauthenticated and unencrypted packets will seem as absurd as wiring houses with bare metal.”
Second, he says standardization has been a double-edged sword. For example, Microsoft Office is universal at most corporations, but it also created hundreds of millions of endpoints for hackers to attack.
Finally, Frymier says there's a general rush by software makers to bring products to market too quickly. “Companies push product out the door as fast as they can with the lowest cost,” he says. “The result is that a lot of software is full of vulnerabilities.”
In the long run, he says, all of these issues will have to be addressed in order for the industry to make progress on breaches.
For many, all of this can be confusing and hard to sort out. Cynics may point out that JPMorgan Chase spent tens of millions on IT security and employed 300 people focused on security, and it still was hacked. On the other hand, while it was hacked, it had the personnel to remediate the issue and the sense to admit that there was a problem, and then move on.
Kevin Mandia, senior vice president and COO at FireEye, a Milpitas, Calif.-based network security company that has often been the “go-to” vendor for remediation following high-profile hacks, says what really needs to change is the idea that the victims have done something wrong.
“Organizations are compromised all the time, often without them knowing it,” he says. “When you're talking about a nation-state hacking into an educational institution or a media or financial company, it's really an unfair fight.”
Above all, Mandia says companies need to prioritize which information and data is most valuable. “Know what matters most and protect it,” he says.
CISOs and CIOs may not be able to make the hacks stop completely. But they can certainly apply the best possible tools and work with top management to identify the data and intellectual property that matters most to the organization. If the current trend continues, hacking incidents will become more like political scandals. In the end, it may not be what was lost or stolen, but more how the organization responds.
Good Governance: What it's all about
When it comes to IT security, the old story that common sense may not be that common holds true.
Not so at global infrastructure manufacturer Huawei, which a couple of years ago formed a global cyber security committee that's headed up by Ken Hu, the company's deputy chairman of the board.
Donald “Andy” Purdy, chief security officer for Huawei USA, says seats on the global committee are held by all the top people in the company, including IT, HR, the general counsel and the heads of all the line-of-business groups. There are also similar committees in each of the countries in which Huawei operates. In fact, Purdy heads up the cybersecurity committee for Huawei USA.
“The point here is that Huawei has established a governance process that involves all the key people in the company,” Purdy says. “Everyone is responsible for security and it includes people at the highest levels of the company.”
Purdy says the genesis of the cyber committees started in 2011, when Huawei started a program that would focus on innovation, quality and security. He says the company strives to build security into every aspect of the business. Some examples:
Constant training. The company conducts cybersecurity awareness training and education for all Huawei staff, thereby encouraging an atmosphere and culture conducive to promoting cybersecurity awareness and regulating employee behavior across the company.
Build security into the process. Huawei embeds cybersecurity requirements into its integrated product development process. Cybersecurity is built into the team's daily work as well as each product and service. The company instructs employees to design, develop and deliver products with security in mind.
Test, test, test. The company established a multilayer cybersecurity evaluation process that lets its products be independently tested and evaluated by different teams. This includes Huawei's Internal Cyber Security Lab, the UK Cyber Security Evaluation Center (CSEC), customer evaluation teams and third-party audit and evaluation teams.
Respond in a crisis. When customers and researchers identify possible security issues, the company responds through its Product Security Incident Response Team and core R&D processes. In addition, the company's barcode system and electronic manufacturing system let it trace 98 percent of the components used in its offerings forward or backward within just a few minutes.
Review the logs. Because auditing plays a crucial role in ensuring what a company or department claims is true and effective, the firm ensures the implementation of cybersecurity policies, processes and standards through an internal audit team. This allows Huawei to provide more effective and comprehensive oversight on cybersecurity.