You could say that Gene Fredriksen learned his first lesson about security from a squirrel. That's right. A squirrel. As a boy growing up in the Midwest and an enterprising Boy Scout, Fredriksen built the requisite bird feeder as a Scout project and proudly hung it from a pole in his yard. Daily checks to the feeder revealed that all the food indeed had been consumed, just not, to his chagrin, by birds, but rather by a pesky squirrel.
The innovative Scout tried everything – including greasing the pole that supported the feeder – to keep the squirrel at bay. But nothing worked. Certain that Bullwinkle's buddy was mocking him from a nearby tree, Fredriksen ramped up his efforts to thwart the furry interloper…until the day a neighbor ambled over.
“A retired farmer said, ‘I see what you're doing and you're never going to win,'” Fredriksen says. “‘You come out here and spend an hour a day trying to stop him. The squirrel is working 24 hours a day trying to steal your food.'”
As the neighbor predicted, he didn't get the squirrel, but the homespun lesson stuck with him. “You can't just do security a little bit, an hour a day, because someone out there is working 24 hours a day trying to steal your data,” he says.
That's an important mantra that Fredriksen has adopted, taught to the countless up-and-coming security pros he has trained and mentored, and applied in every security job he's had – from the Burton Group to Tyco International to PSCU, a financial services firm based in Saint Petersburg, Fla., where he is CISO.
"The technology has changed, but the basic motivation, the social engineering part, hasn't."
– Gene Fredriksen, CISO at PSCU
There's another constant, too, that Fredriksen has discovered in his long and varied info security career. “The technology has changed, but the basic motivation, the social engineering part, hasn't,” he says, pointing out that the efforts of security pros still are aimed at access control, but their focus has shifted from the mainframe to servers and other devices on complex networks. “Con man skills are still critical to getting what you want,” he says. “Technology just helps penetration, and once [an attacker] gains entry, helps speed compromise.”
As demonstrated by high-profile breaches at Target and eBay, vulnerabilities like Heartbleed, crippling distributed denial-of-service attacks or more recent news that Russian hackers stole more than a billion credentials, organizations are assailed with compromises at nearly the speed of light, putting pressure on security professionals to move equally as fast.
During the early stages of Fredriksen's career, security was a slow-moving target. “It was like getting out of the way of a hurricane, you had five days to get packed up before the storm hit,” he says. “We don't have that any more. We have to be more nimble.”
Today security professionals – and the organizations they protect – must really understanding the new modes of attack, which, Fredriksen points out, are more sophisticated, more professional and better funded. “In my youth, you put up a firewall in the outside, made some rules, used anti-virus protection and focused on keeping some bad guys out,” he says.
That approach alone does not fly today, although, unfortunately, some organizations are still stuck in that mode. As new attacks come along, ever faster and more furious, security experts must protect their organizations' data. “They protect the perimeter and the focus is still on keeping people out,” says Fredriksen. But, he says, that's more like putting big locks on your house, and no locks inside to keep would-be robbers from moving from room to room.
Simply throwing more resources at the problem doesn't work, nor is it feasible in the face of tight IT security budgets. “Threats have risen 30 percent over last year,” he explains. “Companies can't hire 30 percent more people and if they could, they'd be too slow. The days of watching monitors turn red are gone.”
Instead, Fredriksen favors a kill chain, or systematic process to target and engage an adversary to create desired effects. It's no wonder that he is comfortable with what was originally a military description of finding and eliminating a threat as he is a veteran of the U.S. Air Force. Applied to cyber criminals, the kill chain—from reconnaissance and weaponization to delivery, installation, command and control and finally action on a target—is “an integrated, end-to-end process in which any one deficiency will interrupt the entire process.” Instead of training all cyber protection efforts on a single point like the perimeter, security teams should design network and information defenses to interrupt the kill chain at multiple layers—perimeter, internal, vulnerability, user and business—in the system, Fredriksen contends. And that creates a more robust security infrastructure than do traditional methods.
To interrupt the kill chain, Fredriksen advocates an intelligence-driven defense process which he describes as a “pragmatic approach based on a core set of best practices customized to a company.” Intelligence-driven security and analytics help an infosec teams do a host of things, such as pinpoint rogue users, investigate access to sensitive data and, maybe most importantly, identify emerging or shifting threats and deploy the appropriate defenses to thwart them. The strategy relies on a combination of automated and manual controls, processes and functions. Security pros can then adjust defenses as needed by information that is actionable, accurate and timely, rather than static.
“You tune defenses and move them,” Fredriksen explains. Once a new threat gets into an organization and exhibits certain behavior, then mitigating controls can be adjusted. That's important, considering that threats crop up in what can seem like an endless game of Whack-a-Mole and existing ones constantly morph and evolve.
“Long gone are the days when information security focused on building high walls,” says Rini Fredette, vice president and enterprise risk officer at PSCU and a colleague of Fredriksen.
“The nature of global commerce today requires systems to communicate outside of the protected network,” she says. “Gene's risk-based approach creates an environment that leverages security best practices while enabling the business to function nimbly and effectively.”
That's especially true as business has become more dependent on the internet. Security experts must tread carefully through the internet and social media, which have become integral to most companies' business, while addressing threats and full-on attacks. “In the 1980s, a website was just nice to have and if we thought we were having an attack, we could shut the internet connection down, invoke the nuclear option,” says Fredriksen. “We don't have a nuclear option any longer. Instead, we have to have a surgical strike…with least impact to business.”
From the inside out
While Fredriksen calls the threats that organizations face varied, the motivations for cyber crime are few and remain constant. “First is money, he says. “The second I've found is revenge.” And the conduit is often someone on the inside.
Employees walk outside the door and sell records, says Fredriksen. “They're augmenting their income.” At restaurants, waitstaff copy customer card information. And industrial espionage – often orchestrated or, at least perpetuated, by an employee – is most certainly on the rise.
Fredriksen has worked closely in the past with human resources, and has had the FBI in to talk to executives and staff about what constitutes insider theft and how to curb it. But, fighting insider threats is complicated because not all of these risks are malicious in intent.
“I've seen people who believe they own the information,” says Fredriksen. “When they leave the company, they try to take it out with them.”
And then there are the Edward Snowdens of the world, the whistleblowers, taking a principled stance and leaking information they believe the public has a right to know.
But, much of the time, it is the “uneducated” employee, oblivious of the consequences their behavior, executing suspect downloads, clicking on unidentified links, forgetting to change passwords, exposing too much about themselves on Facebook – and thus making their companies more vulnerable to attack – that poses the greatest threat.
“In talking with the FBI, criminals are doing intelligence-gathering through social media sites,” says Fredriksen. If an attacker wants to profile execs in a company, that place is ripe to gather intelligence and leverage those people for social engineering campaigns.
As a result, attackers have grown more creative and targeted in their attacks, customizing assaults to appeal to individual targets. If you like puppies, for example, and you tweet about them constantly, expect to receive a phishing email asking you to help save dogs at a shelter. “There are a lot of tools, and people are getting more creative,” says Fredriksen. These actors, he adds, have started thinking in ways traditional infosec orgs are unprepared for.
Enter the Millennials. This demographic represents both the biggest vulnerability and the biggest hope that info security faces today. “They're an incredible group. I love where they're pushing tech,” says Fredriksen.
Their social media and tech acumen make them valuable employees both in infosec and in the broader business sense. These younger workers are adept at leveraging Pinterest and Twitter and other social media for good, he says. The flip side, however, is that they also can turn social media into tools for harvesting information to commit cyber crime.
For all their modern ways, Millennials are a lot like people in the Midwest in the 1950s who didn't lock their doors at night. Only in 2014, the threats really are out there, in droves, just waiting for an open door to walk through. In fact, according to Fredriksen, “79 percent of victims are targets of opportunity.”
Millennials may have been born with smartphones in their hands and seamlessly navigate social media, but “a large part of the group assumes someone is on the backend and they think it's safe,” says Fredriksen.
He cites a Raytheon study that found that more than 60 percent of Millennials don't think twice about connecting through Wi-Fi without a password and 20 percent have never changed their password. “They think it's not going to happen to them,” he says.
And that creates a challenge for CISOs. “As you bring them into a company, you have to do basic security awareness training,” says Fredriksen. “We tell them, ‘Know who you're talking to, use your brain. Does it make sense? If it was your own info, would you give it out?'”
These young users have already altered the corporate landscape. But, to optimize this “huge market,” companies must adjust their business plans. “They don't do business the way we do business,” says Fredriksen. “They rely on technology. Business has to learn how to thrive in this new model.” That, he points out, includes social media and internet outreach. “But, they can't lose their mission to protect information.” Instead CISOs and their teams have to “move security controls to adjust to a new way of doing business.”
As a member of the inaugural generation of CISOs, Fredriksen believes strongly that he and his peers have a responsibility to their successors. “We need to make sure the next generation of CISOs are equipped and prepared for what comes next in security. They need to understand the history of how the attack cycle developed,” he says.
That mission is likely made easier as companies open up and share information about the cyber attacks that they've suffered. “In the past, no one really wanted to admit a breach,” says Fredriksen. “It wasn't good for business.”
But, as financial institutions proved in the wake of massive DDoS attacks in 2012 and 2013, going public with the attacks and sharing information with each other helped stem the attacks and retain customer trust.
Law enforcement and government agencies, like the Federal Trade Commission, have stepped in not only to make sure that criminals are caught but that companies uphold their obligation to customers by notifying them of breaches and imposing tighter security measures to safeguard sensitive data. “On one side, the awareness is there,” he says. “Stories of breaches are coming out and becoming public. Before, a lot of stuff went on and never made papers like it should have.”
He applauds law enforcement for showing consistency and driving home the message that “they're going to come after you and prosecute.” Stopping attackers in their tracks will come through consistent enforcement, greater awareness and publication, says Fredriksen.
As organizations start to view security as a business function, the next generation of CISOs must also be better prepared to take a seat among the “suits” – and not purely for political purposes. And that's because security leverages technology to support the mission for a company which is to protect and safeguard, says Fredriksen, who has seen the once-disparate elements grow closer.
“There is an understanding of risk, and they're willing to invest in security, that's understood,” he says. “Which is an incredible change from 15 to 20 years ago.”
CISOs, he contends, are now where the CIO was 10 years ago. “Companies didn't think they should report to anyone other than finance, certainly not the CEO.”
But the harmonization of business and security add another set of skills to the CISO's must-have list. “They will have to learn to speak the language of business,” Fredriksen says. “They will work with legal and compliance and build partnerships outside of technology.”
Security deserves that seat at the table because it adds value, he explains. And that's something this seasoned CISO has done throughout his career. Add value. At PCSU's perimeter firewall, 55 connection attempts per second are rejected, denied based on firewall rules. In a single hour that Fredriksen pointed to, the company allowed 25,000 outbound internet connections and blocked 46,000 for security/policy issues. The company receives 2.2 million emails per month and rejects 76 percent as spam or as infected.
Fredriksen may not have thwarted the squirrel that relentlessly invaded his birdfeeder, but he most certainly has been instrumental in thwarting cyber attacks during his career as a security professional.