



Wrapping up in Zurich

Jul 16, 2010 | 4 mins
Business Continuity, Data and Information Security, Identity Management Solutions

The third and final day of the Workshop on Cyber Security & Global Affairs and Security Confabulation IV at ETH in Zurich saw presentations addressing the ongoing challenges posed by cyber criminals. Here are a few highlights:

The Global Risk and the Challenges for Business

As societies become increasingly dependent upon the benefits and support structures provided by global technology systems, they are also becoming more and more vulnerable to attacks against those systems. Attacks are becoming more and more sophisticated and are increasingly difficult to detect or defend against. Akin to the “sleeper cells” found in a good spy novel, some attacks are subtle and designed to look for weaknesses and position themselves to exploit those weaknesses years from now.  

While businesses and governments are fully aware of these exploits, they are often hamstrung in their ability to defend against them, and often make matters worse by forcing poorly designed regulations upon those same organizations, draining resources away from where they could be better invested. In the U.S. for example, there are currently somewhere in the neighborhood of 36 pieces of legislation wending their way through the U.S. Congress, all dealing with various aspects of information security. In other cases existing regulatory environments hinder effective responses to cybercrimes. The most shocking example is that the major internet service providers (ISPs) can clearly see where botnets exist and where their attacks are targeted, but cannot take action to stop them due to existing provisions of archaic anti-trust regulations.

Getting on top of these issues requires that organizations:

  • have strong governance and organizational structures,

  • regularly assess their risk postures using proven risk assessment frameworks,

  • build strategic plans that are integrated into the corporate model,

  • clearly understand that security can and should be seen as a business enabler and should never appear to stand alone,

  • understand that policies are critical, but worthless, without proper enforcement tools, and, 

  •  continuously audit, assess and monitor…constant vigilance.

Payment System Security

Payment systems are increasingly targeted for exploitation. Attackers design their exploits to target specific weaknesses and take advantage of the information they gain. Often, attacks are aimed at gathering intelligence that can be used for a competitive business advantage. For example, attackers will target communications between key executives or even the CSO, learning about business deals in the works, or how organizations are defending themselves so that the attacker can more easily exploit weaknesses.

Defense in depth takes on a whole new relevancy when you consider that many current security technologies are easily circumvented:

  • Encryption: attackers are building customized hardware to help them crack encryption keys

  • DLP: sophisticated malware will now encrypt its payload of stolen information before sending it out to the attacker, allowing it to get by DLP engines

  • Authentication systems can be defeated by traditional social engineering

  • Anti-virus protections are ineffective against polymorphic threats

  • And so on

Perhaps the most telling response to these threats is when businesses, like Google, make changes in the 10Q financial filings addressing the fact that these attacks are persistent and that they may not be able to defend against them. Including these recognitions in safe harbor statements recognizes the severity of the risk.

A Global Strategic Approach to CyberCrime

The most effective way to fight cybercrime is through international cooperation between public and private entities and law enforcement. But that, in and of itself, will not solve the problem. We need to look at what is working well and, before governments begin to layer on new regulations, at what laws currently exist on the books that can be applied to cybercrimes, and which ones need to be modified. Additionally, look for examples in traditional crime that are working well and try to apply the most effective parts of them to address the new and emerging threats. For example, if you look at how commercial child pornography cases are handled, you’ll find that it can be an effective model for combating cybercrime.


As we sweltered through the heat (and accompanying lack of air conditioning) in Zurich, the goal of this workshop was to bring together some of the world’s leading thought leaders in security and, by listening to their ideas, advance the practice of security by understanding, developing and utilizing new methods to address the cyber risks that governments, businesses and individuals are dealing with in the face of sophisticated, persistent attackers. Through forty presentations we heard about the state of security, the challenges we face, and new ideas on how to respond to those threats. Clearly the most forward-thinking approach by security professionals I have seen to date. In the months to come we’ll see just how successful we were.