Organizations of all sizes need to worry about data hacks


Driven by the fallout of major data breaches at Target, Sony Pictures, Anthem and hundreds of other large and small organizations elsewhere, cybersecurity is now a problem of strategic importance in organizations of all sizes.

ThirdCertainty sat down last week at the RSA Conference in San Francisco with Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama, to discuss the wider context. The fireside chat was sponsored by TaaSera, supplier of pre-emptive breach detection systems.

3C: Are the dots starting to connect in the minds of senior executives that their organizations are facing profound new exposures?

Howard Schmidt, former White House Cybersecurity Advisor

Schmidt: Yes, they are starting to look at cybersecurity as a strategic issue that needs to be dealt with at the corporate level. The financial services sector years ago said, “OK, we can lose this amount of money through credit card fraud, and we can work within that.” Now the exposures are much more than that. It’s reputation, it’s government regulation, it’s customer confidence, and so a lot of attention is going into it.


3C: Security vendors certainly are paying attention. There’s no shortage of clever technology to defend networks.

Schmidt: Yes, clearly. Every year at RSA and at Infosec Europe, I see products developed to react to what happened this past year or last week or last month, so you wind up in a situation where you are chasing the problem instead of developing systems to deal with those problems before they occur. For example, we have tremendous capabilities: intrusion detection, intrusion prevention, malware protection, breach detection, all those sort of things. They’ve been good, but they have not been as effective as we need them to be.

3C: Because they’re perimeter focused?

Schmidt: That’s correct, they’re all perimeter-based, so when somebody gets in and it looks like they should be inside, they can start doing things a normal employee would not do. And they’ll go undetected for a long period of time. We’re starting to develop systems to detect this type of anomalous behavior. But just as important, if not more important, is we need to create an ecosystem that does strong authentication and strong encryption, as well as secure coding, that basically puts you into a position where you have everything in your favor.

3C: Developing a security ecosystem like that implies a high level of intel sharing, a very big topic these days with President Obama, whom you served.

Schmidt: Many people don’t realize that in 1998 President Clinton signed Presidential Decision Directive 63 that said three things. One, the government is not well organized to deal with cyber, which they were not. Second, private industry owns the vast majority of critical infrastructure, about 85 percent. And the third thing is, we’re not sharing information with one another.

This was in 1998, so it’s before all the things we’re seeing today. President Clinton’s order prompted the financial services sector to create the first ISAC (Information Sharing and Analysis Center). It was about sharing information among companies in the financial sector. Zooming ahead, a big, big part of the national strategy to secure cyberspace that Tom Ridge and I released in February 2003 was about government sharing intelligence with the private sector, not sucking everything out of the private sector.

Today we’ve started looking at international strategy, at things like the national strategy for identities in cyberspace. It’s all about sharing information, and yet we still seem to have a conversation about it. I was at an event recently that was all about information sharing. We’ve been talking about sharing for all these years. And for some reason, we just can’t seem to get it right.

3C: With data breaches accelerating and showing no signs of slowing, and with the C-suite starting to pay attention, maybe we’ve finally reached a tipping point.

Schmidt: I couldn’t agree more. There’s a larger impetus to share, and there are legal implications—the liability is huge. And it’s a global issue. We keep talking about what the president is doing and about U.S. companies. Well, the Internet is not a U.S.-based issue. As a matter of fact, many of the U.S. companies we talk to are quick to point out, “We’re a global company.”

3C: How much room is there for greater sharing at a very basic best-practices level?

Schmidt: With large companies, that opportunity is huge. As you start going down the supply chain to the small and medium-size companies and to the startups, there is no mechanism by which they can share information and can take some action.

That’s why there’s a discussion about turning this whole mechanism around. So for instance, information classified as law-enforcement sensitive can be classified for no more than 24 hours, unless it meets some parameters that the private sector can understand.

You don’t have to give out all of the sensitive information. But you do want actionable intel turned around in 24 hours. You’ll then have the ability to inform a system administrator who does not have security clearances, and who does not go to the meetings in Washington D.C., to block this IP address or to be alert for this piece of malware. And he’ll be able to actually do something to reduce the likelihood of falling victim to some of these things.

3C: Sort of like shining a flashlight into some of the corners of the Darknet.

Schmidt: Absolutely correct. That’s a good analogy.
