Tuesday, February 24, 2009

Your online payments are being sniffed; accept it, live with it

PCI compliance is clearly not enough to protect credit card numbers or account information. It’s about time everyone who uses an account for online payment simply accepted the facts: your credit card numbers have been stolen. Check your statements monthly. Why? This isn’t about Heartland or the breach-of-the-week; this is about a constant, well-funded effort by a criminal underground. The primary tool in the cyber criminal’s hand, the malware program, keeps getting better. Malware authors are intelligent and focused developers who are well paid for their work. They have developed toolkits so they can generate new malware with little development overhead. They can generate new attack bits in a matter of hours that, to a virus scanner, may as well be a zero day – no signature means no detection, and no protection. Most of this malware decrypts live in memory and never touches the disk.

The computing infrastructure is easy prey. It has never been secure, and won’t be secure anytime in the next ten years. Computer security is a constant effort that will never fully work. It’s partial risk reduction, not resolution. The billions of dollars spent since the turn of this century on IDS, firewalls, and virus scanning haven’t made a more secure Internet. The growth of online technology has far outpaced our ability to secure it. Millions of credit card numbers are being stolen THIS MORNING. They were being stolen yesterday. They are going to continue to be stolen tomorrow.

Wednesday, February 11, 2009

Melissa Hathaway, on track to make a difference?

Unlike previous cybersecurity czars, Ms. Hathaway has experience. She understands how hard national security can be. Notably, Ms. Hathaway has been working on the Dark Side (think classified) of the government, which means she knows the reality of cyber threats - how effective cyber espionage really is, what is being stolen, and who is stealing it. It also means she knows the definition of a "Funded Threat." And, to combat these funded threats, she understands that it's not just defense, but also offense (think geolocation, tracing back to the human, and following the money). During his campaign, President Obama stated that he would take cyber attacks as seriously as nuclear or biological attacks. A strong statement like this ultimately translates to budget.

Obama seems to want to dip his toe in the water first. Ms. Hathaway will not have the White House power position, at least not yet - there will be some bureaucracy between her and the president. We will have to see what happens in the next 60 days. But bureaucracy will be one of Ms. Hathaway's greatest challenges. To her credit, she comes from the right community. She has the relationships in place that can help her succeed.

One of the things I like about Ms. Hathaway is her understanding that cooperation between agencies is required for success. The government is a big place, and the computer networks within it are like little fiefdoms. Coordination is difficult -- not because people lack the will to work together (although that adds difficulty), but because searching through ALL the information is required to find out what's important or critical. Most people want security to be someone else's problem. Those responsible for security want it to be easy. But that is the core of the problem. Security is NOT easy. There is no shiny button.

Real security takes work. Ms. Hathaway supports building new technology to address new types of threats that go beyond those of yesteryear. We need to realize that people are out to get us, that we are being attacked, and that if smart people in the Enterprise say it's an "arms race," you'd better believe the government knows it is. She needs to be frank with everyone that there is no magic pill. She must require people to step up and do more: not rely on outdated security technology, but supplement it with newer technologies.

The 60-day security review may bring back bad news - that things are terrible out there and the Nation's security is worse than it has ever been. We are in tough times, and some tough decisions will likely be made. Ms. Hathaway appears to have the big picture -- finally someone who might actually be able to change security for the better. Hopefully Obama will give her the authority to do so.