Fischer International's Andrew Sroka says that organizations cannot become complacent when it comes to IT security and need to have proper access control policies in place to determine who has access to sensitive data
Photo credit: Photo courtesy stock.xchng/ArminH
Andrew Sroka is president and CEO of data security firm Fischer International
Last month, one of the largest cyber attacks in recent history, whose victims included thousands of companies and 10 U.S. government agencies, was uncovered.
The attack, which was later dubbed as the "Kneber Botnet," allowed hackers to access login credentials to online financial systems, as well as to social networking sites and e-mail systems.
One company that is trying to keep organizations and government institutions on top of cyber threats is Florida-based IT data security firm Fischer International. In this "At the Frontline," SIW speaks with Fischer's president and CEO, Andrew Sroka, about the growing number of cyber attacks and what companies can do to protect themselves.
With the recent news that thousands of companies, as well as several U.S. government agencies have fallen victim to the Kneber Botnet, what are some steps companies can take to protect their data from hackers?
Kneber is kind of an interesting event for a variety of reasons. First of all, it is not exactly ground breaking hacker-type technology. If we really look at the metrics of what Kneber is, it is relatively old Zeus spyware or botware that's a newer variant which has been employed to develop this large network. Seventy-four thousand assets over 196 countries is pretty large by anyone's standards. It's not exactly earth-shaking technology and what is really being exploited by Kneber and Kneber-like Zeus infections is poor security policies that are in place at these organizations. Fischer's perspective is that organizations have a tendency to become complacent with their security profile in that we think we have anti-virus in place, so we're ok there; we think we have intrusion detection systems and that we're ok there; and we have employed the right software tools in our organization to defend against these external threats. I think organizations have to overcome that (event-driven reaction to security mindset) when it comes to implementing security. Security is a process, so establishing control over assets and establishing policies within an organization as they relate to security (and) to prevent these credential breaches are key. (The hacking industry) is the only industry that consistently demonstrates innovation.
Where do many of these cyber attacks originate and what is being done in those areas to curtail cyber criminals?
I think that the better question would be where are they not coming from? With Kneber in particular, there were several countries involved as sources, predominately China, but it wasn't relegated specifically to just Chinese assets. Pretty much any country or geographic region that has access to the Internet could be potentially a source, as well as that source that most organizations don't want to talk about, which is the internal threat that's often a big part of the problem. There are organizations and law enforcement partnerships across various countries that are trying to establish ways to manage and eliminate some of the threat of hackers, but it is a very elusive and evolving process and it's not something that any one government, or federal agency or regulatory agency can say they have a handle on managing.
How can organizations protect themselves against insider threats from employees who may want to steal sensitive data as an act of revenge?
That's probably the hardest part of the security profile for organizations to mitigate. Again, it goes back to the overarching theme that companies don't want to think that that threat is as real as it is. And not just malicious activities, but inadvertent activities can expose organizations and their data. The forefront of that process is access control, a very well-defined access control policy and systems to enforce access control... and constant audit and verification of that access control, such as password policies and enforcing password policies. A lot of it, when it comes to the insider threat, is education and establishing acceptable-use policies and enforcing acceptable-use policies and using tools that are available on the market that can enforce and manage access to that organization's data.
One of the big issues in IT security these days is protecting the privacy of both clients and personnel, what are some things that can be done to ensure that this information stays safe?
The ordinary safeguards we talk about consist of encryption, data repositories, physical access security, physical security of backup tapes and backup media. The chain of custody is a lot of times where you will see the source of a breach. People lose tapes, tapes get stolen, backup media or remote device are lost. The proliferation of remote devices that are now external to the organization's control, like laptops, smart phones or whatever they happen to be employing makes it difficult to control. Again, you have to go back to this access authority, establishing who has access to the data, controlling access to the data and constantly managing that access security process. It's important to not treat regular access and high-privileged access as the same animal. A lot of times you will see a single security policy applied in an organization to both general user population as well as your high-privilege administrators. The high-privilege administrators need to be treated separately, you have to have an additional layer of control over the access that's granted, when it's granted and how that's tracked within the organization. So outside of the standard we locked the door on our data center and we locked the case on the tapes, it all comes back to that access control.
What kind of regulatory concerns do people need to be aware of when it comes to securing sensitive data?
There's a laundry list of potential penalties that could be employed, but I think the biggest thing for organizations to make themselves aware of is what applies to them and to their market. A lot of organizations might not even be aware of some of the regulatory oversight that their company should be subject to. But when we talk about penalties, what's a greater penalty than going out of business? A high-profile, high-value breach that is widely publicized is a credibility damaging event. In some cases when we look at Societe Generale or TJ Maxx, there is a significant and immediate business impact from these breaches. From our perspective, that is the one thing you really want to be aware of. It's far more of a penalty than whatever regulatory fines your organization must pay. It's far more (impactful) than the onus of any state disclosure or breach notification rules or obligations your organization might have. The value of those penalties is far out-shadowed by the damage to an organization.
Many attacks go unnoticed for long periods of time as with the Kneber Botnet. Is there anything that companies can do to perhaps catch these intrusions quicker?
Complacency has to be removed from the equation. Organizations can't ever assume they have all their bases covered because hackers are very adaptive and very skilled. A lot times these organizations or groups of people have as good or better resources and systems and technology to work with as the majority of organizations that they're targeting. It is very important for companies to realize that you don't have to be certain size or a certain name brand or a certain revenue level to be the target of a hacker. A hacker is looking for any asset they can get a hold of, whether it's the couple of computers in your home office or in a government agency. Everyone is a potential victim. Companies have to understand that everyone is a potential victim and understand that the days of saying "it can't happen to us" have long past. Security is an ongoing process. You have to commit to the ongoing process and not treat things as individual events or things to react to. My opinion is that getting past the complacency and getting past the reactionary mindset is the most important thing.
What are some of the steps that companies need to take when they discover that they've fell victim to a hacker?
The initial reaction that any organization is going to have is going to try to drill down on whatever the precursor of that actual breach was. Whether that was somebody in accounting (who) left their password logged in and stepped away from the computer or there was an incorrect configuration of a firewall. The problem there is that we'll tend to get tunnel vision and try to focus on the issue that predicated that specific breach. Companies need to engage in a broader root cause analysis, how that particular breach event or that particular access point relates to the greater security profile. What are they not considering in the security profile? I hesitate to say it, but sometimes breaches can be a very valuable tool to reevaluate an overall security structure. Certainly, we don't advocate people breaking into an organization's systems to teach them a lesson, but a lot of people are under the impression that they're already covered and it's not often the case. By resolving the initial cause of that specific breach is one part of the process, but it has to be taken that next step further to evaluate the entire security profile for that organization to see what else may be at risk.
With so many companies moving to third-party management of their data, such as with cloud computing, what are some of the security issues that can arise with these types of data storage options?
Secure-hosted facilities or a professional hosting agency that is providing SaaS (Software as a Service) or remote data storage or remote administration, in many ways may be more secure and far more security conscious than an organization's internal data center could be. In larger organizations, you're going to see the same type of security procedures and protocols, but one of our positions as a provider of software is how many data centers in the general business have armed guards or access control systems on the magnitude of professional hosting services? I think there are a lot of misperceptions about the security of hosted or remote administered services that are pretty much unfounded. Generally, the same security issues that you would have internal to your organization would apply to a hosted situation and sometimes even less.
Do you think that we will see a push at some point in the corporate world away from PCs to Mac-based operating systems due to their lack of vulnerability to viruses and spyware?
I think you are seeing a move of people exploring different options. People are trying to mitigate risk in their organizations whatever way possible. The issue is going to become what application sets are available on what platforms. You look at the introduction of Linux into business systems and Mac OS into business systems, there's a lot of different options and the selection of those options is going to depend upon whether the business has access to the applications they need to run their operations. I think as more people start exploring different option we're going to see one of two things, either the adoption of a less vulnerable system such as a Mac or some other system or an increased effort on the part of traditional PC vendors to make a lot better effort at securing the systems that are already out there.
What do you think the future holds for IT security? Do you see attacks becoming even more frequent and how will people respond?
I do believe attacks will become more frequent. I also believe that as the reach of the Internet becomes more of a commodity in more places and more people have access to the potential of what the Internet means, certainly the best exploiters of any technology are the people that use it for ill gain. It is going to become more increased; you are going to see larger scale attacks like Kneber simply because there is money involved. If you look at the potential in Kneber's case to have a 75,000 asset botnet for hire that is a pretty dramatic representation of what that part of the technology is evolving into. This (problem includes) governments, hostile governments and corporate raiders; it comes from any real sector but its big business. I think it is going to force organizations to spend a lot more time and energy that they don't have to spare managing their security profile, which makes it even more important for them to have available to them automated tool sets, policy enforcement applications and access control management systems that can help take some of that manual overhead out of the picture.