At the Frontline: Cyber security expert Jim Butterworth

Earlier this month, hackers believed to be working on behalf of the North Korean government launched cyber attacks directed at U.S. and South Korean government Web sites.

According to a report from the Associated Press, the attacks affected 11 different South Korean and U.S. Web sites, causing access problems as well as outages. Among the U.S. sites affected included the Treasury Department, Secret Service, Federal Trade Commission, and Transportation Department.

Government Web sites are not the only ones that have been vulnerable to attack. Highlighting the devastation web vulnerabilities can cause to an organization, TJX, the parent company of retailers T.J. Maxx and Marshalls, recently agreed to pay more than $9 million to multiple states following a massive theft of customers’ debit and credit card information. The retail giant has also reportedly entered into multi-million dollar settlements with banks that issue Visa and MasterCard credit cards to cover the costs that they incurred due to the breach.

In this “At the Frontline,” Jim Butterworth, a retired U.S. Navy cryptologist and senior director of cyber security for Guidance Software, discusses the steps that organizations can take to protect themselves from hackers, as well as how to respond in the aftermath of a security breach.

How do you protect your organization against an organized cyber attack like the one recently experienced by the U.S. and South Korea?

People just assume things are working and that their firewalls are doing their job. Not until you have something happen like this does it bring (cyber vulnerabilities) to the forefront. There are two things you have to consider, outside threats and insider threats. The insider threat could be an outside entity that has successfully penetrated your (cyber safeguards) and now has malicious software lying dormant in your network. These (viruses or worms) are remotely controlled and from a corporate standpoint, you have a responsibility to your peers to make sure that your network is protected in such a way that you don’t become an unwitting participant in an attack against them or your customers. You also have an obligation to your shareholders that information on your network is safe and you don’t have malicious code sitting there waiting to be activated. The best way to keep a robber from getting into your house is to make sure you have locks on the door, but what about when you invite the pizza man in? You just don’t think about the inside.

Now that we know that the recent cyber attacks against the U.S. and South Korea were intended to be much broader and also targeted the White House and the Pentagon, do you believe that U.S. cyber security officials and the safeguards that they have in place were successful in thwarting a more serious attack?

There are two ways to look at it. One way is to judge success on the ability to penetrate the network. In that regard, (the hackers) would have been successful. If your objective is to fight through an attack, I would say the (hackers) failed. The (Web sites) weren’t mission critical from the standpoint of national security or critical infrastructure. It’s a zero sum game when you’re attacking low hanging fruit.

Who are some of the most prevalent countries behind these sorts of cyber attacks?

Obviously, you have the Chinese. They are very active and get a lot of press. It happens from every country, however. One of the things about the Internet is that it has been called the great equalizer and (in a sense) you can fight the largest military in the world from a home computer. To coordinate a massive cyber attack, it takes quite a bit of preparation.

Looking at cyber security from a corporate perspective, what are some of the steps that you need to take to ensure that your organization is safe?

You have to know what’s on your network. It’s very hard to defend against something you don’t know exists. I think a lot of security people get and understand that they have a responsibility and are accountable for protecting information, whether it is public or corporate. The challenge is locating that data, after which you have to take it one step further and determine which people have access to it. It comes down to auditing what people do with their access to critical data and making sure secrets are where they are supposed to be and not on people’s thumb drives. This also includes setting up policies that prohibit employees from creating databases with sensitive information on their computer and taking a proactive approach.

What are some of the dangers of failing to take a proactive approach to cyber security?

Obviously, if you’re in a regulated industry you are required to. Failure to properly handle breaches of a security network could cost you your job or the company could suffer sanctions. It could also end up hurting you on the trading floor. The other, bigger threat is your corporate secrets end up in the hands of your competition and you lose your competitive advantage. Corporate espionage is happening quite a bit.

What can be done to ward off potential sleeper attacks from malicious software that may already be in an organization’s network?

We need to look at our boxes digitally. The bottom line is when you establish as a company that these are the applications we use, you need to create a digital profile or digital baseline. At any point in the future, you can run a comparison against what’s different from baseline. The key to catching sleeper code is being able to recognize it.
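As an added illustration of the baseline comparison described above (example code written for this page, not from the interview or from Guidance Software), the script below records a SHA-256 baseline of a directory tree and later reports which files were added, removed or altered; the directory layout and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map each regular file under root (by relative path) to its SHA-256 and size."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": digest.hexdigest(), "size": path.stat().st_size}
    return baseline


def compare_to_baseline(baseline, current):
    """Return what appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Constructed scenario: an approved install, then a dropped binary, a
    modified library and a deleted file found on a later sweep."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "app")
        app.mkdir()
        (app / "service.exe").write_bytes(b"approved build 1.0")
        (app / "helper.dll").write_bytes(b"approved helper")
        (app / "readme.txt").write_bytes(b"docs")
        baseline = build_baseline(root)
        # Simulate what has changed on the box since the baseline was recorded.
        (app / "helper.dll").write_bytes(b"approved helper" + b"\x90" * 8)
        (app / "svchost_update.exe").write_bytes(b"unknown binary")
        (app / "readme.txt").unlink()
        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A hash baseline only catches on-disk changes, so it complements rather than replaces review of running processes and memory.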

What should an organization do after a breach has been detected in the system?

In a regulated industry, you should get your general counsel and advise them that you’ve had this incident and start going through the process twofold. You have a duty to inform while simultaneously you also have your security team going down a road (to determine where the breach originated). What you really have to keep in mind is evidence sterility. You need to make sure that the steps your security staff are taking fall under industry best practices and that your experts can stand up to scrutiny and cross-examination. More companies are developing computer forensics teams to handle these types of situations.