Emerging Cyber Threats and Management of Information Security
BILL BONI: Good morning. It's a pleasure to talk with you.
SWART: Well, thank you for taking time to talk to our listeners today. I was wondering if you could start by describing, what are some of the most significant cyber threats that are emerging today?
BONI: I think it is pretty apparent to those of us that live in the information protection domain that the transition from the era where most risks were technological and driven by hackers who were principally hobbyists, or who were into the attacks against organizations for the notoriety that their achievements created, are now being replaced with professional criminals and members of organized crimes, and even in some cases, associated on the fringes of terrorist organizations.
So, they have a completely different motivation for the efforts they are undertaking. They are really now focusing increasingly on the parasitic extraction of value from the attacked organizations. And what this means is, the kinds of defenses and the technical mechanisms and the processes we have had in the past are no longer sufficient to deal with the kinds of threats and risks we are now all facing in the 21st century.
SWART: What is facilitating those changes? We see both this change in the nature of hacking itself, or criminal computer attacks, both technologically and also just sort of in our culture? What has caused these changes?
BONI: Well, I think part of it is, the benefits of globalization is, we are seeing increasingly that portions of the planet that were beyond the realm of connectivity are now part of the global on-line internet environment. And as a consequence, you have access that was never previously accessible. And that the wide variance in both the degree of skill and the nature of the experience available to the organizations that are providing the connectivity, as well as the personal motivations of the global population, I mean, it's a well-known fact, in crime statistics, if you take any given population of a given size, a small percentage in fact are going to be willing to create havoc or commit crimes and do things that are inappropriate.
When you vastly increase the population that has access, you therefore have added to the potential for people who have those kinds of anti-social behaviors to be part of that on-line community. And therefore, make the effort to come after us.
SWART: What about the rise in the sophistication level of malware itself? What is driving that?
BONI: Well, I think it's consistent with the emerging trends for targeted attacks and extraction of value. The original...back when I started in this field in the '80s, even, the simple viruses, the monkey, the brain, those sorts of things, required spreading through means of floppy diskettes and physically passing the device drivers around. As we have gone to increasing use of standardized platforms, it makes it easier for the writers of those malware to set up common means and exploit common vulnerabilities.
And then when you have that large population that now is getting access, in many cases early in their experience, and their learning curve, they remain vulnerable to the attacks using social engineering and other mechanisms that might cause them to do something that they don't even realize is inappropriate.
So, a combination of standardized platforms, standardized applications, much of which enabled the e-business and on-line banking and other applications that we benefit from, also make it increasingly easier for the anti-social elements within the global community to attack those kinds of beneficial capabilities through what looks like otherwise official-looking e-mail messages, or websites that have been doctored or modified in some fashion to allow the downloading of Trojan software or other key … software or that type of software that they all can be used against the individual or against the financial institution, or a business or any other on-line organization.
SWART: How should banks or other financial institutions be preparing their incident response capabilities given this new threat picture?
BONI: I think what's going to happen is, I think the sort of community-based response model that has served well in the physical world is something that is absolutely essential now in the cyber and on-line world. Increasingly, institutions will be competing on the benefits that they can provide their particular customers, or the community-based service. But there needs to be a...everyone has to share across boundaries the types of experiences that have been detected, and to build that consensus and that capability.
It is very, very important that we move beyond the idea that we have to just find the source of a problem and shut it down until now we have to find the source of the problem, investigate how and why and where the problem was instituted into our environments. And then share that with law enforcement or other appropriate authority so that the community as a whole can become more resilient and more capable of dealing with these kinds of threats. Can you imagine, again, it's almost like you're dealing with serial killers in the physical world, where if they move beyond the jurisdiction, there is no way of sharing information, they can continue to commit their crimes almost indefinitely.
We have to make sure the cyber criminals are, in fact, their mechanisms are identified, their modus operandi is detected, and the teams that have that information share it with the appropriate, authorized law enforcement or other agencies within their jurisdictions.
SWART: In talking about responding to incidents, is it important for our financial institutions to possess cyber forensic capabilities themselves? Or is this something that is better outsourced to specialized groups?
BONI: Certainly, I think there are pros and cons to any particular strategy. I think that depends on the institution, the size of their environment and the nature of their IT relationships, information and technology relationships. I believe that a certain basic level of capability is going to be a table-stakes element of the technology organization's capabilities now in the 21st century, but given the particular set of incidents, or challenges, that are very sophisticated or extensive, or a particular surge in those incidents, you are going to need access to additional capacity.
Even a sophisticated organization like ours that has an internal capability also contracts with other organizations to either augment or supplement. And I say augment as in, something might be standard, but we just have too much to process in the timeline that is necessary for our needs, or to supplement in areas of specialized experience, knowledge or skill that go beyond the normal platform elements that my team might be knowledgeable of.
So, I think the leaders of the technology and business managements really need to consider what is the right mix of internal, retained and on retainer, external resources to meet their particular challenges.
SWART: Bill, are there critical success factors for the effective management or governance of incident response?
BONI: Absolutely. I think governance is one of the perhaps less appreciated components of overall effectiveness of information technology. My experience with ISACA when I was in charge of the IT governance institute really opened my eyes as to the benefits of having structured processes that define the performance measurements and allow the technology management team to communicate in business terms with their key stakeholders.
Similarly, within the incident response and the security protection area, there is a need for that same kind of discipline and rigor in alignment to the values of the particular institution or organization. Left to their own devices, technology folks will do their best to do what they think are the right things, the right way, for the right reasons. But the governance process ensures that all of the stakeholders are appropriately informed, have the ability to exercise the appropriate oversight, and provide direction and guidance to ensure that the team delivers the results that are necessary for that organization.
SWART: Is there a key lesson that you've learned in your 30-year career that you could pass on to our listeners in terms of, how best to protect their intangible assets?
BONI: I think the first lesson is to have someone who actually is responsible for this from an operating perspective. Traditionally, and necessarily, within the US legal and regulatory, lawyers have to play a key role in intellectual property protection. Because they are in fact the most knowledgeable about the laws. However, to augment that legal expertise requires a specialized set of skills and experience that deal with the operating mechanisms that exist within information technology, that exist within the traditional physical or corporate security functions, and understand the HR, human resources capabilities and limitations of policy and process.
So, the combination of having the right policy, process, awareness and technologies is really the way to manage the risk to those assets that, in the 21st century, are increasingly the nature of how competitive advantage is gained and maintained. So, having people that have that skill set, having accountabilities for that, will go a long way towards building a program to be responsive to new challenges to those assets.
SWART: What skill sets should an information security officer be looking for in a new candidate today?
BONI: I think as with many technology leadership functions, it's increasingly important to be well-grounded in the business of the organization. And that the staff members would be part of the banking community. They need to understand how banks work, how they generate their profits, how they serve their customers, the value that they create in the communities they serve.
Absent that kind of grounding, the risk that a purely academic set of solutions might be implementing or advocating could really be harmful to the ability of that organization to serve its constituents and stakeholders. So, being well-grounded in business, as well as having a solid technical foundation, and a willingness to learn and adapt and grow with the challenges that we're going to face is a very dynamic field.
Saying that you have done this 20 years ago in an A-frame environment, therefore you are well-skilled to deal with the mobility challenges of the 21st century, unless you have been investing time and training, keeping up with the various developments both in the hardware and software as well as in the societal dimensions of how technology is used, people run the risk of becoming obsolete in their skill sets.
So having people who are willing to grow, willing to learn, is a key part of that skill set as well.
SWART: How would you evaluate the state of information security today? How good of a job are we doing at winning the war?
BONI: I'd say the good news is, we understand that the challenge is not about buying just the latest and greatest hardware or software, that that is going to be sufficient. The difficulty I think in many cases is that executive managements are still stuck in the 20th century risk management mindset. Most of the executive leaders of today grew up in, again, and gained experience in the 20th century. Whatever things, the fastest they existed was at the speed of fax. They would fax that information around. It was when they were getting their experience.
They have a very good … understanding of risk associated with fire, flood, civil disturbances, the damage to operations and work institutions in those contexts. I do not think 20th century executives are quite yet skillful, and haven't yet developed the gut instincts as to the real nature, extent, speed and the consequences that could attend to serious cyber incidents. As a consequence, that is an area where I think we're going to have a lot of learning take place.
We started to see that in some of the retail organizations, where they have been hacked, value has been extracted. Tens of millions of consumers' credit cards, information, was exposed to criminals and/or others for unknown purposes. And there is a sort of bemusement on the part of management saying well, how did this come to be? What was going on?
So the challenge, I believe, of the 21st century is really that we have got to get senior managements within businesses, within banks, within other organizations and government as well, to understand that this really is an area that warrants ongoing attention. It requires resourcing. And the failure to do so will, in fact, expose the organization to the kinds of adverse brand impact and consumer confidence losses as the worse physical incidents of the 20th century.
SWART: Thank you for your time today, Bill. It's been great information.
BONI: It's always a pleasure to be part of the community.
SWART: Thank you for listening to another podcast with the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information securities for the banking and finance community, you can visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.