Washington, D.C.—Hackers at all levels have new capabilities at their disposal, said Leo Taddeo, former special agent in charge of the Special Operations/Cyber Division of the FBI’s New York Field Office. Taddeo is now the chief security officer at Cryptzone, which is entering the U.S. market after years of successful growth in Europe. “Unfortunately,” he said, “there’s no improvement in our ability to deter that capability.”
I interviewed Taddeo before his presentation at the International Spy Museum here. Taddeo, who is in the middle of a cyber-security seminar series sponsored by Cryptzone., said that there are a number of factors that make cyber-security more difficult now than it once was. “It’s hard to deter China in anything they’re doing,” he said.
But the problem goes far beyond just nation-states hacking for military and commercial intelligence. “At the low end are the script kiddies, the hobby hackers,” he said. Those are people who break into networks for recreation, or perhaps bragging rights, but are now getting much better tools to help them do it.
In the middle are the cyber-criminals who are hacking for money, and who are now getting their hands on information and software from nation-states, and are learning how to use it.
Complicating the task of keeping the hackers out of networks is the fact that they realize the risks are very low. While the penalties for getting caught can be severe, the fact is that despite the concerted efforts of law enforcement, most hackers are never caught. Because the risks are so low and the level of danger is so high, Taddeo said that it’s critical for enterprises to make sure their defenses are up to the task.
Part of the process of being up to the task is having your company’s leadership on board, but Taddeo cautioned that getting managers on board can’t be done just by presenting them with a ROI presentation. “It’s not an ROI calculation,” he said. Worse, he said that when security is presented as an ROI calculation, it depends on factors that simply can’t be known, and because of that, the calculation can’t really make sense.
In reality, security is about protecting your brand, Taddeo explained. He said that corporate leadership can usually understand the damage that will come to their brand, and as a result to their company, in the event of a major breach.
This is important because building an enterprise security solution requires significant investments in structure, both of the security and of the enterprise itself. Depending on the company, it may require breaking open silos of information, it may require building communications networks so that managers in different parts of the company can talk to each other, and it needs to be a structure that’s resilient so that a breach in one place doesn’t place the entire enterprise at risk.
“A lot of companies spend money on perimeter defense,” Taddeo said, “but more needs to be spent on hardening the interior.”
Taddeo echoed the words of former cyber-security director Richard Clarke, who in an interview with eWEEK earlier this year, said that it was pointless to think that perimeter defenses could keep hackers at bay. At the time, he said, “The bad guys are already in your network.”
Former FBI Cyber Chief Sees Threat Outlook Getting Worse
Taddeo said, “Everywhere we look we find the Chinese and everyone else.
So what’s the answer if the bad guys are able to invade your network seemingly at will? In short, you make it so that once in your network, they can’t do anything.
“Use the principle of least privilege,” Taddeo said.
That means giving users access to only the network assets they actually need, and not to anything else.
Limiting access means designing your network for micro-segmentation, which avoids putting unrelated assets on the same network segment. Taddeo said that while micro-segmentation makes administration more of a challenge, there are tools for administrators that can help with this, including products from his own company.
However, he said that it’s also critical that once you design your network, you do an honest assessment. That requires that managers in different parts of the enterprise communicate with each other, and in the process, help with the assessment. Then, Taddeo said, “have someone else take a look at it.”
If I took one thing away from my conversation with Leo Taddeo, it is that at its best, security is a work in progress. Trying to create a fortified perimeter defense against the hackers is as pointless as it was for the French to build the Maginot Line in the 1930s. While those defenses may have been impenetrable, France was invaded anyway because the enemy simply went around those fortifications.
Instead, the defenses need to exist in depth, and they need to be varied in their approach. That way, when the hackers figure out how to get past one defense, they will then run up against another one that’s completely different. But those defenses must be a work in progress so they can adapt to the threat landscape as it changes. Otherwise, the attackers will simply find a way around them.