DALLAS—Sometimes unanimity is refreshing, but not when panel after panel at the Metro Ethernet Foundation’s GEN15 conference here delivers the same depressing news. Despite all the work that’s been done to improve enterprise and network security, the picture is far worse today than at any time in the past.
Timothy Wallach, supervisory special agent from the Federal Bureau of Investigation’s Seattle field office cyber task force, said that the level of criminal activity attacking enterprises in the U.S. has reached an all-time high.
Wallach also said that despite the worries about insider attacks, “those are only a small percentage of the attacks we see.” He said that the vast majority of attacks on businesses are criminal activity seeking to steal information from companies that can be used by competitors or that can be sold on the dark Web.
While criminal actors are the single biggest source of threats, there are plenty of others, Wallach said, including political activists who want to disrupt businesses for some political gain or to make a point.
He also listed nation-state actors who will attack an enterprise, frequently as a means of gaining access to some other company with which they do business. “No one is immune from these attacks,” he said.
What makes the latest attacks so serious is that perpetrators are better funded and usually more skilled than they have been, but Wallach also noted that even relatively unskilled attackers have access to sophisticated tools to break into networks and to launch attacks. He said that it’s not unusual for IT managers to find that their networks have been infected for years.
Stuart McClure, founder and CEO of Cylance, speaking on the same panel, said that once security managers start looking for threats that already exist on their networks, “It’s like turning on a black light in a hotel room, you have to be ready for what you’re going to find.”
He said that it’s not uncommon to find that the hackers have penetrated far more of a company’s network than anyone realized and may have been stealing information for years. “You might wish you hadn’t looked,” he said.
During an earlier panel discussion, Ethernet inventor Robert Metcalfe said he’s been trying to encourage better security for networking, saying that in some instances the Internet of Things was going to be a significant weak point. He said that better authentication should be designed into embedded electronics. Metcalfe noted that such security problems were going to be growing in importance as the IoT becomes more widespread.
IT Managers Struggling to Keep Up With Cyber-Threats: Security Experts
McClure agreed, and told of one test he ran in which he was able to hack into an insulin pump. The pump, which is designed to regulate insulin delivery to diabetic patients automatically using an embedded wireless blood glucose sensor, turned out to have a back door.
He explained that the manufacturer designed the pump so that it would only talk to the sensor using a specific serial number, but to make testing easier at the factory, the serial number “999999” would also work. McClure said that he would have been able to force the insulin pump to deliver too much insulin, killing the patient.
He said that when he revealed this to the manufacturer, they seemed to be unsure of what to do about the problem. But then the manufacturer said that the security hole was actually a feature because it made testing easier. Eventually the manufacturer understood why this was serious, and has since fixed those insulin pumps, but it illustrates the problem and the importance of getting IoT security right.
Unfortunately, the problem of security at all levels persists. Wallach said that in some cases device manufacturers realize that security is important, but they have trouble gaining management approval for security measures because of cost considerations. McClure said that the only way to solve the cost problem is to design security into devices from the beginning. That way, he said, the cost of security wouldn’t be seen as an add-on.
So what about those insider threats that seem to have become so visible lately? Even though the FBI doesn’t see those as often as they see criminal activity, they’re still important. Worse, they’re very difficult to defend against. “They know the system,” McClure said, “they know where the important information is kept and they know how to get to it.”
Still, there is some hope. “The defenders are getting smarter,” McClure said, but he noted that the picture isn’t as bright as anyone would like. “The attack surface area is so large that we’re basically janitors trying to clean up at the end of the day.”
The answer, Wallach said, is to focus on things that IT managers can change. That includes shifting focus to the endpoint because that’s where the attacks are aimed these days. He pointed out that while perimeter defenses aren’t the only answer, they are part of the solution. “There’s that old notion of defense in depth,” he said.
That means that the only way that security will work is to deploy it in layers so that no single attack can get to everything.