Government agencies and the private sector are coming under additional pressure to increase their vigilance and to implement new technologies to protect sensitive information and critical infrastructure.
One of the prominent conclusions that emerged from the September National Security Agency (NSA) Trusted Computing Conference & Exposition in Orlando, Fla., was that Trusted Computing technologies would play an important role in making cyber-defenses strong enough to thwart the latest cyber-threats.
Consumers and organizations are facing a constant barrage of attacks, and the NSA is calling on the security industry to do “something different” to address the problem, Brian Berger, executive vice president at Wave Systems and a member of the Trusted Computing Group’s board, told eWEEK.
People and their devices around the world are being targeted by spear-phishing, social engineering, malware exploiting zero-day vulnerabilities and crimeware, Anthony Stramella, special assistant to the director at the NSA’s Central Service Threat Operations Center, said in his opening keynote speech at the conference. Mobile security is a concern, as malicious apps can collect personal data and transmit the harvested data to remote servers.
“How much security is built into a 99-cent golf app?” Stramella asked his audience before adding, “And people are using these devices for banking and everything else too.”
Malware is becoming more sophisticated, he said, with more than 68,000 tools available for developing malware and launching attacks-many of which don’t require special technical knowledge or skills to use. Stramella also said that people are exposing too much of their personal information online, putting them at risk for targeted attacks.
“The collective impact of his message was that the bad guys have something of an upper hand in a world in which people are surprisingly trusting and careless in their online behavior,” wrote Neil Roiter, a contributor to the Wave Systems blog.
One of the central messages of the conference was that it’s time to take advantage of Trusted Computing technologies to develop security countermeasures, said Wave’s Berger. Trusted Computing uses hardware-based security to protect the endpoint, network, data, mobile devices and other non-PC computing devices.
Going Mainstream
Two such technologies that are starting to go mainstream include Trusted Platform Module (TPM) to protect PCs and Trusted Network Connect (TNC), an open architecture for Network Access Control.
TPM is a secure microprocessor on the motherboard that can store cryptographic keys to handle authentication and encryption. Major PC vendors support the chip, and most modern operating systems can take advantage of its capabilities.
Computers with built-in cryptography have been around for almost 10 years, Robert Thibadeau, senior vice president and chief scientist at Wave Systems, said at the conference. More than 500 million computers include the TPM encryption chip, and self-encrypting USB drives are readily available on the market, Thibadeau said.
Cryptography is necessary because strong passwords aren’t enough at a time when powerful computers and password-cracking tools have made it easier and faster to brute-force passwords-even a 14-character alphanumeric one, said the NSA’s Stramella.
Using TPM for authentication would protect against these brute-force attacks, as the private keys are stored within the hardware module, making it harder for attackers to expose or steal them.
However, most enterprises aren’t using the built-in security features. Only a relatively few actually use TPM as the primary means of authenticating users or protecting data stored on PCs.
“It’s only recently that TPMs and other elements of Trusted Computing have evolved to a point where they can be built in and turned on,” said Stacy Cannady, a distinguished technologist at IT consulting company Digital Management.
However, now the NSA is telling the industry, “Pay attention, learn and do something,” noted Wave’s Berger. “Don’t just absorb the information.”
More Secure, Less Costly
TPM is more secure and more cost-effective than software-based authentication. It’s also more manageable and less costly than using hardware such as tokens, smartcards or biometric readers, Berger contends.
In the past, there weren’t a lot of large-scale deployments of Trusted Computing. That made a discussion at the conference of PwC’s recent 85,000-seat implementation all the more intriguing, he said. PwC began the project in 2009 and expects to use TPM to authenticate up to 80 percent of its users across 140 countries by the end of the fiscal year, said Gautam Muralidharan, engagement manager for security advisory services with PwC.
The fact that TPM was already in 95 percent of corporate laptops was a factor in favor of the project, he said. USB token-based authentication would have cost three times as much as TPM to deploy and manage, while a smartcard implementation would have been double the cost, Muralidharan added.
Here’s another conclusion reached at the conference: The need for highly automated and hardware-based security defenses is growing because the threats are becoming more numerous, more diverse and often highly sophisticated.
The United States is one of the most Internet-connected nations in the world, the NSA’s Stramella said in his keynote. He pointed out that there are plenty of low-profile threats that are as dangerous to both consumers and enterprises as sophisticated attacks are.
“You need to think like the adversary,” Stramella said. “That’s so important to develop counter-measures against the threat.”
The team at the NSA’s Threat Operations Center looks for and detects sophisticated threats-which is no easy task considering the volume and speed of data coming into the NSA for analysis, according to Stramella. The NSA uses extremely high-end supercomputers to decrypt and analyze the information.
The threat landscape has changed, he noted. In the past, there was time for the NSA to respond to a cyber-attack, even if there was only a short delay between when the attack was detected and when the NSA could mobilize countermeasures, Stramella said. These days, the NSA knows there is a major cyber-attack only when critical systems fail, he added.
“The threat is huge, it’s real and it’s growing, and if you’re going to defend against the threat, you need to know the threat,” he said.
After reviewing some of the known threats and recent high-profile incidents, Stramella observed, “These are the things that everyone knows are going on. Can you imagine what sophisticated adversaries are doing?”