Why CXOs Must Become Better Informed About Cyber-Security

A data breach can happen at any time, any place, and from sources about which C-level executives may not even dream.

SAN FRANCISCO—C-level executives need to get with it and become better educated about how prudent cyber-security practices in networks and devices should be deployed and the overall critical value of tight security to their companies.

Why? Because if security doesn't get the right amount of attention in the C-suite, the business that CXOs could lose could well be their own.

These statements don't come from an analyst or theorist. They came from a CEO who's been there, one who has worked in both telecoms and security and knows exactly what it takes to protect an enterprise security system from bad guys inside and out.

"The use of the Internet is an essential part of doing business on a daily basis," Harri Koponen, CEO of the Finnish security development and products provider SSH, told eWEEK. "We can't continue to do business without thinking: Is this secure? Is this sound? Is everything OK, because your customer records are online? If you're not thinking about this part of the business, eventually you will destroy your business."

Breach Can Happen Any Time, Any Place

This is because a data breach can happen at any time, any place, and from sources about which C-level executives may not even dream. In fact, new methods to infiltrate systems in search of financial, personal and business information that can be resold or used in nefarious ways are being created on a daily basis by people motivated by huge financial payoffs.

A recent example of what can happen is that of Code Spaces, a now defunct code-hosting company that a year ago was hit by a hacker who accessed the company's Amazon EC2 control panel and took control of all its business data.

After the hacker obtained access to all the files, he held them hostage for a price. When Code Spaces refused to pay, he deleted everything, and the company was left twisting in the virtual wind, completely out of business.

This isn't a common event, but an attack like this can happen to anyone.

Koponen and eWEEK had a conversation at RSA Security 2015, the world's largest IT security meetup, which has about 30,000 people at Moscone Center here through April 24. Koponen and members of the SSH team attended several session tracks this week and came away a little puzzled about the program.

No Track at RSA for CXOs

"I'm really surprised that there isn't a track here specifically for CxOs," Koponen said. "This is a big hole in the program. C-level executives need to be aware firsthand about the cyber-defense of their company. This is extremely important. They need to understand what safeguards need to be in place and what their security can or can't do when an attack occurs. This is because attacks will eventually occur."

There should be no CEO, CFO, board chairman or audit committee head who's not thinking about this, Koponen said.

"They should be thinking about 'How is my reputation going to be affected if we are attacked, and our systems go down?'" he said. "This is because everything is on the Web."

An enterprise's job is not only to provide products and services for its customers but to also make sure that business transactions are conducted in a clean, efficient and totally secure manner, so as not to put any type of business or personal information at risk.

SSH Now in Its 20th Year

SSH, the parent company of which is based in Finland, is celebrating its 20th year of operation in 2015.

Secure Shell, or SSH, is a standard protocol used throughout the Internet, in virtually all mobile connected devices and in data centers. It is an encrypted network protocol for initiating text sessions on remote machines in a secure manner. This allows a user to run commands on a machine's command prompt without the user being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server.

Common applications include remote command-line log-in and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

SSH keys can used by system administrators to log into remote computers without a password. Keys must be tightly managed, and those that have been outdated or unused must be disabled. The SSH company provides tools and services for those purposes; that's the company's primary business model.

SSH keys, like other security tools, can be used for malicious purposes when they get into the wrong hands. Certificate-management firm Venafi posted an analysis in 2013 stating that National Security Agency whistleblower Edward Snowden likely used SSH authentication keys to give his account privileged access to other servers in the network.

"This is why companies need to take stock in all their authentication keys, because they can stay around forever and be used for bad purposes," Koponen said. "Some companies have literally millions of keys lying around from over the years. They cannot be deleted, but they can all be permanently disabled using the right tools."

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...