February 2008 • Volume 6 • Number 2
14,000,000 Attacks; Are Some By "CyberSopranos"?
Has your cyber security team “elevated its play” to handle 14,000,000 – that’s right 14 million – attacks monthly?
Or does your organization engage in “pain killer” cyber security?
Do you know whether your organization’s network infrastructure and critical data are being attacked daily by “CyberSopranos”?
Federal and industry leaders answered these questions and more during the Federal Executive Forum: CyberSecurity - 2 Years in Review broadcast on Federal News Radio and produced by the Trezza Media Group. (Video/Audio)
Jim Flyzik of The Flyzik Group hosted a distinguished panel of experts who discussed: securely sharing intelligence information; protecting critical infrastructures; new technology standards; and whether there will be a “Digital Pearl Harbor”.
On the panel were:
• Dave Bowen, CIO, Federal Aviation Administration
• Darren Ash, CIO, Nuclear Regulatory Commission
• Rob Carey, CIO, Navy
• Jim E. Finch, Assistant Director, Cyber Division , FBI
• Dean Turner, Director, Global Intelligence Networks, Symantec Corporation
• Dr. Eric Cole, Chief Scientist, Lockheed Martin
Pain Killer Security
From the industry perspective Dr. Eric Cole points out that government has two priority areas -- redefining cyber security today and creating the future of cyber security. “One of the huge problems today is we get so caught up on what I call ‘pain killer’ security where organizations go in and just throw money at a problem.”
Cole explains we have to step back and realize that security is all about risk to your critical assets. “So instead of focusing on buying a product, we have to say how does that solution reduce and appropriate risk?” says Lockheed’s Cole. “In certain cases there’s a big gap where there’s a problem, yet there’s no solution, so we are actually investing millions of dollars in advanced internal research and development on cyber security.”
NRC CIO Darren Ash urges that government make certification and accreditation (C&A) more than just a paper process. “You are dealing with risk; you want to get to that point of continuous monitoring.” Ash also points to another issue of making sure the “business side – including all of the stakeholders, Congress, the administration and agency leaders -- really understand and see the value of what we do as security professionals and as CIOs.”
End Point Security
The panel agreed that security is all about reducing the risk to critical assets and data portability. The Internet spawns global connectivity, making data more accessible. In the past your data was just on a server; now think of all the locations it’s on – a server, a PDA, a Blackberry, a laptop computer.
Today most organizations have put most of their security effort in firewalls and network architectures designed to protect their servers. But really the efforts are to protect the data on their servers.
So what happens when that same exact data is put on a laptop? That laptop leaves an organization and is plugged into a hotel location or an airport. That’s why end point security is becoming a priority as well as all the ramifications the threat of identity theft brings.
“One challenge is definitely risk assessment and risk analysis. Security is about a trade-off between what it is that we need to do and what we can do,” explains Symantec’s Dean Turner. “So we have to spend more time when we are doing our risk assessments on classifying the types of data. Not all data is necessarily worth protecting; some data is more valuable and we have to apply the appropriate resources at the appropriate locations taking into account that risk assessment.”
Challenges Galore
Then there is the sheer volume of threats, and communicating that fact to senior management. Plus there is cyber crime, where you have a global decentralized network of criminals; maybe not exactly the “CyberSopranos” as Turner calls them, but they have a level of sophistication.
Funding – or lack of it -- continues to be a complaint from many information security officers. But as FBI’s Jim Finch explains, “I’ve actually made the recommendation to those who claim they are not being funded properly that you have to develop metrics to show that what you are doing is not invisible, is not magic and it requires a lot of work. This way you can show your work and get the funding you know is so desperately needed.”
Intrusions remain the number one threat. “My number at the FAA is 14 million,” says FAA CIO Dave Bowen. “There are 14 million attempts to access our network that we deny every month. This gets reported to our management team.”
Having this reporting mechanism at FAA has cut the incidence of personal identity theft and embarrassment to the agency in half over the last couple of years says Bowen.
“Ease of use trumps security but embarrassment trumps ease of use,” warns Bowen. And to avoid embarrassment education -- especially of senior management on what the risks are -- is essential.
Navy CIO Rob Carey explains. “We have done a lot in trying to educate the very senior decision makers on the risks associated with information security and the investments required to maintain that.
“Once you have their buy in, you can then afford yourself the opportunity to work their budget issues, have their support, they understand it. I would tell you five to seven years ago, it was not a front burner issue for the Department of the Navy, it was an important issue but it wasn’t at the front. Now it has gotten everyone’s attention, they focus on it.”
Priority Rules
Their voices have finally been heard. Maybe it is because one Eastern European country was practically “taken down” due to cyber attacks; or maybe because government networks are being hacked relentlessly (e.g. FAA). Or maybe it's because people finally realized a cyber attack on a power plant can be just as deadly as a bomb.
Whatever the trigger was, they are finally being taken seriously. After years where some have said government has only paid “lip service” to cyber security, big money -- $7.3 billion proposed for FY09 – is being invested in CyberSecurity – making it a government priority.
So what are some of these cyber priorities?
Justifying The Investment
Justifying the resources and the ROI: these are two issues that plague cyber experts, because the best thing that can happen is nothing, and sometimes that doesn’t show up on a balance sheet.
As a society we tend to have a hard time getting out in front of threats and vulnerabilities. We are always trying to catch up, coming up with the fix after the bad thing happens. Is that mindset changing?
The Cyber Security Challenges We Face
Accessing the Internet while flying: most of us would love to, but it does present issues that the FAA has to address. Or is your C&A process just a paperwork drill? How do you make C&A live? What about international laws governing Internet use? Are the world's criminals now our criminals? What about that data that you've protected on your network, but now is "out there" on a staffer's notebook or PDA? How are you managing risk? Panelists give their views.
A "Digital Pearl Harbor": Hype or Reality?
High on the list of cyber security professionals is whether there is the possibility of a concerted, unprovoked cyber attack on networks worldwide; a “digital Pearl Harbor” that would damage or destroy much of our communications capabilities. Opinions vary. Just read what Forum panelists had to say about this frightening prospect.