A Conversation with Shon Harris on IT Security
The threat landscape that companies face today is not the same that they had to deal with even five years ago. Today’s threats are not the lone hackers but organized, trained, and funded groups that are backed by organized crime rings or nation states. In this interview, Shon Harris further defines this threat and how corporate IT managers can mitigate against them.
Please provide us with some background information on your organization and your industry.
I work in the information security industry, which has critical impacts on businesses, organizations and nations. Our society only increases its dependence upon technology, and properly securing it can come down to the life or death of an organization.
The information security industry is relatively new compared to other industries as in financial, medical, and telecommunications. The industry is currently going through many different “growth pains” as it moves from a chaotic and infant entity to a more mature and disciplined space. I and my company have been seen as visionaries in helping some of the largest corporations and government agencies secure their most precious assets against the largest threats they face today.
Logical Security is going into its 8th year of existence, while I have been in the industry for 15 years. My company specializes in risk management consulting services and training. We build enterprise-wide risk management programs that not only allow our customers to identify their vulnerabilities and stop their adversaries, but correlate and integrate information security issues into their overall business decisions and vision.
What are some of the primary challenges your industry faces?
The threat landscape that companies face today is not the same that they had to deal with even five years ago. Today’s threats are not the lone hackers but organized, trained, and funded groups that are backed by organized crime rings or nation states.
Attackers are no longer interested in spreading benign viruses, but have very focused goals of obtaining an organization’s most sensitive data as in social security numbers, credit card information, medical data, and privacy and financial information. The attackers are using our technology against us and we are constantly being outsmarted.
Companies and government agencies are finding it difficult to keep up with a threat that can morph and adapt at the rate of speed that is currently taking place. Anti-virus products capture around 23% of the malware that is on our systems, meaning that most systems are infected and being used by an underground criminal without our knowledge.
Organizations have a false sense of security because they have anti-virus, firewalls, intrusion detection, intrusion prevention and other technologies in place. While these are necessary defenses, the enemy is circumventing them and covertly embedding themselves into the technology and devices we use day in and day out.
What solutions are you contributing to overcome these challenges?
I have several roles in the industry: author, consultant, instructor, and speaker. These are the different avenues I have to educate and help the industry identify its real risks and come up with real solutions that are efficient and effective.
I have written books that are used in the trade industry and text books that are used in some of the top information security graduate programs offered in universities today. I write magazine articles and online whitepapers that cover emerging technologies, security best practices, industry trends, information warfare, and more.
I consult with many of the top Fortune 100 companies on topics as in vulnerability and risk management, intellectual property protection, data leakage, secure e-commerce, identity management, cryptographic solutions, business continuity and more.
I have trained thousands of people in the last 10 years on material based on my bestselling book, and I talk at conferences around the United States on various information security topics.
I am currently working with the Department of Homeland Security (DHS), National Security Agency (NSA), National Institute of Standards and Technology (NIST), and MITRE on my new book that explores how the industry can enumerate, automate, and measure how we are carrying out security practices today.
So I write, teach, and consult on emerging threats that our companies, organizations, and nation face along with the necessary countermeasures.
What do you feel is the most important message to convey to individuals?
We are not as safe as we think we are. The amount of bank and credit card theft that takes place increases dramatically each year. Identity theft is the most prevalent white collar crime worldwide. Our technological defenses (antivirus, IDS, IPS, firewalls) are being either bypassed or circumvented.
The threat organizations face today is referred to as the Advanced Persistent Threat (APT). This means the attackers are skilled, patient and organized. Their goal is not to disable businesses’ functionality, but siphon off sensitive information covertly so that competitive espionage and fraud can be carried out in the background without anyone knowing about it.
Criminals can carry out their activities anonymously, which makes it hard to know who is attacking you; the criminals may be in countries such as China or Russia, which makes it hard for law enforcement to investigate, and their attacks are becoming more sophisticated, which makes it harder to defend against.
While education and awareness is not the sexiest part of security, it is the most critical. If company owners and individuals understood even the most common and basic ways that attackers enter their computers and networks, they could carry out more useful defenses. Education takes more than just 30 minutes of security awareness training annually; it needs to happen on continuously. Company owners and officers should demand to be briefed about security issues that threaten their environments monthly if not weekly. Security risks should be integrated into the C-level business decisions. Security and how it affects the organization should be discussed at the board level. Organizations should invest in continuous training for their security IT personnel. The enemy is getting smarter, and so should we.
How has the information security landscape evolved over the last 10 years?
Our networks have moved from centralized homogenous closed environments to open distributed heterogeneous environments. We have not only connected our networks to the Internet, we connect smart phones, laptops, iPads, wireless devices, USB devices, and more to our precious networks, which expands each and every end point that is open for attack.
Over 70% of most companies’ financial transactions are happening over the Internet in some fashion of e-commerce. We move every type of sensitive data that is available over some type of digital communication link every second. Things as large as your power grid down to things as small as a pacemaker are dependent upon technology, which means they are open for attack.
Our life is continuously being enriched by technological advances, but these advances open us up to more types of threats on our way of life.
How have the threats that companies face today changed over the last five years?
Hackers used to be just annoying, and the cost of dealing with them was relatively low. They caused small problems, such as defacing websitesversus the competitive espionage, fraud, and organized crime that takes place today.
We refer to the new type of threat as the Advanced Persistent Threat (APT). APTs differ from the regular old vanilla attacker in that the threat commonly comes from a group of attackers, not just one hacker, who combines its knowledge and abilities to carry out whatever exploit that will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with variously different attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. The “advanced” aspect of this term pertains to the expansive knowledge, capabilities, and skill base of the APT. The “persistent” component has to do with the fact that the attacker is not in a hurry to launch and attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than just a virus that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded which makes it the biggest threat of all.
Why is it so easy for hackers to infiltrate our computers and networks?
While many organizations still do not practice some of the most basic security practices fully (password protection, encryption sensitive data, etc.), it is getting harder to locate the entry points that attackers use and identify their malicious activities once they have gotten through those entry points.
Attackers change their MO as companies and users get wise to their tactics. For example, the phishing attacks that include fake emails from supposedly reputable entities that tricked people into clicking on dangerous links have decreased since more people have been learning about these types of attacks. As more people are learning about the dangers of opening email attachments, for example, attackers are moving onto attack types that people are not aware of. Just like any type of crime, it is a cat and mouse game. As the cat gets smarter, the mouse has to change its tactics.
What the most common fallacy in the information security industry?
Just because you have anti-virus and other types of technology to scan and identify malware and attacks does not mean that you are fully protected. The attackers know exactly how different anti-virus and similar products work and they craft their malware and attacks to not be detected by them.
Attackers come up with new ways of attacking a system; then the anti-virus vendor comes up with new signatures to identify those attacks, so the attackers come up with newer attack methods and the cycle continues. It is hard to stay in front of attackers when they are driving the bus on innovation.
Millions of computers are infected with programs called bots, which is short for robot. Once a computer is infected the attacker can do anything that the software bot is programmed to do:
- Capture keystrokes as the user is typing
- Siphon money while a user is carrying out on-line banking activities
- Attacker other computers
- Take screen shots of what the user is working on
- Turn on the webcam and watch and record the user
- Mine the computer for passwords or credit card numbers
Another fallacy is to think you are not important or big enough to be a target. The largest targets for attackers right now are midsized and small companies. These companies do not commonly have a security staff and security technology and practices that the larger companies have. This level of company is currently the most under siege.
Is it going to get worse before it gets better?
Probably. Hacking has been taking place for years, but it has recently evolved to being more criminal in nature. Since more and more attacks are financially driven, the attackers have become more determined and organized.
The most precious asset to companies is their data, which is always in some type of digital format. If it is in a digital format, it is vulnerable.
There are several types of data that an organization may or may not be aware that need to be protected. This data includes intellectual property, social security numbers, medical information, merger and acquisition plans, financial projections, pre-launch product specifications, credit card numbers, source code, marketing material, and more. Losing this information, either through loss or theft, can cause a company to be faced with law suits, regulatory penalties, loss of their customer base, Federal Trade Commission investigations, loss of brand and reputation, and even bankruptcy.
Organizations are getting better at identifying and locating their sensitive data and implementing controls at where it residesbut they have a hard time following this sensitive data as it transverses their networks and others. Let’s say that you have sensitive data that is centrally located in a database with layers of controls. The operating system and database application are controlled, and you even have a host-based IDS installed on this system. Now your employees need this data to carry out their daily tasks, so they collect pieces and parts of this data and store it in PDF files and spreadsheets, e-mail it out to business partners, save it on their laptops so they can work on it at home, or copy it to a USB drive. Now you have your data spread out in several different places that are not under your control. Since they are not under your control, they are properly not protectedwhich makes it a lot easier for the adversary.
What should individuals and companies be doing to reduce their information security risks?
Awareness is the number one step. You cannot protect yourself from a threat if you don’t realize what it is and that it can happen to you.
Business owners and C-level executives should require their security technical staff to provide them with weekly reports that illustrate the organizations current security posture. This should include the system and network vulnerabilities and associated risk scores for these vulnerabilities.
IT and security personnel should attend more than just one training session a year on what they need to know to protect their infrastructure. Employees should go through quarterly awareness training, instead of just annual training.
From a more technical view, every organization should do the following:
- Develop a robust enterprise security architecture including policies, procedures and standards.
- Identify the company’s most value able assets so they know what has to be protected first.
- Practice defense-in-depth, which means deploying layers of countermeasures instead of just relying upon one type of technology to protect the network.
- Identify all the entry points attackers can use to penetrate the environment so that these holes can be plugged.
- Carry out quarterly vulnerability, penetration tests, and audit procedures to identify vulnerabilities in a timely manner.
- Identify how data is leaking from the environment and implement Data Leakage Protection technologies.
- Properly control the external devices that can be plugged into the network (smart phones, laptops, USB drives, wireless devices).
- Carry out proper credential creation and protection.
Where are we going in the information security world?
We are currently working to automate our security products and tools in a standardized manner. The more security practices we can automate, the more we take out the human elementwhich is slow and error-prone.
We are advancing our technologies so that they can directly communicate to each other and create what is called a self-defending network. The networks will be able to react to threats and attacks in real time, versus the manual way we deal with attacks today.
While it is still 10 years down the road, we will be eventually obtaining situational awareness (SA) of our environments. Once our security tools are standardized and automated, we will be able to use them all in an orchestrated manner to view and understand our networks in a holistic manner.
SA is the understanding of complex environmental elements, there meaning in specific contexts, which allows for successful decision-making and projections of what is around the corner.
What role do you see your company playing in the upcoming future in your industry?
Currently my company is working with MITRE, NIST, DHS and the NSA on developing a book series and educational track that focuses on how our security tools and practices can take place through standard automate methods to create self defending networks. Since attacks on systems and networks happen in real time, our protection against these threats must also take place in real time. Standardized automation is the foundational component for situational awareness.
Logical Security consults with some of the largest corporations and government agencies on how they can move their risk management efforts to more streamlined, efficient and effective methods. Logical Security provides consulting and education to help these entities carry out vulnerability assessments, enterprise security architectures, and enterprise-wide security programs.
While our adversaries advance in their techniques, we work with companies on not only how to defend against thembut stay ahead of them so that the attacks will either not cause extensive damage or not take place at all.