Q&A with Myself - Thoughts on Sony, DOD, RSA, IMF & Lockheed Martin
Q: Are the recent hacks against Sony Playstation, RSA SecurID, IMF and Lockheed Martin caused by unrelated entities, or is this a coordinated attack?
A: There are definitely different groups operating here, each with their own motivations for the hacks. Sony decided to press legal charges against some hackers and the counter-response was retaliation. On the other hand, the breaches related to the RSA SecurID products and the hacks on IMF & Lockheed Martin have evidence of state-based attacks. Regardless, the series of breaches we’re seeing isn’t going to let up anytime soon. Just yesterday the Pentagon confirmed that some of our most closely guarded military secrets were stolen by spies who hacked into DOD computers.
It should also be noted that this is nothing new – what’s new is the disclosure of the breaches, not the attacks or breaches themselves. Congress needs public support to get cyber security legislation passed (Langevin’s bill) and they’re being lobbied hard by the private sector. We should also be aware that the administration is preparing the public for a cyber attack, both US-driven like Stuxnet, as well as an inbound politically motivated attack on something like the US power grid. The bill in Congress calls out specific measures for protecting the power grid and other critical infrastructure like nuclear power plants. The Pentagon hacks were discovered months ago, but are just being released now to step up the pressure on Congress and to ready the public for the US at war in a new theater – cyberspace.
Q: Will anyone’s data be more secure in the face of this onslaught?
A: It’s no doubt that data is woefully unprotected. The approach that so many organizations often take has been reactive --patching a gap or misconfiguration temporarily fixes a problem yet offers nothing preventative. Organizations are also not following fundamental security principles like defense in depth and are over-relying on single points of failures such as the SecurID authentication solution. Universally, we underestimate the importance of developing secure software which is the largest source of security vulnerabilities. 90% of attacks occur at the software layer. That is because hackers have two ways to get at your data: Through the network, which organizations spend considerably more money protecting and are better at hardening, or applications, written by developers with very little security skills.
We have the power to make our data exponentially safer, so why don’t we? Maybe because it requires a fundamental shift in the way we think about writing software and accountability. Being proactive about data security requires an overhaul of priorities, and this can be accomplished by training developers, designating an executive to be held accountable, consistently testing software, and having a current knowledge base of the always-morphing threat and vulnerability landscape. Software runs our world and the data security problem will never be solved until it’s addressed at the developer desktop. And it’s not a technology problem – it’s a people and process problem.