Cyber Crime: New Threats, New TargetsInterview with Robert Richardson, Director of CSI
In an interview about current threats, Richardson discusses:
Richardson has served on the CSI staff since 2003, having worked IT in various capacities for twenty years. He's given keynote presentations on three continents, often speaking about the CSI Computer Crime and Security Survey, an undertaking he directs each year. Prior to CSI, he was Senior Editor of CMP's Communications Convergence magazine for two years, where his beats included telecom security, wireless, Internet messaging, and next-generation phone systems. Before that, Robert was a frequent contributor to magazines and Web publications such as Ziff-Davis Internet Computing, BYTE, Network Magazine, and Small Business Computing.
TOM FIELD: What are some of the top cybercrime trends?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Robert Richardson, the Director of the Computer Security Institute. Robert. thanks so much for taking the time to speak with me.
ROBERT RICHARDSON: Absolutely my pleasure.
FIELD: Robert. for people who aren't familiar with your CSI -- which is the first CSI -- why don't you tell us a little bit about yourself and your work please?
RICHARDSON: Sure enough. Well CSI, the Computer Security Institute, is a member organization. Our members are security professionals in various walks of life, both in corporate enterprises and in government and the non-profit sector as well. We have been around for 35 years, and what we do is provide security professionals with context for strategic decisions. So lots of security news out there, but you know just having the news if you are charged with having a security program isn't usually enough; you need to understand how it fits in. So there may have been Google attacks, but what does that mean for you as someone trying to protect a large organization?
FIELD: Well, that is great context; I talked up front about cybercrime trends. What concerns you the most so far this year when you put it into context?
RICHARDSON: So, our context is in part based on a survey that we have done for the last 15 years, which is the longest running survey on cybercrime statistics, and one thing you learn from doing it that many years is that a lot of the top problems remain top problems.
The most common occurrence in organizations today is malware attacks of one kind of another, and a lot of that kind of news stays the same. But one thing that does seem to be undeniably true is that the sort of forces behind these attacks are getting increasingly organized. Google is kind of the poster child for that, or the attacks on Google, but we are seeing that in lots of other situations as well that whether it is organized crime or it is a government hacker, there are fewer loners out there nowadays.
FIELD: Robert, a couple of times you have mentioned the Google case so I wanted to ask you: What ramifications do you see coming from that?
RICHARDSON: Well, I think some of the ramifications are ones that we have tried to press home for a while now, which is that you have to be constantly mindful of the vulnerabilities that you have, especially if you are running older software. And I say "older software" simply because the particular sort of main spring of this attack. There are a lot of different elements to it, but an important part of it was a so-called zero day attack on the Internet Explorer version 6, and of course by now we are up a couple of versions ahead of that. Just generally speaking you are going to avoid some of the vulnerabilities by not being on those older platforms. So that is kind of the mundane "we told you so" ramification.
Additionally, I think it is clear that again this was, regardless of who in China or wherever orchestrated it, that it was orchestrated. It was a multi-party attack. and there was apparently a little bit of a trial run of some of the attack mechanisms several weeks prior and that lots of different kinds of corporations were used at various phases in this attack. So just the sense that people are out there kind of randomly scanning and checking locks to see what is open and steal your radio that sort of crime, you know that is still out there, but it is shifting so that if you are a big enough organization that you are a target, or if you are a government entity, you have also got to be watching for things that are not just crimes of opportunity.
FIELD: One of the things that we have seen in the last year is an uptick in online crimes against small to mid-sized businesses through ACH fraud. In your work, what types of organizations do you see being especially vulnerable now?
RICHARDSON: Well. I think it depends a little bit on what you mean when you say vulnerable. I think there is vulnerable, and then I think there is likelihood to be a target, and I think likelihood to be a target is to say 'Who is out to get you in a concentrated, focused way?' That I think is largely the thrust of that appears to be large corporations and governments, but on the other hand, you know there is a lot of crime out there; there is plenty to go around, and I think smaller organizations are more vulnerable in large measure because we know that the platforms that a lot of the business is done on (that is to say Windows and the various mainstream browsers) have vulnerabilities. So as you start to conduct more and more of your business that way, you are vulnerable, and you may have fewer resources to dedicate, and statistically we know that organizations very often don't dedicate much of their IT resources to the problem of security.
FIELD: Robert, I want to take you in another direction and talk about Web 2.0 technologies. Everyone these days is mobile and social. What are the security implications of their activities with these technologies?
RICHARDSON: You know there is a social dimension, as you mentioned, that sort of rising tide of things like people using Twitter, and the greater propensity for them to be tricked into giving away information that can be used to attack them.
There is also a technical dimension that I think is important when you are thinking about Web 2.0. Web 2.0 as a name gets used in both ways, right? It gets used in terms of social dimension -- everybody is on Facebook. But in my mind there is also a technical dimension, which has to do with moving applications into the cloud and sort of on the delivery end of it with having multiple components, as I say "mashed up" in browsers.
There are technical issues I mean the social issues don't' go away, and those are things that have to be dealt with, but you are going to have a harder time fixing them if there are underlying technical problems that make real security difficult or impossible. And I think taking those two elements separately (cloud apps and browser interfaces) in the cloud part of the world, I think the best you can say is that security is kind of a question mark.
There is not a big track record there, and we certainly know that when our colleagues in the penetration testing part of the business turn their sites on something like the Google app engine, they do find things. And we hosted a presentation a while back where we had demonstrations of some of these things and they are real, and to be fair, the cloud providers are really working hard to get it right, and they are making progress.
On the browser side I would say things are not a question mark, and the answer is not good. There is a sort of fundamental problem in the trust model of browsers that has to do with keying it to the domain that the various pieces come from, and so far nobody has come up with a real good solution for that, and that is a big opening that as soon as people start mixing components together, there are all sorts of attacks that are made possible.
That's a really long answer, but it is a complicated area, and I think people are aware of social implications, but there are also some big technical issues lurking there.
FIELD: When you look at different organizations, Robert, where do you see some that are doing some smart things to address some of these threats and vulnerabilities you have outlined?
RICHARDSON: Well, I think banking and the financial industries, the financial industry in general, was a little slow to wake up in previous years and took some sort of real beatings in the industry press over it. But, frankly, I think it is time to start patting them on the back a little and saying actually they really have -- while still trying to deliver services that consumers could understand and use easily -- tried to sort of tighten up their operations, and with some success. I can't say the same for the medical profession yet; there is still a lot of work to be done there.
FIELD: How about the U.S. government?
RICHARDSON: Well, you know if you are talking about the civilian side of things, I simply think the best you can say is that the government appears to have suddenly smelled the coffee and realized that they needed to do something definitive. The best that they have done sort of prior to the Obama Administration is administer a sort of self-testing regime and give themselves failing grades for the most part, year over year. Now I think there is more commitment to have a sort of a process that actually leads to improvement rather than consistent failing grades; whether that achieves its goal, I think it is pretty early to tell.
FIELD: Robert, one last question for you. Given the types of threats that we have discussed, what can organizations be doing right now to further minimize their risks?
RICHARDSON: Well, I think the security professional knows a lot about certain baseline security elements, kind of traditional things like thinking about network perimeters and establishing controlled gateways with firewalls and the like, and this is all kind of hum-drum stuff in the security industry. But any company that hasn't got that stuff under control -- and there are plenty of them - needs to do that right away. And some of the government agencies fall into line with this as well. They need to get these fundamentals right.
Beyond that, particularly at organizations that develop their own in-house applications, one area where there is an enormous opportunity for improvement and where there has been a sort of long time lack of interest, is in the area of really focusing on creating secure applications. At the end of the day, most of the attacks that we see in some way or another they are taking advantage of something that was done wrong in the software.
And there is a lot of software that you buy and use, and you don't have a lot of control over whether it has got sort of ill thought-through approaches to security, but when you are writing your own, you have some options. It is hard to do, but I think that is a really key area.
FIELD: Robert, great advice. I appreciate your time and your insights today.
RICHARDSON: It has been a pleasure.
FIELD: We have been talking with Robert Richardson, the Director of CSI. For Information Security Media Group, I'm Tom Field. Thank you very much.