A Strike for Security
Stacking the Cyber Deck
Just as a doctor aims to stack the deck in a patient’s favor by using the appropriate medical tools, so are executives looking to ensure their IT systems will win today’s increasingly complex cyber battles. To help guide these efforts, CSC has released a white paper, called “The Security Stack — A Model for Understanding the Cybersecurity We Need,” that suggests a four-layer model to visualize today’s cybersecurity challenges and protect systems against attacks.
Proposed by CSC cybersecurity experts Carlos Solari, Dean Weber, and Victor Harrison, the interrelated layers provide an integrated framework to follow. The paper also cites upcoming innovations to look for that will further strengthen an enterprise’s defenses.
The first layer, called “Assured Systems and Content,” speaks to the need for security as a primary consideration at all levels of a network’s design — one that is appropriate to the risk profile. For example, a consumer products retailer would not need the same level of security as a defense contractor. This layer involves a developer’s activities in architecting security and privacy as part of an overall solution, whether it is the software code in an application or the need to ensure that personal information is encrypted.
The second layer, the “Integrated Security Overlay,” defines the need for security-specific technologies, like firewalls, that span both networks and applications, while the third layer, “Intelligence,” defines the correlation of sensor information and security events to develop a picture of what security-related issues are happening within the network. The fourth layer, “National Cyber Response,” covers how public and private sectors can work together to thwart cyber attacks.
“The industry has not thought of security this way before,” says Solari, CSC vice president, Cyber Technology and Services. “To protect systems, we need to think of security as comprised of these layers, and that all layers need to be present to gain a sufficient level of security in today’s environment.”
by Jenny Mangelsdorf
Today’s cyber threats and crimes continue to escalate in sophistication and the danger they pose. Simultaneously, while organizations’ IT continues to spread outside the traditional enterprise, businesses and the public continue to expect private information to stay private.
For more than a decade, governments and corporations have turned to CSC’s StrikeForce team to determine their current risk, ensure their applications, networks, and processes comply with security guidelines, and discover if their systems are secure or have been compromised.
The need for StrikeForce is real. The list of companies worldwide that have been affected by cyber attacks reads like a Who’s Who. Just in the first quarter of 2010, more than 325 million “attempts to infect users’ computers in different countries around the world were recorded” — a 26.8 percent jump over the previous quarter, according to a Kaspersky Lab report [1].
Operational change increases challenges
Changes in how organizations operate compound the challenge. In the past, an executive’s main security concern revolved around disgruntled employees entering a building and accessing the company mainframe. As workforces become more mobile, systems expand past their traditional enterprise, and as applications, services, and storage move online and into the cloud, security issues become more complex.
“Allowing workers to be mobile and use the cloud allows businesses to grow and become more flexible. However, this mobility and the move to the cloud means that in many instances they no longer have control of key elements of their infrastructure, or more importantly, their data,” says Graham Logsdon, deputy chief technology officer for CSC’s Security Solutions organization. “And even though critical data assets no longer sit inside of the protected physical domain, they’re still responsible for protecting that data.
“This is a concern because in many instances their liability has increased today – a result of new government and industry regulations pertaining to data loss and compromised data.”
This fact hit home last year for one major financial company that discovered its systems were being hit by data thieves. Executives also discovered that it was possible the thieves had been stealing data for more than a year. Since then, the corporation has entered into settlement agreements totaling more than $100 million.
A complex risk picture
As executives use business requirements to drive their use of information technology, one predominantly overlooked element is data integrity, says Logsdon. When giving the sales force laptops that contain client information, for example, businesses need to consider the risk they’re introducing to their organization.
If a laptop is stolen, can thieves use the data in it to blackmail the company’s customers? That’s a simple example of what executives might consider when reviewing risk. The risk picture becomes complex when executives have to consider how their systems are connected to other organizations’ IT systems.
“The logical boundaries of the corporate network are being pushed beyond what we traditionally consider them to be, and more and more we see data being gobbled up with real malintent,” says Logsdon.
The problem is made more complex by the fact that many organizations spend the bulk of their cybersecurity resources securing operational data, leaving vulnerable small data sets that contain the organization’s truly valuable intellectual property.
Organized cyber criminals
As the corporate network evolves, the hacker profile has also changed. Where cyber criminals used to be teenagers reading emails and posting embarrassing information on bulletin boards, today’s criminals are increasingly state-sponsored or part of highly organized groups looking to gather intelligence – an organization’s valuable intellectual property – or make money, Logsdon says.
How data is being used by cyber criminals has also changed. Having embarrassing information put up on a blog today is the least of someone’s fears as it won’t potentially destroy an organization — whereas losing customers’ credit card information or compromising stakeholder trust and brand integrity could. Losing a company’s product and service designs can also be fatal, and make an organization irrelevant in the face of ruthless commercial competition.
For governments, the threat to the systems on which sovereign authority depends cannot be overlooked. The same is true for the information systems that a nation’s critical infrastructures use.
In the U.S. alone, a February 2010 U.S. Army report [2] states, “Unprecedented levels of adverse activity in and through cyberspace threaten the integrity of United States critical infrastructure, financial systems, and elements of national power. These threats range from unwitting hackers to nation-states, each at various levels of competence.”
Attacks grow in sophistication and risk
No longer worried about traditional malware, executives are now concerned about what Logsdon calls “advanced persistent threats.” In this scenario, the attacker accesses data over a long period of time, gathers information about the data, and avoids detection. Even if the hacker is detected, there’s no attribution around the breach. A business may eventually discover that something fraudulent is taking place nine months to a year after it began running on the network, as in the example cited above. At that point, however, the business doesn’t know what data has been taken, how long it’s been there or who put it there.
“Its discovery is like a Pandora’s Box of issues for an executive,” says Logsdon.
As organizations’ use of IT becomes less centralized and cyber crime becomes more sophisticated, CSC’s StrikeForce team becomes increasingly valuable. Unique due to its long legacy and track record of helping secure systems, the team offers a full range of vulnerability assessment services, such as code review. In fact, the StrikeForce team authors CSC’s secure coding guidelines.
“There are a lot of organizations that still have legacy code and are very concerned about vulnerabilities,” says Logsdon. “StrikeForce is a great place to start if they want to learn where their vulnerabilities exist and in what priority they want to address them.”
CSC also performs wireless assessments to identify weak spots in an organization’s infrastructure. “We’ll go around a corporate campus to see if someone has set up a wireless access point that no one knew about. We see it every place. Certain verticals are more interested in wireless access. For example, manufacturers use it to link customer data, supply data, and manufacturing systems in an efficient network. Manufacturing loves wireless, but wireless can also let someone visiting on a sales call pull out a laptop, find a wireless hot spot, and access sensitive information. We see it in retail, banking, and aerospace and defense as well.”
A unique cyber team
It takes a unique individual to perform StrikeForce’s security assessments. Before joining the team, prospective employees complete a test where they have 24 hours to compromise a set of systems and document their attempts. The StrikeForce team then reviews their results to determine if the potential employee is qualified to become a member of CSC’s elite team.
“Very few organizations have the quality of security professionals we have,” says Logsdon. “We find we have instant credibility with customers based on the rare technical skill set our team has.”
StrikeForce also provides and reviews with clients a comprehensive executive report that shows what risks need to be addressed, in order of urgency, and how those risks could affect the company’s operations, goals, and strategies.
“Customers experience immediate benefits from our reports,” says Logsdon. “They also like the fact that once StrikeForce identifies those risks and provides a remediation plan, CSC has the knowledge and capability to help fix those problems. Because if you think about it, many times the reason they have those problems is because they don’t have the resources to deal with them. We do.”
Jenny Mangelsdorf is a writer for CSC’s corporate office.
[1] Information Security Threats in the First Quarter 2010 by Kaspersky Lab
[2] U.S. Army’s Cyberspace Operations Concept Capability Plan 2016-2028, Feb. 22, 2010