Cisco CSO John Stewart on Fending Off Cyber Attacks
Posted on October 14, 2010
Cisco Systems, like nearly every large company, must continually fend off cyber attacks. Cisco Chief Security Officer John N. Stewart recently spoke to me about threats such as the computer worm Stuxnet and what it's like to protect a corporate network from incessant attacks.
Rachael King: What makes Stuxnet different from other worms and is it potentially more dangerous?
John Stewart: What makes it different is how much news coverage it's getting. This is the first one, though, that is part of the discussion about whether or not it is actually targeting the way a system is supposed to work rather than trying to exploit a problem that's already in it. Secondarily, there's the fear-factor, over who designed it, how it was designed, and its ultimate origin and purpose. This one can disrupt an operation and, in some cases, very critical operations.
RK: This worm was specifically designed to attack so-called SCADA systems, so what does that mean?
JS: SCADA systems were designed many years before the traditional Internet. The purpose of SCADA systems is that they're small, micro-controlling systems that affect anything from water control valves to oil and gas industry pipelines to street lights or stop lights. There are portions of SCADA systems in almost every critical infrastructure, definitely including the power grid as well. The idea that it can affect critical systems in countries' infrastructures is one of the fears.
RK: One of the issues in the spread of Stuxnet was employees picking up USB drives and using them when they were just lying around. Do you have policies at Cisco to try and prevent that?
JS: We don't. Partly the reason we don't is because people are people. Let's take the example you just described with USB devices. You've got a USB picture-storage device, you've got a USB thumb drive, you've got a USB keyboard, you've got a USB-based iPod, all of which are storage devices of some material type. And you've got content that could be stored on them, including the fact that Stuxnet could be sitting on top of it. I would rather design with the idea that the format and delivery under which it would come is not one that I would take down to a hardware device level and instead design an environment that detects if something goes wrong [during data] transfer.
RK: You've compared defending Cisco's corporate network to defending a home's front door against all kinds of projectiles. Can you describe that?
JS: All kinds of attacks come at you and you don't necessarily know one from the next. The first could be a simple, silly virus that I would liken to someone egging your house and the next one could be something like Stuxnet and you don't know who wrote it but it seems sophisticated and it feels like either a very surgical attack from a sniper or a very large artillery shell.
Either way, because there is so much activity on the Internet of this type what you've got to do is go repair the front door and fix and clean your windows and harden up and then you'd start all over again tomorrow because the attacks are going to keep on coming.
This is where I think the industry as a whole is getting a little bit weary of this consistent ability for attacks to be launched without the downsides high enough to prevent it. Corporations and governments and law enforcement communities both locally and internationally are working together more diligently in a much more aggressive path because this is just not acceptable.
RK: From Cisco's perspective, you're sitting there and you're defending your home but you don't have the ability to fight back on your own?
JS: I don't know that I necessarily want to go to the idea that I would fight back. But we're getting to the norms and behaviors discussion, which is, what is acceptable behavior on the Internet? I think as a society we're beginning to discover that things like stealing from my house from a foreign country is probably not acceptable when it comes to a normative behavior. You can defend or you could eliminate the threat and I think both are a relevant strategy. The eliminate part is all around law enforcement and government and the defend side is our obligation.
RK: I think many people may not be aware of the volume and extent that attacks happen, not only on Cisco but on every other company, every day of the week. Can you give me an idea of what we're talking about?
JS: The categorizations of the attacks are the hardest part; is it egging or is it an artillery shell? It's safe to say 24 hours a day, 7 days a week, 365 days a year, attacks are happening against companies and in many cases attacks are happening against people who are connected to the Internet.
RK: What's your advice for companies using cloud computing?
JS: Make sure you're talking to your cloud-services providers about how they protect your data. Don't just trust anybody. There's beginning to be an awareness that says when I buy a cloud-storage service using my credit card, that doesn't necessarily mean I should be storing corporate information that's very sensitive in that provider. Start creating normative ways, which say these are the cloud services providers that we, at a company level, should use. Then involve end users in the decisions because they've probably got some pretty good ideas.
And last but not least, you have to think through where your data is stored. When talking to your cloud-service providers, literally ask them where they're going to put your data. The number one way most companies and most people protect themselves is the law -- it's not a technology conversation, it's a legal one.
Company Boards Must Assume Cyber Attacks Will Occur
Posted on June 15, 2010
Cyber attacks are now so common that corporate directors must assume that their companies' intellectual property will be stolen, according to experts at today's Bloomberg Link Boards & Risk Conference in Washington. "Boards can't keep hoping they won't be attacked because they will be," said Val Rahmani, chief executive of Atlanta-based security-consulting firm Damballa, Inc. My colleagues Peter Elstrom and Rochelle Garner wrote about corporate boards and cyber attacks in a story published today by Bloomberg News.
Security experts such as Patrick Morley, CEO of enterprise security firm Bit9, say that attacks are on the rise. Morley came to visit me last week in San Francisco after giving an educational seminar about how to stop malware. He predicts that security will move toward so-called whitelisting, the practice of defining the software that IT departments will let run on computers and mobile devices. Bit9 has created a global registry of known "good software" and offers a product that acts as a sentry, only letting employees download applications that aren't dangerous.
This works in reverse of the way many anti-virus software programs work. Those programs scan for code that's known to be bad. The problem, says Morley, is that at this point there are more bad viruses than there are safe software applications on the market.
"We're all looking for bad but we know what good is," said Cisco's chief security officer John Stewart, when I interviewed him in March. Software vendors all know what they publish and the idea is to create a comprehensive list of that software so that everything else is questioned. "I think it's high time that we continue to look for things that are potentially more effective," said Stewart.
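The contrast Morley and Stewart draw, deny-listing known-bad code versus allow-listing known-good code, is easy to see in a few lines. The following is an added illustration, not code from Bit9, Cisco or the original post; the "binaries" are constructed byte strings standing in for executables, and the hash-keyed registry is an assumed simplification of a real software registry.

```python
import hashlib

# Constructed stand-ins for executables (not real files).
KNOWN_GOOD = {
    b"MZ...vendor-signed-editor-v1": "TextEditor 1.0 (Vendor A)",
    b"MZ...vendor-signed-vpn-v3": "VPN Client 3.2 (Vendor B)",
}
KNOWN_BAD = [b"MZ...dropper-variant-1"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Registry of "good software" keyed by hash: the whitelisting model.
ALLOWLIST = {sha256(b): name for b, name in KNOWN_GOOD.items()}
# Signature database of known-bad samples: the classic anti-virus model.
DENYLIST = {sha256(b) for b in KNOWN_BAD}


def denylist_decision(binary: bytes) -> str:
    """Anti-virus style: block only what matches a known-bad signature."""
    return "block" if sha256(binary) in DENYLIST else "allow"


def allowlist_decision(binary: bytes) -> str:
    """Whitelisting style: run only what the registry vouches for; everything else is questioned."""
    return "allow" if sha256(binary) in ALLOWLIST else "block"


def compare(binary: bytes) -> dict:
    """Run both policies on the same binary so the difference is visible side by side."""
    return {"denylist": denylist_decision(binary), "allowlist": allowlist_decision(binary)}


if __name__ == "__main__":
    # A never-before-seen variant: its hash matches no signature, so the
    # deny-list passes it, while the allow-list blocks it by default.
    new_variant = b"MZ...dropper-variant-2"
    for label, sample in [
        ("known-good editor", b"MZ...vendor-signed-editor-v1"),
        ("known-bad dropper", b"MZ...dropper-variant-1"),
        ("unseen dropper variant", new_variant),
    ]:
        print(f"{label:24s} {compare(sample)}")
```

The third case is the point of the post: a deny-list has to learn each new variant before it can block it, whereas an allow-list only has to know the comparatively small set of software the company actually intends to run.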
Conficker a Year Later–Help Stamp It Out
Posted on November 5, 2009
It's been a year since the Conficker worm first started turning up on Windows PCs and the Conficker Working Group estimates that there are still millions of computers infected with it. These systems are still a potential threat to their owners and to the health of the Internet as a whole, but there's a really easy way to find out if a computer is infected: the Conficker Eye Chart.
On a clean system, all of the images on this page will show up. If it's infected, some will be missing. The site includes simple instructions on how to interpret the results and how to remediate an infected system. Run it on your PC. Better yet, run it on your mother's PC and your kids' PCs.
Conficker still remains something of a mystery. Experts have no real idea of who is behind it or what it was intended to do, says Tom Cross, manager of X-Force Research at IBM Internet Security Systems who has worked closely with the Conficker Working Group. Despite the fears of security experts, the bots infected with the worm were never used to mount any sort of serious attack. What remains unknown is whether the infection was some sort of elaborate rehearsal for a future attack or if the vigilance of the computer security community prevented something worse from happening.
Why Is the Government Vulnerable to a Simple Cyber Attack?
Posted on July 9, 2009
A wide-ranging attack on government and corporate Web sites that began last weekend and is continuing seems, at least so far, to be causing more confusion than damage. A denial of service (DoS) attack hit a number of government and business sites in the U.S. and South Korea. Some successfully fended it off; others were crippled to varying extents for varying periods of time. The attack is only designed to slow or block access to sites, not penetrate them, so there is no danger to data and the main effect is inconvenience for users.
Contrary to widespread reports that seem to have originated in the South Korean government, little evidence has come to light to suggest that North Korea is behind the attack. That's not to say the North Koreans don't have something to do with it, just that the evidence is lacking.
But whoever is behind this, it is disturbing to learn that a number of government agencies are still vulnerable even to a relatively unsophisticated attack, one that most Web-savvy businesses have long since learned to deal with.
