
The next steps in cyber security

Did you know this is the seventh annual National Cyber Security Awareness Month? Get out your protective gear and we’ll relate what we learned about cyber security from Gigi Schumm of Symantec at FedTalks 2010.

Go back seven years to 2003, and the big viruses were Blaster and Slammer. In those olden days hackers were usually kids looking to make a name for themselves. Now they’re often professional thieves or organized crime, possibly backed by nation states. The motives have changed as well, from merely being annoying to disrupting the flow of communication for both people and infrastructure.

The methods hackers use, as well as the number of attacks, have grown exponentially in the past couple of years. Symantec writes signatures, or fixes, for cyber attacks. In 2008 they wrote 1.6M signatures, which was more than the previous 16 years combined. In 2009 they wrote 2.9M signatures.

Today’s growing challenge is the proliferation of different devices such as laptops, iPads, smart phones, Kindles, etc. Users mix home and work on these devices, which complicates the challenge. Think of all the documents you receive – PowerPoint presentations, PDFs, music, movies, etc. This explosion of data confuses the situation further.

Virtualization and cloud computing – whether public or private – bring the promise of increased efficiency, cost savings and better service. But this development also “clouds” the picture for cyber security.

So what’s the next step? Gigi advises that an info-centric security model is where we need to head instead of a network- or system-centric model. It’s not enough just to build higher firewalls because of the aforementioned explosion of data and proliferation of devices. So what’s important in an info-centric model? People and information. There are four key items to help organizations move to an info-centric security model:

1. Identity security. We must pay attention to who is sending us information, what they are sending and assess appropriately.

2. Device security. Symantec has launched a reputation scoring engine, which leverages the wisdom of the crowd to determine security. If a piece of code wants to execute, the software can compare the code and score it based on its reputation. Reputation is based on things such as how long the software has been around, how many users it has on the internet and whether it came from a known good site. The score determines whether or not the software can run in your environment.

3. Information protection. What information needs to be encrypted, and is there data loss prevention technology in place to prevent sensitive data from leaving your environment?

4. Context and relevance. The four Ws of information – What is the most critical data? Where is the data? Who needs the data? When do they need the data? Remember that all data is not created equal. Gigi relates that private sector customers think that less than 10% of their data is critically important. While public sector is no doubt higher, it’s nowhere near 100%.

7 Comments

Leave a Reply

Andrew Krzmarzick

Kathleen – What have you seen regarding training on cyber security…for both citizens and public sector employees?

Chris Kelsall

Absolutely correct, besides actually identifying what we really need from everything that is exchanged, and what really needs to be protected, and identity management, the whole area of establishing a culture where people really care and watch out for themselves and who they work for is critical. Saw an article the other day where someone discussed actually treating Cybersecurity like the country handled the H1N1 crisis. People listened and people took action. Hopefully we can reach that level with Cybersecurity soon. If you’re looking for more on what’s being done on training and education you might start here. http://csrc.nist.gov/nice/

Kathleen Smith

Andy
There are a few certification programs that are being launched by the CIO Council that will be implemented in a few of the agencies – GSA and DHS – in particular. I also noted that NIST was establishing new guidelines as well.
I harken back to an AFFIRM luncheon last year and a point that resounded for me was that the biggest threat was that individuals do not keep their patches up to date – you know those annoying updates that clog up your computer at the worst possible time – so many folks both at work or at home stop, or abort those updates, they get backed up and don’t load correctly and we end up with unprotected out of date systems.
Cybersecurity like any program meant to maintain our health is something that requires constant vigilance and work.

Kathleen Smith

Thanks Chris. As you reference much of the solution lies with each of us as individuals. We are the front line of the issue and we all need to be more careful. We all need to fight the natural human tendency of thinking, “It’s not going to happen to me.”