A Conversation with Richard Clarke – Part I

Tuesday, January 31, 2012

Fergal Glynn


Article by Zack Cronin

Following a dramatic increase in the number and severity of breaches in 2011, Chris Wysopal and internationally renowned cyber security expert Richard Clarke discuss the changing cyber threat environment, the evolving cyber legislation landscape, and the steps you can take to strengthen your organization's resilience to the current threat environment while complying with evolving regulations.

Q: What are the kinds of cyber attacks that enterprises need to be aware of and who are the threat actors?

Richard Clarke (RC): It sounds like a pretty fundamental question, but it's confusing a lot of people, because the media in particular are putting out all these stories about attacks, and every week there's another major enterprise that's been attacked, and it all gets mixed up in the blender like it's all the same thing, and it's not…

I think it's important that we distinguish among the actors and among the kinds of attacks, because you can't really respond to the sort of generalized idea of a hack; you have to respond to the specifics of who is attacking and how they are doing it.

So the way I look at it is, I think there are four different kinds of phenomena we are dealing with. The easy way to remember the four categories is the word CHEW, the first letter of each of the four types: Crime, Hacktivism, Espionage, and, at least potentially, cyberWar.

Q: What do recent cyber attacks have in common?

RC: We see that there is a growing sophistication: attackers are using multiple techniques in the same attack. They're using social engineering, vulnerabilities in client-side applications, vulnerabilities in web servers, and they're doing two-stage attacks, where there will be a precursor attack at a supplier company, things like that.

Q: So why are software applications at risk? Your web applications, mobile applications and software infrastructure are parts of this chain of attacks.

RC: Well, I think it boils down to the fact that it works. When your target is somebody like Sony or Citibank, which spend a lot of money on antivirus software, firewalls, intrusion detection, intrusion prevention, and even two-factor authentication, and maybe rely on certificates, how else are you going to get in?

That's your mission, that's your target, that's what you were told to get into, and you tried to do it the straightforward way, but you're not going to get in, so you keep trying and you eventually end up going in through the applications, or you go in through a third party and through their applications…

The thing we don’t really traditionally think about is applications.

Q: What are the essential measures of software security that organizations need to be aware of?

RC: One of the things that should be on the list of essentials is to verify third-party code. If you don't know what's in the code, or if you're just trusting the vendor, then you've got a problem, because now you have no idea what they've failed to do, what their standards are, and how they've vetted it.

There are lots of routine mistakes that people make when writing code, everybody does, and any code package, no matter how small, is going to have some of those mistakes. If they don't have a systematic way of finding them, you're in trouble.
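The practice Clarke describes in his last two answers, verifying third-party code rather than taking the vendor's word for it, in working form as an added example: this is not code from the interview, from Veracode or from Richard Clarke. It assumes a constructed "name version sha256" lockfile format and constructed package names and artifact bytes; the point it adds is that the digest is recorded at review time, when someone has actually read or scanned the code, and every later build is checked against that record, so a vendor update, a tampered download or an unreviewed extra package all fail the build instead of slipping in.

```python
"""Pin third-party code at review time and verify it at build time.

Added example, not the interview's or Veracode's code. Package names,
artifact bytes and the lockfile format are constructed for the demo.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(vetted: dict) -> str:
    """Record what was actually reviewed.  vetted: name -> (version, bytes).

    Run once, after the code has been vetted.  From here on the digest,
    not the vendor's assurance, is what a build trusts.
    """
    lines = ["# name version sha256   (constructed lockfile format)"]
    for name in sorted(vetted):
        version, data = vetted[name]
        lines.append(f"{name} {version} {sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Parse the lockfile strictly: a malformed or duplicate pin is an error,
    not something to guess around."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[2]) != 64:
            raise ValueError(f"lockfile line {lineno} is malformed: {raw!r}")
        name, version, digest = parts
        if name in pins:
            raise ValueError(f"lockfile pins {name} twice (line {lineno})")
        pins[name] = (version, digest.lower())
    return pins


def verify_artifacts(lockfile_text: str, received: dict) -> dict:
    """Compare what the build fetched against what was vetted.

    received: name -> (version, bytes) as downloaded at build time.
    Returns name -> "ok", "version-drift", "mismatch", "unpinned" or "missing".
    """
    pins = parse_lockfile(lockfile_text)
    report = {}
    for name, (version, data) in received.items():
        if name not in pins:
            report[name] = "unpinned"          # nobody reviewed this package
            continue
        pinned_version, pinned_digest = pins[name]
        if version != pinned_version:
            report[name] = "version-drift"     # vendor moved the version under us
        elif not hmac.compare_digest(sha256_hex(data), pinned_digest):
            report[name] = "mismatch"          # bytes changed since review
        else:
            report[name] = "ok"
    for name in pins:
        report.setdefault(name, "missing")     # vetted but not delivered
    return report


def build_allowed(report: dict) -> bool:
    """Fail closed: anything other than 'ok' for every package blocks the build."""
    return bool(report) and all(status == "ok" for status in report.values())


def demo() -> dict:
    # Constructed artifacts standing in for vendor packages.
    vetted = {
        "libfoo": ("1.4.2", b"int add(int a, int b) { return a + b; }\n"),
        "libbar": ("0.9.0", b"def parse(s): return s.split(',')\n"),
        "libqux": ("2.1.0", b"module.exports = function () {};\n"),
    }
    lockfile = make_lockfile(vetted)
    # What the build actually pulled down: one package altered, one never
    # reviewed, one pinned package absent.
    received = {
        "libfoo": ("1.4.2", vetted["libfoo"][1]),
        "libbar": ("0.9.0", b"def parse(s): return eval(s)\n"),
        "libbaz": ("3.0.0", b"# never reviewed\n"),
    }
    return verify_artifacts(lockfile, received)


if __name__ == "__main__":
    report = demo()
    for name, status in sorted(report.items()):
        print(f"{name:8s} {status}")
    print("build allowed:", build_allowed(report))
```

The design choice worth noting is that the lockfile is produced from the reviewed bytes, never copied from the vendor's published checksum: a checksum the vendor hands you only proves the download matches what the vendor shipped, not that anyone on your side looked at it. A real deployment would replace the constructed format with the ecosystem's own lockfile (hash-pinned requirements, a checked-in lockfile with integrity fields, or a signed SBOM) and run the verification in CI before anything is compiled or deployed.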


Cross-posted from the Veracode Blog

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
