Article by Zack Cronin
Following a dramatic increase in the number and severity of breaches in 2011, Chris Wysopal and internationally renowned cyber security expert Richard Clarke discuss the changing cyber threat environment, the evolving cyber legislation landscape, and steps you can take to strengthen your organization’s resilience to the current threat environment while complying with evolving regulations.
Q: What are the kinds of cyber attacks that enterprises need to be aware of and who are the threat actors?
Richard Clarke (RC): It sounds like it’s a pretty fundamental question, but it’s confusing a lot of people because particularly the media are putting out all these stories about attacks and every week there’s another major enterprise that’s been attacked and it all gets mixed up in the blender like it’s all the same thing, and it’s not…
I think it’s important that we distinguish among the actors and among the kinds of attacks because you can’t really respond to the sort of generalized idea of a hack, you have to respond to the specifics of who is attacking and how they are doing it.
So the way I look at it is – I think there are four different kinds of phenomena we are dealing with. The easy way to remember the four categories is the word CHEW, the first letter of each of the four types: Crime, Hacktivism, Espionage, and, at least potentially, Cyberwar.
Q: What do recent cyber attacks have in common?
RC: We see that there is a growing sophistication: attackers are using multiple techniques in the same attack. They’re using social engineering, vulnerabilities in client-side applications, vulnerabilities in web servers, and they’re doing two-stage attacks, where there will be a precursor attack at a supplier company, things like that.
RC: Well, I think it boils down to the fact that it works. When your target is somebody like Sony or Citibank, which spends a lot of money on antivirus software, firewalls, intrusion detection, intrusion prevention, and even two-factor authentication, and maybe relies on certificates – how else are you going to get in?
That’s your mission, that’s your target, that’s what you were told to get into, and you tried to do it the straightforward way, but you’re not going to get in so you keep trying and you eventually end up going in through the applications, or you go in through a third-party and go through their applications…
The thing we don’t really traditionally think about is applications.
Q: What are the essential measures of software security that organizations need to be aware of?
RC: One of the things that should be on the list of essentials is to verify third-party code. If you don’t know what’s in the code, or if you’re just trusting the vendor, then you’ve got a problem, because now you have no idea what they’ve failed to do, what their standards are, and how they’ve vetted it.
There are lots of routine mistakes that people make when writing code, everybody does, and any code package, no matter how small, is going to have some of those mistakes. If they don’t have a systematic way of finding them, you’re in trouble.
Cross-posted from the Veracode Blog