Competing priorities, piecemeal solutions make for lousy cybersecurity
Midway through the year, one thing has become obvious when it comes to cybersecurity: the bad guys are increasingly outpacing the white hats on innovation. Every time you turn around, there seems to be a new kind of threat. Not so much when it comes to defense.
The industrialization of malware, crimeware and all the other shades of adversarial technologies is rampant, and the threat industry is beginning to throb with the same kind of energy that birthed places like Silicon Valley. Cisco, in its latest report, says that the operators of the various threatware organizations are now hiring and funding professional development teams to help them focus on the most profitable targets.
Some of the innovation touted by Cisco sounds a bit re-heated. Adobe Flash vulnerabilities are well known, for example, and the fact that Microsoft Office macros are again coming into favor as a way of delivering malware is not that surprising given Microsoft’s renewed emphasis on the suite.
Other attacks, however, show the level of thinking behind some threats. Cisco found, for example, that some exploit kit authors are putting text from such benign sources as Jane Austen’s Sense and Sensibility into the web landing pages that host their kits. Apparently, antivirus and other common defensive tools are more likely to label these pages as legitimate after reading such text.
It’s not that the security industry is standing still. Cisco points out that vendors are adding support for new file formats such as .cab and .chm to catch attacks that use them to deliver their packages, and they are also beavering away to develop new detection engines. However, it also says that many vendors are only offering piecemeal solutions, while buyers are continuing to spend most of their money on stopgap, one-off products rather than investing in in-depth strategies.
“Because [users] are not integrating technologies and processes across the entire security footprint,” the Cisco report said, “their management of security tools becomes unwieldy.”
In government, there’s plenty of noise about some of the broad issues of security. When Congress gets back to work in September there’ll be much said about the Cybersecurity Information Sharing Act, for example -- another attempt to solidify more-efficient sharing of security threat information between industry and government. Likewise, a new draft report from an interagency working group organized by the National Institute of Standards and Technology lays out a path for U.S. government involvement in the development and use of international cybersecurity standards.
All of which is important stuff, but it will take years to show value.
The government at the top levels is at least aware of the need for shorter term strategies. In June, following a number of high-profile breaches at several agencies, U.S. CIO Tony Scott launched a 30-day cybersecurity “sprint.” The exercise, which focused on immediate fixes agencies could make to shore up their security, made some important inroads, but Scott acknowledged the sprint “is only one leg of a marathon to build upon progress made, identify challenges, and continuously strengthen our defenses.”
And then there’s a recent report from the House Energy Committee that looked into the October 2013 breach of the Food and Drug Administration’s network, which allowed unauthorized access to users’ account details. During the investigation, the House report said, committee staff also became aware of breaches at other operating divisions at Health and Human Services. In total, the investigators believe at least five divisions have been breached in the last three years “using unsophisticated means.”
Pointedly, and after reviewing seven years’ worth of non-public HHS Office of Inspector General reports, the House committee found that many of the IT security issues suffered by the HHS divisions shared the same root cause -- namely the subordination of security concerns to operational needs. What are the bets that the final report on the more recent, and far more damaging, breach at the Office of Personnel Management will find at least some of the same failings?
It’s unlikely government will ever be able to match the innovation and agility of the developing threatware industry. But if the issues highlighted by Cisco become the norm, and agencies don’t put at least a basic security strategy in place, the HHS and OPM examples threaten to become the new normal.
Posted by Brian Robinson on Aug 14, 2015 at 9:05 AM