Michael Hayden, head of the CIA under former President George W. Bush, says the U.S. should create a totally new Internet infrastructure to thwart cyber attacks that increasingly plagues the current Internet.
The proposed new system, with the domain name ".secure" instead of ".com," would get rid of the anonymity protected by the privacy guarantees of the Fourth Amendment. Users would need "certified credentials" to access the .secure system, according to Nextgov.com, which monitors the use of technology in the federal government.
One of the fastest growing segments of the world economy is cybercrime. The opportunity is created by the inexorable digitization and interconnection of enterprises both Government and Commercial, and is exacerbated by increasingly sophisticated and well-funded attackers. The modern IT security approach to countering this threat has been reactive, not proactive. Intrusion detection systems, firewalls, Web filters, anti-malware software and Patch Tuesdays represent the state of the art, and while there are a lot of great security products and technologies available, the concept of allowing connectivity to critical information and networks while trying to filter and detect malicious activity is fundamentally flawed. The black hats simply change tactics to circumvent defenses, they are always one step ahead.
Learn from Others’ Mistakes
Every day we hear reports of successful cyber intrusions, expansive private data disclosures, service outages and massive monetary losses. The inability to protect our critical digital resources acts as a collective drag on innovation and productivity; for example, consider how mobile devices and cloud computing are generally viewed as far too risky to trust with enterprise-critical data.
Clearly, the IT security world is in need of a proactive approach. Critical infrastructure must be built upon trustworthy computing platforms that can guarantee protection against even the most sophisticated attackers.
Do your Homework
How do cyber criminals get into the supposedly secure networks of enterprises? They typically exploit one of the thousands of vulnerabilities of the underlying operating system or the web server or the firewall that the enterprise uses as it’s security foundation. And many IT professionals never even bother to research the existence of these vulnerabilities, although they are readily available by checking the national vulnerability database.
The first thing any organization should do when formulating a proactive approach to security is obtain independent affirmation of the level of security assurance of the technology they are going to deploy. There is one, internationally accepted standard for evaluating IT security: ISO/IEC 15408, commonly known as the Common Criteria. The Common Criteria specifies levels of security assurance. Common enterprise software products, such as Windows, Linux, Android, VMware and Oracle are certified at level 4+ or lower, a standard that is appropriate only against “inadvertent or casual attempts to breach the system security”. These are all wonderful, feature-rich products, but none of them were designed from the ground up to meet the highest levels of security.
In order to ensure maximum security, organizations should search out and deploy products rated at EAL 6+ High Robustness, the level of security that the US government specifies for protection of high value information against the most sophisticated and determined attackers. Level 6+ requires formal mathematical proof of security and detailed penetration testing – it requires vendors to actually prove that their products are secure.
What Not to Do
Adding filters and firewalls to insecure platforms is like attaching padlocks to a screen door. Inevitably, the criminals are going to find a way in, and when they do, they have a vast library of vulnerabilities in the platform with which to wreak havoc. One recent example is CVE-2009-2692, a flaw in the Linux kernel that enables user applications to take over complete control of the computer. This vulnerability was recently discovered by researchers after going undetected for eight years within the Linux code base. For eight years the cyber criminals had a simple way to get into any Linux system deployed.
Ask the Experts
In addition to searching the Common Criteria evaluated products list to find the highest certified products, consult organizations such as the Cyber Secure Institute, a non-profit cybersecurity analysis and advocacy organization dedicated to increasing awareness of the need for trustworthy computing to CIOs and other IT professionals. The Institute is leading the charge for both the government and commercial IT communities in a worldwide demand for a higher security standard from computing infrastructure suppliers.
It’s no secret that the strained economic climate has put direct pressure on companies to reduce their investments in security technology. The beauty of investing in trustworthy platforms, however, is that certain technologies can actually lower cost while improving security. So, the best advice for IT professionals who want to stop a cyber attack before it happens is: Do your homework, and invest in technology that protects sensitive data from the inside out.
No comments:
Post a Comment