FBI Director Robert Mueller told the U.S. House Permanent Select Committee on Intelligence this week that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.” Elaborating on the breadth of the threat, he said “there is very little we do in this day and age that is not on or somehow associated with the internet. The theft of intellectual property, the theft of research and development, the theft of the plans and programs of a corporation for the future, of all which are vulnerable to being exploited by attackers.”
It is not just our sensitive information that is threatened. The Internet itself is threatened … and extremely vulnerable. In the last several weeks, we’ve seen successful Distributed Denial of Service (DDoS) attacks against banks, governments, law enforcement and the entertainment industry. We’ve seen Israeli and Palestinian cyber-vigilantes launch DDos attacks against each others web sites. What happens when radical organizations discover they can launch a DDoS attack against their enemies? We should not be surprised to see the Internet become a battleground in America’s culture wars.
In his testimony, Mueller recommended that we need to become better at gathering, sharing, analyzing and using cyber information, offering several specific suggestions to the Committee for needed changes at the Bureau, throughout government and in new legislation.
His recommendation apply as well to individual organizations, as our work with clients continue to demonstrate. Every organization with sensitive information needs to continually ask itself: Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses? Are we effectively analyzing this information, using it to better secure our information? Are we sharing it with the necessary parties? In particular, is management getting the information they need to proactively manage information risk?
One highly critical defensive measure, for example, is to rigorously keep software patched. One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software. That’s why we publish our Weekend Patch and Vulnerability Report, alerting readers to major patches.
Patching needs to be on the Weekly Must-Do list of every IT Department and IT vendor. Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops. Does IT gather vulnerability information? Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum? Is it shared with Senior Management? Does Senior Management know that IT must patch vulnerabilities to comply with laws like HIPAA HITECH or contractual obligations like the Payment Card Industry’s Data Security Standard? Does Senior Management regularly monitor “weekly vulnerability trends?”
Mueller’s recommendation that we become better at gathering, sharing, analyzing and using cyber information apply to our communities as well. That’s what led our Los Angeles ISSA Chapter to launch our Community Outreach Program 5 years ago. It’s our mission to be the premier catalyst and information source in Los Angeles for improving the practice of information security. It’s the genesis of our tag: It Takes the Village to Secure the Village. SM It’s the orientation of our newly designed website. And it’s the focus of our forthcoming Fourth Information Security Summit, being held May 16, 2012 at the Universal Hilton Hotel.
Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better. While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.