Article Published: September 11, 2015
With ever-increasing tsunamis of information heading to different places, and becoming more personalized through the use of electronic devices, while greater armies of hackers remain focused on breaking in, how in the heck can the hack be stopped?
How can the binary boogieman be barred? The encouraging news is that Pittsburgh-based individuals and industries have emerged as some of the leaders in this endless, ever-expanding, and increasingly challenging fight.
The interconnected world of computers, smart phones, tablets, and more has shifted in monumental ways from the “old days” of two or three years ago. Firewalls around mainframes, you say? How quaint. An occasional disgruntled employee causing a bit of havoc in one little corner of the company? If only.
Today, the “cloud” serves as a gargantuan third-party host for data, but who’s minding that particular store? Literally millions of attempts occur daily to damage and plunder information, with some of the more egregious ones making the evening news. Right, Sony? And Target? And American Express? But those aren’t the only ones being zeroed-in on. Not by a long shot.
Let’s start by defining the issue. According to “Cybersecurity in the Pittsburgh Region,” a report recently issued by the Pittsburgh Technology Council, the worldwide monetary loss from cybercrime attacks has been extrapolated to be between $70 and $400 billion. The wide variance is due to the fact that many companies deal with data breaches quietly.
A recent study done by Computer Associates and the National Cyber Security Alliance—the first to study the link between specific online behaviors and the potential for becoming a victim of cyber crime—showed that 83 percent of adults who use social networking sites unwittingly open the door to hackers and identity thieves.
Attackers fall into a range of categories, including disgruntled and dismissed employees, domestic and overseas competitors and even foreign governments and terrorists. Scores of websites are now readily vulnerable to international hackers and virus writers in numerous languages and cultures.
The types of attacks have a spectrum of their own, ranging from the $45 million stolen from ATMs worldwide by hacking into consumer prepaid credit card accounts, to the cyber “Pearl Harbor” warned of by former Defense Secretary Leon Panetta, who singled out the country’s utility grids, financial networks, and transportation systems as being particularly vulnerable.
Carnegie Mellon’s CERT/CC, part of the university’s Software Engineering Institute, has as its primary charge pre-empting or responding to any threats to the security of the Internet, and the millions of computers connected to it, as well as analyzing product vulnerabilities that could place organizations and individuals at risk. Tom Ridge, former Governor of Pennsylvania and the nation’s first Secretary of Homeland Security, recognized CERT/CC as “a key element to our national strategy to combat terrorism and protect our critical infrastructure.”
The Pittsburgh office of the FBI has been a leading cyber-crime-fighting unit since 2000, when it became the first branch to hire an official computer science agent. During the same year, FBI/Pittsburgh and CERT/CC joined forces to form the Pittsburgh High-Tech Computer Crimes Task Force, the first in the nation, and a unit of consolidated federal, state, and local law enforcement trained and directed to address cyber-crime.
This innovative task force also led to another breakthrough initiative, the National Cyber Forensics & Training Alliance (NCFTA), the first partnership of its kind in the U.S., providing a neutral collaborative venue where critical confidential information about cyber incidents can be shared discreetly, and where resources can be shared among industry, academia, and law enforcement organizations. President Barack Obama in 2009 named NCFTA as one of three international organizations that stand out as an “effective model” in national cybersecurity.
CMU instituted CyLab in 2003, a multi-disciplinary and university-wide program dedicated to creating new secure, trustworthy, and sustainable computing systems to help predict and respond to cyber attacks. The Software Engineering Institute at CMU continuously develops a curriculum to teach system and network administrators about information assurance, including ways for them to think and act on security issues related to their specific organizational infrastructure.
At the University of Pittsburgh, the Department of Information Science and Telecommunications has established the Laboratory of Education and Research on Security Assured Information Systems (LERSAIS)—a premier program focusing on the diverse problems related to security and survivable information systems, networks, and infrastructures. LERSAIS curriculum is used by the federal National Security Administration, among other agencies.
The “big picture” concerns appear to be in good hands, but what about the rest of us?
“For the past 10 to 15 years, customers have been sold the same story, that ‘Security looks like—blank,’” said Sam Cattle, Consulting Manager and Security Architect for Pittsburgh-based Rolta AdvizeX. “But it doesn’t fit everyone the same way. Security trade groups get together and say the only way to totally make a system secure is to pull the plug out of the wall. You could spend all of your budget on security and still not be done. How much is enough? You need to ask, ‘what do I really need to protect?’
“You need to figure out which part of the elephant we need to eat,” he continued. “It’s a persistent threat. We are under attack all the time. Forensics on computers show that the source has already been gotten into. To not believe that is to close your eyes to the truth. The bad guys are already inside. We need to be able to identify them and act on them.”
Cattle said that, as major breaches of security occur, government fines continue to get larger—all in an attempt to force businesses to take protection of their data more seriously.
“Security professionals today need a utility belt like Batman,” he said. “We can’t rely on the castle-and-moat analogy anymore. Before, the ratio was 80 percent protecting and 20 percent detecting. Today it’s at least 50-50, and leaning more toward detecting.”
Rolta AdvizeX’s Security Advizer focuses customers on the right areas of attention, based on their particular cyber scenario. Said Cattle, “Especially for mid-market customers, this is vital because they don’t have the budget for security, but need better security support.”
“Today, security is the hottest topic on the planet,” noted Frank Trama, co-founder of Packet Viper, another locally based company. “It’s not all about money anymore. The real ‘gold’ now is personal information that can be spread around the world. I can change my credit card number, but I can’t change my Social Security number, can I? Claims made by detection security systems are the biggest false hope.
“Anti-virus software is only a Band-Aid,” Trama said. “Packet Viper limits how the world gets into your environment. There was no mechanism to stop network traffic, so we created a device to limit the scope of incoming data. That way, it’s easier to stop the bleeding if something gets inside. Our product reduces threat exposure immediately by blocking everyone who is not coming from the customer’s pre-approved locations.
“One of the biggest problems in cybersecurity is volume,” he said. “People get overwhelmed sifting through data. Ours is the only service to limit volume coming in. When I see a threat coming in now, it’s like a meteor heading for the earth—I know it’s big, in other words. We don’t have the volume problem anymore.”
It can never be forgotten, however, that all of these amazing machines and portable chunks of technology still operate in the frighteningly fallible hands of human beings. Don’t we deserve some share of the cybersecurity burden, as well?
“You can have all the firewalls in place, but if you aren’t aware and careful, you could still lose it all—even being forced to go out of business if the damage gets high enough without a backup,” warned Michael Kuhleman, who along with Mike McKenzie founded M2 Technology, based in the North Hills of Pittsburgh. “Hackers get into one simple log-in made in error by one employee, and even a large Amazon-sized business can be completely wiped out.
“Keeping hackers out means building in behavior modification for people using these systems,” Kuhleman said. “A lot of the attacks are geared to take advantage of people looking for stuff online. For mobile devices relying on vendor security, what looks like a melting pot of services is really more like a mine field. Employees using their own devices opens a tremendous can of worms. If an employee opens the wrong attachment, your complete data security could be affected.”
M2 Technology provides training in employee behavior modification—things like “don’t write your password on a Post-It note” and “don’t import unprotected external data”—with the main idea always remaining an insistence that each user accept personal responsibility and accountability.
Based in the Strip District, Wombat Security Technologies is leading the way by providing security education solutions that positively change employee behavior. Wombat’s SaaS training solutions help organizations teach their employees how to identify and avoid cyber security attacks.
So, what does the future hold for cybersecurity? In many ways, it’s a blending of the main ideas cited by others in this article: personal responsibility, better channeling and protection of data, and improved technological tools to thwart hackers.
“Before, if you had sensitive data on a device, everything was on a sandbox environment where it was available for anyone to get at it,” said Kayvan Alikhani of RSA, a San Francisco-based security provider. “More than 80 percent of all fraud can be traced back to authentication failures—someone other than the proper user is using a device or computer. We’re now seeing a multi-layered approach where you can store secure information separately. Not all devices have this yet, but all will have it soon. I see this as a critical development to better tie up private information and protect it.
“This development goes hand-in-hand with the idea that devices are at the edge of the system, so they need to be protected,” Alikhani continued. “Instead of cracking a mainframe and doing widespread damage from that source, hackers would have to steal millions of individual devices—then get past the new protections on those devices.
“The thinking is evolving to the point where, if this is a trustworthy device, then the security issue becomes more about the content,” he said. “For instance, if what the ‘user’ is about to do looks suspicious—like transferring $100,000, when that’s never happened before—the device itself can analyze the behavior and raise a flag.
“From the hacker’s perspective, this is not good news. This is a transformational approach, a more elegant way to protect users. If we can make incremental progress in improving device design, capabilities, and usage, that will go a long way. But you’re still only as strong as your weakest link.”