Cyber Security Institute

Wednesday, May 01, 2013

Cyber-Responders Seek New Ways to Respond to Cyberattacks

Last year the South Carolina Department of Revenue found that a hacker had used a “spear-phishing” attack to install at least 33 unique pieces of malicious software and utilities on the department’s servers to steal financial data. In another headline-grabbing security breach a year ago, hackers from Eastern Europe stole the Social Security numbers of as many as 280,000 people from Utah Department of Health databases, an incident that quickly forced state CIO Steve Fletcher’s resignation. The Alexandria, Va.-based company is one of a new generation of network threat detection and response companies that have sprung up over the last few years to complement traditional anti-virus and data loss prevention approaches that — although still necessary — are inadequate to cope with new types of targeted attacks. Indeed, a post-breach investigation of Chinese hackers’ cyberattack last year on The New York Times’ computer systems uncovered that anti-virus software found only one of the 45 different pieces of malware planted on The Times’ systems during a three-month period.

Local and state government offices that may not see themselves as prime targets for theft of intellectual property or financial information can be used as the weak link to get at financial institutions, Ling said.

The business models of large anti-virus vendors such as Symantec and McAfee incorporate everyone who has a computer, because perimeter defense is an important aspect of protection and is mandated by many federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA).

As with other vendors, FireEye’s starting point is that malware threats evolve so quickly that the traditional protection model is antiquated, explained Phillip Lin, director of product marketing.

“When we were working for McAfee, we investigated large breaches such as Aurora,” recalled Dmitri Alperovitch, a CrowdStrike co-founder and former vice president of threat research at McAfee.

Based in Orange County, Calif., CrowdStrike was founded in 2011 by George Kurtz, the former worldwide CTO of McAfee; Alperovitch; and Gregg Marston, who worked as chief financial officer of Foundstone Inc., a cybersecurity forensics firm that Kurtz sold to McAfee.

Mike Maxwell, director of Symantec’s state and local government organization, said anti-virus continues to be an important tool for containing and blocking malware, but other approaches are necessary to complement it. “This makes it difficult for traditional ‘signature-only’ anti-virus approaches to keep up with these evolving threats,” he explained in an email response to questions from Government Technology. But it also builds a list of bad stuff, such as the application communicating with a known bad IP address or attempting to insert files in other common load points, such as the registry, removable storage or file system, so this may be suspicious activity that would be blocked, logged or alerted based on configured policy.
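The behaviour-based approach Maxwell describes (a running list of suspicious actions per application, with block, alert or log decided by configured policy rather than by a file signature) can be sketched as a small policy engine. The following is an added illustration, not Symantec's code or anything from the article: the known-bad address, the load-point prefixes, the rule names and the sample telemetry events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel entry; 203.0.113.0/24 is a documentation range, not a real indicator.
KNOWN_BAD_IPS = {"203.0.113.45"}

# Common load points the policy watches: registry Run keys, the Startup folder,
# and a removable drive letter. These prefixes are constructed for the example.
LOAD_POINT_PREFIXES = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup",
    "e:\\",
)

# Configured policy: which action each (hypothetical) rule name triggers.
DEFAULT_POLICY = {"bad_ip_connect": "block", "load_point_write": "alert"}
# Ordering used when one process trips several rules: the strongest action wins.
SEVERITY = {"log": 0, "alert": 1, "block": 2}


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    kind: str      # "connect" (outbound network) or "write" (file or registry)
    target: str    # destination IP address, or the path/key written


def classify(event: Event) -> Optional[str]:
    """Map one telemetry event to a rule name, or None when nothing matches."""
    if event.kind == "connect" and event.target in KNOWN_BAD_IPS:
        return "bad_ip_connect"
    if event.kind == "write" and event.target.lower().startswith(LOAD_POINT_PREFIXES):
        return "load_point_write"
    return None


def evaluate(events: List[Event], policy: Dict[str, str] = DEFAULT_POLICY) -> Dict[str, Dict]:
    """Build the per-process list of suspicious behaviours and the strongest configured action.

    Returns {process: {"findings": [(rule, target), ...], "action": "log"|"alert"|"block"}}
    for every process that tripped at least one rule; benign processes are omitted.
    """
    verdicts: Dict[str, Dict] = {}
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        action = policy.get(rule, "log")  # unknown rule names default to logging only
        entry = verdicts.setdefault(ev.process, {"findings": [], "action": "log"})
        entry["findings"].append((rule, ev.target))
        if SEVERITY[action] > SEVERITY[entry["action"]]:
            entry["action"] = action
    return verdicts


# Constructed sample telemetry: one process phones home and installs a Run key,
# one writes an ordinary document, one drops an autorun file on removable media.
SAMPLE_EVENTS = [
    Event("updater.exe", "connect", "203.0.113.45"),
    Event("updater.exe", "write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("notepad.exe", "write", r"C:\Users\alice\Documents\notes.txt"),
    Event("sync.exe", "write", r"E:\autorun.inf"),
]

if __name__ == "__main__":
    for proc, verdict in evaluate(SAMPLE_EVENTS).items():
        print(proc, verdict["action"], verdict["findings"])
```

The point of the design is that no single event is judged in isolation: a process that both contacts a known-bad address and writes to an autostart location accumulates two findings, and the policy table, not the engine, decides whether that is blocked outright or merely raised to an analyst.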

Yet Howard said he has seen real change during the past few years: More organizations are moving away from denying that they are under attack; instead they are trying to figure out how they can limit the damage.

Booz Allen Hamilton’s Ling said that although these new companies may be good at what they do, it’s difficult to create a business model around any one aspect of protection, and a chief information security officer may not want to create a mix-and-match solution, because then the risk is assumed by the decision-maker, not the solution provider.
