SAN ANTONIO – Brigadier General (Ret.) Gregory Touhill, appointed in 2016 as the nation’s first Chief Information Security Officer, spoke to a group at the Alamo AFCEA Luncheon in San Antonio on Tuesday. Touhill discussed the current state of cybersecurity, common methods of attack, and how attacks can be combatted.
According to Touhill, in some cases our government is still operating equipment that was manufactured before the operator was born. “If you consider that the technological relevance of a computer ages at about 25 times the rate of a human being, we are depending on equipment that is several hundred years old. Well beyond the end of its intended life-span.”
We are still using VPNs which, according to Touhill, were never intended to be used in the manner in which most of us use them. “They clog our firewalls, cause network arteriosclerosis, and IDS/IPS dysfunction. They’re ancient technology.”
Many of us can recall a time in the 80s and 90s, especially at the dawn of the internet boom, when popular culture presented “hackers” as largely incredibly brilliant, maladjusted youth bent on sticking it to the man. Later, hackers and hacking groups were cast as international criminal enterprises or villainous foreign political operatives.
None of these characterizations is incorrect, though they fail to cover the full spectrum of those who attempt to electronically breach, steal, or vandalize. Thanks to the proliferation of bots and ransomware (among other items), and the ability to learn how to use such tools over the course of a bathroom break spent on YouTube, anyone and everyone with internet access possesses the ability to do great harm to another.
The more complicated attack methods of the past— those involving password cracking, packet spoofing, etc; generally required some level of expertise on the part of the attacker. This is no longer the case.
Touhill listed off the types of individuals involved in data breaches. You have your political operatives who might target troublesome individuals or organizations; intelligence services who wish to acquire information they deem important to their nation’s defense (or offense), you have rogue individuals or groups motivated to seek vengeance through vandalism or public shaming of a person or organization.
The vast majority of attacks in modern times begin as phishing attacks. Touhill says as many as 91% of all attacks begin in this manner. “It’s a low-risk, high-reward method, and you only need for one of the thousands of recipients of your malicious message to start working on their email before the caffeine hits their system. One careless click and the attacker in business.”
Risk-level is never zero. Never. There is no one-size-fits-all solution. No silver bullet.
There is no perfect way to manage risk, but Touhill says there are a few things almost any organization can do:
1) Institute a zero-trust security model. Edward Snowden was trusted by his employer. He was given the benefit of the doubt because he hadn’t yet stolen data. And yet, the first time he breached that trust was when he illegally retained 1.7 million classified intelligence files. Too late.
2) Employ proportional defense. Know the value of your information, which assets hold the highest value, and align defenses based on these assessed values.
3) Turn on DMARC (Domain-based message authentication, reporting & conformance) to significantly reduce phishing and other fraudulent email.
4) Stay current. Focus on your people, process, and technology.
5) Bake security into your contracts. Touhill advises that considerations for security, portability, independent auditing, pen-testing, and log access be specifically included in contractual agreements.
6) Invest in training for your people. “Champions are champions not because they do anything extraordinary but because they do the ordinary things better than anyone else.” – Chuck Noll