Potentially dangerous chatter should be on security department’s radar
The things that threaten an organization’s security may not be the ones most security managers think about on a day-to-day basis. And in many cases, it may be an employee that is bringing the threat to your door.
“Some things really never change but the thing we need to focus on all the time is the human element involved both externally and internally,” said Patrick Gray, senior security strategist with Cisco Systems, speaking at the InfoSecurity Show at the Metro Toronto Convention Centre June 20.
Gray, who worked for the Federal Bureau of Investigation for 20 years,
was involved in the pursuit of Mafia Boy, the Canadian hacker who
crippled major Internet sites in 2000. He now works for Cisco, speaking
to senior-level decision makers at the executive level who may not yet
understand the importance of network security in an organization.
“It’s about getting buy-in from corporate on mahogany row,” he said.
“I’m not a sales guy, I’m not a threat to them – I talk to them about
vulnerabilities, what we’re seeing, best practices — that sort of
thing. They understand that kind of stuff as long as it’s explained to
them in a fashion they can understand at their level. We try not to
talk about ROI — that stuff is passé, they need to know what’s
And Gray’s experience in law enforcement means he can talk about
security from both the physical and IT perspective, something Cisco has
recognized as an important element in talking to their customer base.
In March, Cisco announced it had acquired Sypixx Networks, which offers
network-centric video surveillance software and hardware that enable
existing analog video surveillance systems to operate as part of an
open IP network. The acquisition means Cisco can deliver video
surveillance as part of a converged environment.
“We just created a physical security group headquartered in San Jose
where we’re starting to tie in all the biometrics and physical smart
cards and watching what’s happening on the network, not only from an IT
perspective, but from that physical perspective as well which I think
is great because I do see a convergence between IT and physical
security. From walking in the front gate, signing into the building,
flashing your card, logging into your computer – you need to know
everything that’s going on in the network and not because we’re spying
on people. It’s because at the end of the day we know how to go back
and find the root cause of a problem,” he said.
Gray said executives and their security departments need to understand
that threats change every day and must be monitored. “We need to focus
on the threats that come to us and understand something bad is going to
happen to your network — that’s a given. We need to prepare for that
eventuality. They want to crack your network — that’s the Holy Grail.”
With half the malware in circulation designed to steal data, not damage
computers, Gray said malware authors have shifted their focus from a
few years ago when the intent was simply to bring down a system. Now
the threat is even greater to an organization because proprietary
information can be stolen, often with no one knowing until it’s too
“Most individuals that download malware onto their networks aren’t
going to know that it’s there until the bad guys decide to fire it up
and use it,” he said.
Malware is software designed to infiltrate and damage a computer system.
Many communication tools used today, such as Instant Messaging (IM), can
be magnets for malware. Gray says there are about 400 million people
using IM every day in the world, sending between five billion and six
billion in one day.
“How many of those contain downloadable malware?”
Gray said he doesn’t see a good business case for using outbound IM
because it can serve as a vehicle for the transmission of malware.
“I don’t mind internal instant messaging,” he said. “At Cisco we use
internal IM only and we block all out-bound IM. It’s a great tool for
talking and collaborating internally but it’s not good stuff going
out-bound because you don’t know what’s going out-bound with it or
what’s coming in-bound with it because it’s not malicious until it
Gray emphasized the importance of explaining to employees why policies
are created around things such as IM usage and not writing about the
company on a personal blog.
“If you don’t have a blogging policy, please get one. Employees are
releasing proprietary data on them and we are seeing employees fired
every day because of it,” he said.
“A lot of (policies) can be draconian, but this goes back to the issue
that this is not their computer – they can do whatever they want at
home but this is a business tool. As soon as we learn that we will be
much better off,” he said. “Many websites you can download malware
without any active intervention on your part. We have to understand why
acceptable use policies.”
Gray recommends companies have a blog policy with strong wording
cautioning employees about writing about the company they work for. He
also recommends someone in the company be responsible for monitoring
whether anyone in the company is keeping a blog that might be used as a
vehicle to slam a boss or the organization as a whole.
“All you have to do is Google your company name followed by ‘blog’ and
you’ll be amazed. I was at a bank recently and I Googled the bank’s
name and blog and the first blog that came up was titled “this bank
sucks” – now that may be a disgruntled customer or it could be an
employee so you need to check up on what people are saying,” he said.