07/25/2012 3:20 PM

Black Hat: 6 Lessons To Tighten Enterprise Security

Opening the Black Hat conference, former FBI executive assistant director says businesses can learn from how the FBI now fights terrorists.
How can corporate America cure its information security ills? Take a page from the FBI's terrorism-combating revamp.

That was the pitch made by Shawn Henry, president of CrowdStrike, in his keynote presentation Wednesday opening the Black Hat 2012 conference in Las Vegas. Until March 2012, Henry was the executive assistant director of the FBI, with responsibility for all of the FBI's criminal investigations worldwide, including cyber investigations, the critical incident response group, and international investigations.

After Sept. 11, said Henry, the FBI retooled to better combat "kinetic terrorist attacks--bombs going off, and people getting killed." Doing this meant admitting that terrorists might already be at work in the country, and then finding the best way to help the bureau and other intelligence agencies gather and share better intelligence.

Now it's time for businesses to admit that they also face new types of risks. "Today, with a $500 laptop and an Internet connection, anyone anywhere can attack anyone, anywhere," said Henry. But many senior executives seem to have been slow to catch on to this new state of insecurity. "I still hear from CEOs: why would I be a target? Why would they come after me?" said Henry.

But senior executives must get proactive about combating security threats. To do so, Henry recommends applying 6 lessons learned by the FBI:

1. Assume You've Been Breached. In recent years, forward-thinking CISOs have adjusted their information security perspective. Instead of trying to keep their network 100% secure, they're admitting that preventing every breach is impossible. Accordingly, they need to be able to quickly spot intrusions and then quickly respond.

Unfortunately, not enough businesses have come around to that more progressive way of thinking. "I can't tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network," Henry said. "We sit down with the CISO or COO, and they said it couldn't have happened." But typically, after a bit of analysis, they find that their perimeter security defenses were breached months--and in a few cases, years--before. Of course, because they failed to spot the breach, the business's sensitive information could have been exposed for months or years.

2. Beware Foreign Intelligence Services. Who is best at stealing corporate data? "Foreign intelligence services ... are the most important threat today," said Henry, who said there are dozens of intelligence services with the ability to launch highly sophisticated reconnaissance-gathering operations. When such operations are successful, he said, they put businesses on the opposing side at a disadvantage during negotiations. "It's like playing poker with a marked deck," he said.

3. Get Proactive. "If you agree with the premise that someone has breached your network, that they're already in there, then why aren't you looking for them?" said Henry. "We have to constantly be looking for them." But he pointedly stopped short of calling for hack-back attacks, which he said would break the law. Instead, he recommended counterintelligence, such as leaving "decoy documents"--fake intelligence--to fool attackers.


re: Black Hat: 6 Lessons To Tighten Enterprise Security

While I agree with the majority of points that Mr. Henry is making, I find point number 4 to be somewhat short-sighted and quite telling of his background.

In this day and age, access to information, any information from anywhere, is what drives the private sector. Mobile, nimble, quick to react organizations are more apt to survive in business as opposed to those who can't keep up with the break-neck pace.

Organizations are compartmentalizing data, from what I've seen in the field, but having a desk drawer full of folders in the CEO's office under lock and key doesn't do that CEO any good when they're working remotely and need access to that information.

Any time data is digitized, it's much more mobile - but it's also much more vulnerable. Businesses have to determine what their level of acceptable risk is when it comes to deciding what can or should be thrown into their document management system and what shouldn't.

Andrew Hornback
InformationWeek Contributor

re: Black Hat: 6 Lessons To Tighten Enterprise Security

I agree with Andrew. The comments of Mr. Hornback appear not to fully appreciate the demands of what it takes to succeed in the private sector today, or what our most important threats are. The private sector moves at warp speed compared to the public.

Much of the piece is relatively "macro", as there are plenty of threats in our existing infrastructure. For example, yesterday I learned that the cloud service we've used, Egnyte, did not just have a vulnerability (which happens) but failed to have even the most basic controls in place and misrepresented their security architecture (and they're supposed to be HIPAA-compliant).

If you can't even rely on a leading cloud service to provide basic security, aren't we spending too much time worrying about the Chinese?