Mobile Malware is on the Rise, says NSA Top Official Debora Plunkett at IT Security Conference

Debora Plunkett: “We need to be able to address mobile devices in an automated way in order to allow us to deny devices that do not meet our policies.” Photo credit: Ibrahim Dabo

By Ibrahim Dabo
@IbDabo

Debora Plunkett, information assurance director at the National Security Agency (NSA), gave the keynote address on the opening day of the 8th Annual IT Security Automation Conference at the Baltimore Convention Center on Oct. 3, 2012.

Ms. Plunkett, whose responsibilities include protecting U.S. government computer networks, highlighted numerous challenges faced by IT security professionals in government, industry, and academia, as well as by individual citizens, and noted that these challenges are growing exponentially.

She especially touched on many challenges affecting enterprise IT with the advancement of mobile technology and the need for vulnerabilities to be explored and addressed by cybersecurity professionals.

Ms. Plunkett said the plethora of internet devices used today adds a lot of value to our work but also presents a lot of security concerns.

She said by 2015, it is expected that there will be twice as many internet devices as there are people in the world.

Debora Plunkett highlighted numerous challenges faced by IT security professionals today. Photo credit: Ibrahim Dabo

“So every device you own that is connected to the internet in some way constitutes not only a capability for you to be able to be more effective and efficient, but also, from my perspective, an additional attack surface that leaves your personal and business data vulnerable to theft or destruction,” Ms. Plunkett said.

She said given the heavy reliance on technology and many different applications that are being used today, any new technology or device that is introduced into an IT infrastructure has a great potential to introduce vulnerability.

“New malware is developed every day, and new variations are generated every second. Some estimates say one million new samples of malware are detected every month,” Ms. Plunkett said.

She said the sophistication of malware is increasing while the life cycle of the malware is decreasing, making it harder and harder for us to be able to track emerging trends and to prevent attacks.

Highlighting the magnitude of the problem, software security provider McAfee recently reported that 1.5 million malware-ready software pieces were identified in the April-June quarter of 2012.

Ms. Plunkett cited examples of multiple reported intrusions that occurred in the past 18 months which include the networks of both private and public institutions and organizations.

“The list is really staggering,” she said.

Companies intruded upon in 2011 include RSA, Sony, Citigroup, Lockheed Martin, Northrop Grumman, and Google; and in 2012, Foxconn, LinkedIn and financial institutions as well.

“I believe we can all agree that some of these targeted companies are what we would consider to be among the best at security yet they were still vulnerable to attacks,” Ms. Plunkett said.

She said these breaches combined have resulted in a transfer of wealth that has been estimated as the greatest in human history.

“This is truly highway robbery,” said Ms. Plunkett. “With that lost intellectual property valued at a staggering $1 trillion (one trillion) dollars annually, our future is disappearing right before us.”

She maintained that it’s not just the big businesses that are being targeted, but little start-ups as well.

“There is no personal or business network that is immune [to cyber-attacks],” she noted.

Attendees at the conference included professionals from government and industry. Photo credit: Ibrahim Dabo.

“Although our personal and business networks may appear to be secure now, the level and effectiveness of that security measure must be questioned and evaluated any time a new technology or device is introduced into our network,” said Ms. Plunkett, while acknowledging the very real and tough information assurance challenges this poses to cyber security professionals.

“Mobile malware is in fact on the rise,” she said, adding that since July 2011, Google’s Android malware has grown by more than 500 percent and that indications point to a continuing trend of new mobile malware being directed toward all kinds of mobile platforms.

As mobile devices are integrated into enterprise systems, they represent a new or expanded attack surface for those very systems.

She said enterprises may wish to impose different information access and authorization policies depending on their method of access and that the market is already starting to offer products flexible enough to do this.

“In a secure enterprise, we want to be able to exercise administrative control over our devices and over our data. Every mobile device is an extension of the network fabric. We need to know it’s our users that are authorized to do the work on the device we’ve issued with the software that we’ve put on it,” Ms. Plunkett said.

In order to allow access to the network, we need to be able to determine proof of possession and device integrity in an automated way.

“We need to be able to address mobile devices in an automated way in order to allow us to deny devices that do not meet our policies, to accept devices that are known and are in compliance, and to remediate devices that are known and out of compliance,” she stressed.
