Dell on cyber security: You're screwed
I’m at the Dell Analyst conference this week and the Thursday morning session was all about security.
The track was well attended, likely because a lot of people have become very concerned about security thanks to the news that hackers from China have managed to compromise a number of companies along with US weapons systems under development.
Simply put, it is increasingly obvious that we are in the midst of a cyber-war. Truthfully, we have been enaged in one for some time but seem to avoid talking about it. Interestingly, Dell's Chief Security Officer is a guy who apparently received a number of awards from the FBI. Plus, the company has acquired a number of security companies over the last several years. As such, they are one of the few firms that integrates physical security (how you move around the Dell campus) with cyber security. As such, Dell is arguably one of the most secure firms in what is traditionally a very security conscious segment.
I’ve covered or managed security for most of my life and actually spent a short time in law enforcement. One of the things Dell said (quoting a US General) that resonated with me was “when it comes to national security you depend on the Federal Government, when it comes to personal security you depend on the local police force, when it comes to cyber security who do you depend on?” Dell’s CSO argued you need to look in the mirror and for most of us that means we are screwed. Let me explain.
The Changed Security Landscape
Back when I started in security most of the threats were physical, as cyber issues were mostly limited to viruses that kids wrote to be annoying. Yes, the viruses certainly had the potential to be damaging, but they moved slowly through something we termed “sneaker net” by inflected floppies. They could do damage but they were relatively easy to contain and the serious attackers needed to generally gain physical access to systems to pull off information. And while there were a number of such instances, generally they were by employees acting badly. That was the 1980’s.
1990’s: Microsoft Hate
This all changed rather dramatically In the 1990’s when there was a growing dislike of Microsoft, as well as a major attempt damage the platform. Back then, networks allowed viruses to move more quickly and cause more damage. This is really when the traditional security firms came into their own, even if theft was mostly still targeting physical access.
2000’s: Criminals Get Serious
During the 2000’s, criminal organizations in Eastern Europe began to execute very targeted economic attacks. Political groups also targeted web sites they didn’t like and denial of service attacks spread against both public and private sites. Nevertheless, most of the financial attacks against large companies weren’t reported and policies regarding whether customers should be told, along with what expenses the compromised companies should cover, were drafted. In addition, identity theft became one of the more troubling and costly trends. Identity protection firms started to appear but physical and cyber security largely remained distinct even though we were increasingly seeing blended attacks which could have elements of both.
2010’s: Cyber 9/11 - War
In our current decade, we have governments like Iran and China aggressively using cyber-attacks to acquire information, damage development, or perhaps most frightening, shut down utilities. The very sophisticated viruses that result can easily spread to private companies and individuals are doing massive damage. In the criminal space, and particularly out of Eastern Europe, there are attempts to capture banking passwords and IDs to gain access to accounts and most recently execute wire transfers which don’t have the protection that you typically see over checks and credit cards.
The US Government is talking about the coming Cyber 9/11 and we are all waiting for the “Pinto” moment - an attack so damaging it basically forces a large visible company to fail. Something a large enough non-recoverable bank transfer could do. Oh, and on these wire transfers, apparently the practice is to execute a large number of them followed by a targeted denial of service attack so the transfers can’t be stopped. Imaging your bank or Credit Union suddenly failing because it was drained of money.
Wrapping Up: We’re Screwed
Currently, the majority of Android products have been compromised in some way largely because Google didn’t take security any more seriously than Microsoft did in the 1990s. We know that viruses are running around on most PCs which either don’t have or haven’t updated their Anti-Virus software even though Microsoft now provides a basic product for free. Most company security efforts aren’t integrated and the majority of security breaches aren’t reported - so the sheer size of this problem really isn’t known yet. However, what is reported definitely has most security experts scared half to death.
Individually we don’t really have the tools or protections we need and neither local law enforcement nor national law enforcement is adequately funded or staffed to protect us and we certainly aren’t adequately trained or equipped to protect ourselves.
What you can do is watch your passwords, don’t reuse them widely, and when offered employ multi-factor authentication (that stuff where you use your pet or mother’s maiden name), although you should make sure to put in things that folks can’t find on the web. For example, enter your first car make for your dog, or your first girlfriend’s name for your mother’s maiden name because that stuff is a bitch to figure out. Monitor your bank, investment, and credit card accounts for unusual activity (I’ve had two cards compromised in the last 30 days myself), if someone sends you a link think twice before clicking it (it may not actually be from them), keep your anti-virus software up to date, avoid porn sites, and if your machine starts behaving strangely think about a deep scan or maybe even re-imaging and replacing it.
You might also want to make sure you have a generator and that your disaster supplies are current in case of a major utility failure and have rally points in the event of a major communications failure (both are increasingly likely).
But, in the end, until the Federal Government and local police step up to this threat which likely won’t happen until after either a Pinto moment or the Cyber 9/11 attack hits we are on our own, which for most of us, does kind of mean we are screwed. It goes without saying that if you are responsible for a firm’s security you might want to look at Dell’s solution because they are one of the few firms in their class that is, in my opinion, approaching security with anything close to the emphasis needed.