Stung by a high-profile denial-of-service attack in December, PayPal's CISO says application layer attacks remain a major threat to businesses in general, which need better defenses and actual testing of the DDoS tools they have.
"We need better planning as an industry," says Michael Barrett, the CISO of PayPal, whose blog site was knocked offline late last year by the political hacking group Anonymous.
During a recent interview with Network World about his major security concerns and priorities for 2011, Barrett also listed advanced persistent threats (APT) as a major worry and the need for legislation to improve Internet security. In addition, he says that the payment card industry (PCI) standards for protecting credit card information need some tweaking to give businesses more flexibility without hurting security.
But as for DDoS attacks, businesses need to plan defenses and confirm how well they will handle real attacks to live networks, Barrett says, because tests in simulated environments don't scale large enough to adequately stress the defenses.
Another problem is that testing the actual network gets in the way of doing business. "We have to do more testing, but we haven't figured out how," Barrett says. "You can't shut off the Internet for a significant length of time."
As for APTs, Barrett says they pose two big problems: how to detect them since they are typically hard to find with signature-based tools, and what to do about them when they are found. APT code is designed to burrow into networks and resist eradication so even if one instance is discovered and cleaned, others remain to carry out malicious activity, he says.
A piece of malware found on a PC, for example, could be a simple virus infecting one machine or it could be the sign of something more sinister trying to steal intellectual property or customer records. An APT sent by a determined adversary likely means there is also a backdoor to let in more malware, he says.
"If you react to one backdoor at a time, you wind up playing a game of whack-a-mole," he says. Plus taking down just one instance of an APT and leaving the rest may tip off the attacker that it's time to enter the next phase of the attack, he says. Honey pots can help determine the nature of discovered threats and whether they represent random infections or sophisticated targeted attacks, Barrett says.
One piece of the solution is better network-based detection tools to augment e-mail, Web proxies, antivirus and anti-malware applications. These additional detection tools should seek anomalous behaviors networkwide so corrupted machines can be found and cleaned all at once to eradicate the APT, he says.
The true size of APT infection is difficult to know because it is so stealthy. "Many CISOs have been operating on the assumption that since they didn't know of anything, there wasn't anything," Barrett says.
On the matter of PCI standards, he feels that businesses need more flexibility in implementing security measures that guard against identified threats. The standards which have been criticized for driving the bulk of security spending for those companies that must comply with them, could use some refinement, he says.
Overall they address important concerns and impose security measures that can only benefit network security, he says. "I simply do not believe that these absolute minimum thresholds will force you to do things you shouldn't be doing already anyway," he says.
But the standards are vague in some areas and others are too specific, he says. For example, under the regulations certain traffic requires stateful packet-inspection firewalls. "What if you used another technology that was the equivalent? Then you'd get in an argument with your QSA [qualified security auditor required by PCI]," he says. "PCI should be more risk-based with more options and less that is prescriptive -- it's both too prescriptive and too vague at the same time."
2011 is a good time for security professionals to help shape needed Internet-security laws, Barrett says. "Technology is not legislators' strong point," he says. "The industry needs to spend some time educating Congress and its staff on issues to ensure what they do makes computing and the Internet safer and not less safe. They need to avoid the law of unintended consequences."
The top issue they should address is enforcement of cybercrime laws. Theft of $10,000 worth of goods online using fraudulent credit cards is unlikely to attract an aggressive prosecution, even if prosecutors knew who did it. The same theft from a brick-and-mortar retail store would attract an aggressive investigation, he says. "It's not lack of interest. It's that prior cases have been based on financial loss. $10,000 is not enough." In prosecuting real-world vs. online crime, there should be no significant difference, Barrett says.
Barrett says the industry should also support creation of a presidential commission to study cybercrime and find out how much is really lost directly or indirectly to cybercrime. He says he's heard estimates ranging from $2 billion to $26 billion in the U.K. alone, and estimates as high as $2 trillion worldwide.
Along with that, the commission should assess how seriously other nations treat cybercrime. For example, he says many people say Russia doesn't investigate cybercrime because of corruption, but that isn't always true. "There may be problems, but it does prosecute and sometimes punishes," he says. The goal should be to figure out how to encourage more reliable prosecutions. "Like terrorism, we need to study other governments and see how seriously they'll treat it."
The Convention on Cybercrime, an international treaty signed by the European Union and the U.S., sets encourages international cooperation in prosecuting cybercrime and setting up appropriate laws to do so. Signed in 2006, it doesn't yet have the teeth to be effective, Barrett says. "The mechanisms are 19th century," he says. "I've never seen a cyber investigator who asked for help [from another country] and got it in less than six months. The bureaucracy needs to be fixed."