As a former New Yorker and regular reader of the New York Times, I was appalled when I read about the recent security breach yesterday. Appalled but not surprised. Regardless of the security talents and controls implemented at the NY Times, the bad guys were easily able to find a back door or open window and get inside.
I’ve done a lot of research on cybersecurity and APTs, so allow me to offer a few random thoughts on the breach itself and its implications.
1. NY Times CIO Marc Frons is getting a lot of air time as a result of the breach. I heard one interview where he said that the best solution here is better user education. To paraphrase, Frons said something like, “we need to educate our users so that they know not to click on links or open attachments in emails.” This strategy may lower risk by some incremental amount but with all due respect to Mr. Frons, this really won’t work. Sophisticated hackers vs. employees is a complete mismatch. Educate users? Yes. Expect measurable improvements from user training? It’s not gonna happen.
2. The security breach at the NY Times clearly illustrates the need for a new endpoint security model. AV software may be a compliance requirement and a best practice, but it remains blind to modern 0-day and polymorphic malware. Either endpoint security software needs to be improved or it will be replaced.
3. If your organization is not evaluating or implementing Advanced Malware Detection/Prevention (AMD/P) solutions from vendors like Damballa, FireEye, Malwarebytes, Sourcefire, or Trend Micro, then you deserved to be hacked. I’m not suggesting that any of these tools is a panacea, but all are designed specifically to find, block, and let you know about advanced malware. Some combination of these tools should be a first step for all vulnerable or targeted organizations.
4. The NY Times breach is a perfect illustration of why large organizations need big data security analytics. Traditional security safeguards were about as effective as a sleeping watchdog as this cyber crime unfolded. So what did the Times do? Called in Mandiant to gather data from logs, systems, networks, DNS, etc. This is what big data security is intended to do in real time. While no one likes to see security incidents, the NY Times breach happened the same week that IBM and RSA announced big data security solutions and illustrated a perfect use case for these products.
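To make the "gather data from logs, DNS, etc." point concrete, here is an added example of one analytic a log-centric security analytics pipeline would run; it is not code from the original post, from Mandiant, or from any vendor named above. It assumes a simple one-line-per-query DNS resolver log format (`timestamp host domain`) and uses a handful of constructed, labelled sample lines. The analytic flags a host that queries a domain at a nearly fixed interval while few other hosts query that domain at all, the kind of periodic check-in that malware command-and-control traffic tends to produce and that a sleeping-watchdog AV agent never sees.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log (not real data); format: "ISO-timestamp host domain".
# ws-17 queries one rarely-seen domain every ~2 minutes; ws-22 shows ordinary browsing.
SAMPLE_DNS_LOG = """\
2013-01-30T09:00:00 ws-17 www.nytimes.com
2013-01-30T09:00:05 ws-17 mail.example.org
2013-01-30T09:00:10 ws-17 cdn-update.example-bad.test
2013-01-30T09:02:10 ws-17 cdn-update.example-bad.test
2013-01-30T09:04:11 ws-17 cdn-update.example-bad.test
2013-01-30T09:06:10 ws-17 cdn-update.example-bad.test
2013-01-30T09:08:09 ws-17 cdn-update.example-bad.test
2013-01-30T09:03:00 ws-22 www.nytimes.com
2013-01-30T09:05:00 ws-22 mail.example.org
2013-01-30T09:07:00 ws-22 www.nytimes.com
2013-01-30T09:15:00 ws-22 mail.example.org
"""


def parse_dns_log(text):
    """Yield (timestamp, host, domain) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue


def find_beacons(log_text, min_queries=5, max_jitter=0.2, max_hosts=2):
    """Return (host, domain) pairs whose query timing looks like periodic beaconing.

    A pair is flagged when:
      * the host queried the domain at least `min_queries` times,
      * the coefficient of variation of the inter-query gaps is below `max_jitter`
        (i.e. the gaps are nearly constant), and
      * no more than `max_hosts` distinct hosts queried that domain (rarity filter,
        which keeps popular sites such as a news front page from triggering).
    """
    per_pair = defaultdict(list)      # (host, domain) -> [timestamps]
    hosts_per_domain = defaultdict(set)
    for ts, host, domain in parse_dns_log(log_text):
        per_pair[(host, domain)].append(ts)
        hosts_per_domain[domain].add(host)

    findings = []
    for (host, domain), stamps in per_pair.items():
        if len(stamps) < min_queries or len(hosts_per_domain[domain]) > max_hosts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period  # coefficient of variation of the gaps
        if jitter < max_jitter:
            findings.append({
                "host": host,
                "domain": domain,
                "queries": len(stamps),
                "period_s": round(period, 2),
                "jitter": round(jitter, 4),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_DNS_LOG):
        print(f"{hit['host']} -> {hit['domain']}: {hit['queries']} queries, "
              f"period {hit['period_s']}s, jitter {hit['jitter']}")
```

The thresholds (`min_queries`, `max_jitter`, `max_hosts`) are assumptions chosen for the constructed sample; in production they would be tuned against a baseline of the organization's own resolver traffic, and the rarity filter would be backed by a domain-popularity or allow-list feed rather than a count over a single log window. The value of running this at scale is exactly the point above: the signal exists only when DNS data from every endpoint is collected and correlated centrally.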
5. The security industry generally agrees that APTs follow a lifecycle. CISOs need controls, monitoring, and analytics for every phase of that lifecycle, not just the initial intrusion.
6. There is a bigger global political problem here that needs to be addressed. It certainly appears like Chinese cyber espionage is out of control, but the U.S., Russia, Israel, Iran, and other countries are also hacking systems and capturing IP packets at a frightening pace. The Internet has become one big game of Telephone being played by friends, enemies, and double agents simultaneously. We need rules of engagement akin to the Geneva Convention and we need them soon.