(ISC)² Top Executive Underscores Software, Supply Chain, and Cloud Services Security at Major Regional Conference
At the SecureAsia@Manila 2013 conference, (ISC)2 Executive Director W. Hord Tipton underscores the need for software and supply chain security, and holds cloud services as a good option for acquiring the use of systems built and managed with competent information security and relevant best practices.
SecureAsia@Manila 2013–eighth in the annual SecureAsia conferences co-organized since 2006 by the International Information Security Systems Certification Consortium, or (ISC)2, and by Information Security Asia—was held at the Makati Shangri-La Hotel last month.
Described as the world’s largest organization of IT security professionals, (ISC)2 has over 90,000 members across the globe with around 12,000 or 13% coming from the Asia-Pacific region. Formed at the instigation of the Special Interest Group for Computer Security (SIG-CS) of the Data Processing Management Association (DPMA), (ISC)2 was organized in 1989 to provide vendor-neutral programs for articulating and certifying the competencies of information security professionals. The organization has since evolved into a broader role, adding education and advocacy programs to its certification efforts.
The SecureAsia conferences co-organized by (ISC)2 have become venues for in-depth briefs and discussions on the impact of latest trends, changing threats, and emerging technologies on the information security mission of its members. Conference delegates even earn credits in the organization’s Continuing Professional Education (CPE) program. These conferences get down to brass-tacks and are not for the uninitiated.
SecureAsia@Manila 2013 was endorsed and co-organized by the National Defense College of the Philippines (NDCP) and by the NDCP Alumni Association, Inc. (NDCPAAI). Vice President Jejomar C. Binay, himself having earned a master’s degree in national security administration at the NDCP, gave the keynote address for the second year in a row (he was the keynote speaker for SecureAsia@Tokyo 2012 as well).
This year’s SecureAsia conference was themed “Building a Secure Cyberworld,” headlining five main topics: (1) organized crime, (2) cyber-espionage, (3) mobile devices, (4) outsourcing, and (5) stringent regulatory controls. These topics were named in the wake of Kaspersky Labs’ discovery last January of the Red Storm threat, a computer worm attributed to organized crime groups, that mined infected government and military systems for sensitive intelligence, and that was revolutionary in its infiltration not only of deskbound or portable computers but also of smartphones and other personal mobile devices.
Asked to comment on whether most of the topics were in direct response to Red Storm, (ISC)2 Executive Director W. Hord Tipton illustrated just how quickly the threat landscape can change when he instead pointed out that all five topics underscore the need for application security, a sixth topic that was pushed into the foreground by new information that emerged just recently.
Tipton refers to data in recent Verizon data breach reports showing that 70 to 80% of software vulnerabilities are discovered by third parties—not the software publishers or their customers but individuals and organizations that aggressively seek out these vulnerabilities. The common motive: simple profit.
“There are so many elements of malware nowadays that it’s so hard to keep track of the darned things,” Tipton says. Referring and giving credence to the report of The New York Times in July about nations buying hacked flaws in computer code, Tipton pointed out that most software vulnerabilities are detected and fixed only an average of 312 days after they have been engineered into exploits and deployed into cyberspace. And even before those 312 days to detection and fixes start counting down, Tipton says that “malware can lay dormant for any length of time”—it now appears that the Red Storm worm had lurked for half a decade before it was detected last January.
Microsoft and Google now have to offer bounties for vulnerabilities. “Used to be that you’d get a t-shirt or get named on their website, now you get cold cash,” says Tipton. “They started out paying $3,500. Now Microsoft pays anywhere from $30,000 to $150,000 and the reason they’re so expensive is they have to buy them back from auctions because the people who were finding these for them, historically for a token of appreciation, no longer do that.”
And, if you bring a so-called zero-day vulnerability—a previously unknown software flaw—to Microsoft, “You have to bring a solution to it, you have to bring the fix and patch for it at the same time.” Asked if he didn’t find this counter-intuitive because it makes it easier to sell to others who are not interested in fixes, Tipton reacts, “That’s what drives the market up! That’s what I’m saying. It’s a scary article.”
“If you look at [the list of application vulnerabilities], oh what’s the top ten, you don’t see any change in it,” Tipton says. “You really see what was there ten years ago. And one has to ask, why don’t we have better software? You can tie that to vulnerabilities at any point along the chain, and there’re thousands of them now.” Tipton goes further and says, “If you produce more hacker resistant software by eliminating and not taking so many risks with it, with the software, then you don’t have to wait the 312 days to fix it.”
Asked to comment on how the 2003 Northeast blackout in the U.S. was traced back to an error in the energy management system they were using, the same system being used by the National Grid Corporation of the Philippines (NGCP) which experienced a similar failure during the Luzon outage last May 8, Tipton replied, “That’s the problem I’m talking about.”
“You’ve got your legacy systems that we know were not built with security in mind. The Internet was not built with security, neither were these systems. Particularly, the systems that take care of our critical infrastructure are old, they’re not updated. It’s difficult to keep them updated, they’re very difficult to manage even as they are. And yet, on top of that, we continue to produce the same faulty software.”
Tipton observes that, “It’s an accepted business practice now to build something quickly, upgrade it, get it to market in three months and the software company is off the hook. Who patches it? I have to patch it. I have to hire more people to keep up with the more intricate patches that come up. These patches, they’re so involved that they conflict with each other.
“Ninety percent of breeches that occurred in the last three years could’ve been stopped with simple or medium controls. These were not sophisticated. It’s the basic tactic: we call it blocking and tackling.”
Tipton continues: “Vulnerability exploits, software companies evaluate this stuff by risk. Business owners determine what they fix by the risk and impact that comes from it. And they have scanner systems, they know what these vulnerabilities are. And if it’s critical, they catch it, they fix it. Let’s say its SQL injection. That’s the most common one out there in terms of attacks. It’s almost like they say, ‘well, SQL’s gonna happen, we’ll just deal with it when it comes up.’ I can’t give you an example of a good paragon of a software development company—look at all of them.”
Asked if the SecureAsia conference topic on stringent regulatory controls pertains to software developers, Tipton reacts: “Oh absolutely! Well, I probably shouldn’t say this but if you look at the power within the software companies, look at the top ten capitalized companies in the world, look at the zeros behind their values, that translates to influential political power. And if we look at the nightmares the U.S. has been going through in trying to get its regulations through on improved controls and all, in the infrastructure and the control systems, they can’t get it through congress. Nobody wants to be regulated.”
“What it really comes down to is 90% of our infrastructure is run by the private sector. The federal government telling them what they have to do, what they can’t do in terms of putting them in there—again, companies operate on the bottom line—and replacing all of that stuff to the specifications of the U.S. government just terrifies them, and they don’t want any laws that say that.”
The Philippines is the leader in business process outsourcing (BPO), a sector that is heavily dependent on virtual private networks (VPN’s) and virtualization technology in general. And, last January, BBC News reported on the case of a software engineer in the U.S. who was caught outsourcing his work to China, paying a fraction of his salary for contractors in Shengyang to do his work and even giving them unauthorized access to his company’s VPN. Asked to comment on this case, which Tipton was familiar with, enough to know that the U.S. engineer actually contracted out as many as six of his jobs, he said that this is why he also emphasizes supply chain security and the need for conventions, if not regulations, in BPO services as well.
Finally, on a related topic, with the emergence of cloud services that are themselves built on virtualization, the same technologies that make BPO possible, Tipton says that “the Cloud” could ironically be “our salvation.” With commercially asserted security and integrity, cloud services providers commit themselves and are tangible stakeholders in keeping client data and communications secure, leveraging economies of scale to implement measures and best practices that would otherwise be much more expensive and far beyond the competence of their customers.