Q&A: A Word With Security Expert John Pescatore
John Pescatore’s vast experience in the security field is unmatchable. He started his career at the National Security Agency, designed and developed secure communications and surveillance systems for the U.S. Secret Service, was Gartner's lead security analyst for more than a decade, and is now the director of emerging security trends at the SANS Institute. All of this puts Pescatore in a unique position to comment on how security threats have changed over the past three decades.
In this wide-ranging interview, we asked Pescatore for his thoughts on the biggest security challenges facing small and midsize businesses (SMBs) today and what to do about them. We also got his thoughts on cloud security, trusted systems, the rise of biometrics, the biggest bang-for-the-buck investments for protecting client data and more.
BIZTECH: For our readers who may not know, could you tell them what the SANS Institute is and what it does?
Pescatore: Sure, SANS is probably the biggest information security training organization in the world. We train practitioners in all the detailed technical aspects of information security — from forensics to incident response, penetration testing, cyberdefense and chief information security officer management. We also have a securing-the-human program, which is a security-awareness training initiative to educate end users, and a program to educate software developers about how to think about security when they are writing software. So it’s largely a training organization from a revenue point of view. We also do a lot of pro bono community support.
BIZTECH: What does your role as director of emerging trends entail?
Pescatore: A couple of things. I work on a lot of the surveys we do. We survey the security community on things like denial of service [DoS] practices and salaries in the information field. Others address how they are dealing with advanced threats or bring your own device [BYOD], for example. I do an annual trends report covering what’s going to happen in the coming year. I also help the SANS community fight the good fight to advance the practice of security in general.
BIZTECH: What do you see as some of the biggest security challenges and emerging trends facing SMBs today?
Pescatore: Certainly the threats are changing constantly, and the big change here is that threats are much more targeted, and they’ll continue to get even more targeted. It used to be a virus was thrown out there and whomever it hit, it hit. Well, now the attackers are going after specific companies trying to steal specific information or cause DoS attacks against specific systems. And a lot of the older defenses — anti-viral, for example — were based on mass attacks, not unique targeted attacks. These new attacks are also continuing to increase the things hackers do to avoid detection, to be evasive, such as using encryption or finding very quiet ways of breaking in and staying hidden.
Probably an even bigger impact area, which I would like [to] state in [the] broadest term possible here, is the “choose your own IT” [CYOT] movement. You often hear it being called BYOD, with people saying, “I want to use my iPhone at work.” But it is really bigger than that. It’s business units saying, “Hey, we want to use Amazon.com to host this application because they are cheaper than what you guys said it would take to build it.” Or, “I want to use Dropbox so my team can collaborate quickly and easily.”
BIZTECH: So it’s more than just the device — it's all IT.
Pescatore: Unfortunately, much of IT management has been based on controlling the hardware and software users use, and the same with security. We built our security programs around IT controlling the hardware and software. But the game really changes when IT doesn’t dictate everything anymore.
BIZTECH: What can IT do about these new security challenges that are a direct result of it having to let go of control in today’s BYOD and CYOT world?
Pescatore: There are two sides. The responses to the threats need to change. But also, when you think about it, it is also about how IT is changing how it implements security programs.
One area that can help boost security that’s common across both sides is an effort SANS has been championing for the past six years that actually started with the NSA, oddly enough. It is called Critical Security Controls.
These are some good hygiene security habits to follow. It's sort of like how doctors say, “If everybody would just wash their hands more often, they would get sick less, or if you would just wear your seat belt, you would drastically improve your odds of surviving a car crash.” Critical security controls are habits that all organizations need to do to help prevent or survive a network breach.
Target’s a good example, so is Neiman Marcus. Pick any recent high-profile breach and you’ll find that almost invariably they all failed on one or more of what we call the top 20 critical security controls.
BIZTECH: You held a session on that topic last October.
Pescatore: Yeah, we’ve had a number of webinars and local conferences. There was a session other people at SANS did out at the recent RSA security conference on this, as well. So the first thing that enterprises large or small need to do is answer, “How are we doing with the basic hygiene kind of thing?” It’s not rocket science.
CYOT also means you have to rethink some of the older concepts of security. You know, when the PC came along it was breakage. Right. We were used to securing mainframes. And what did we do? We said, “Oh, we’ll put a whole bunch of security software on everybody’s PC, big anti-viral software and all that.”
Well, you know, in the CYOT and BYOT device worlds, you cannot do that. You can’t put huge pieces of software in iPhones. And if the employee owns it, you may not be able to put anything at all on it. So we need a change. And what’s come about is what you’ll typically hear being called mobile device management (MDM).
BIZTECH: Yes, or mobile enterprise management.
Pescatore: The idea there is, how does an employer balance that the employee owns the device with that he or she wants to use it to do work and carry sensitive corporate data and access systems on it? It [MDM] is becoming sort of the standard way of achieving that balance: secure enough to protect the company’s interests and flexible enough to allow the employee to take advantage of the device.
Another way to protect your business is to determine the security level of cloud systems that employees want to use. “Oh, you need Dropbox. Well, we have a secure alternative called Box.”
Trying to say no to these trends — “No, we just are not going to let you use iPhones” or “No, we can’t support cloud-based collaboration” — is not going to work. That fails. MDM is a way to allow the use of different types of devices. The other example offers alternatives to the less secure cloud applications. That way, when business units and employees want to do certain things, they can do so in a secure manner.
On the threat side of things, with these advances and the targeted threats, it really is an issue of, OK, you had firewalls and you had intrusion-prevention systems that worked against all older threats; it’s now time to upgrade them to next-generation products that can deal with these newer threats. One company that’s grown dramatically is called FireEye. They’re an example of a network-intrusion-prevention system that’s very good at detecting these targeted malware attacks. Similarly, next-generation firewalls from companies like Palo Alto Networks have also changed how we deal with today’s threats.
BIZTECH: We’ve had trusted systems — one method for managing threat security — for many years, but there still seems to be some waffling around it. Can you comment on why you think businesses have been slow up to adopt them?
Pescatore: The older definition of a trusted system was when a server had sort of a very special purpose operating system or was very locked down so that it could be “trusted” to block threats. It turned out that these trusted systems were really hard to use and most applications wouldn’t run very well on them. Also, if it was running on, say, Windows or Linux, when the operating system got updated, the trusted server needed to be updated, as well. So it turned out what were classically called trusted systems were so complex and expensive they slowed business down almost as much as an attack. They were something like self-inflected wounds.
Along comes the Apple iPhone, which is essentially a trusted system. It’s got a specially crafted operating system with lots of security built in with sandboxing and other protections. You can’t just run any software you want on an iPhone; it has to go through the Apple App Store. Not perfect but much better than the old model.
The newer definition, or a more realistic definition, of trusted computing that businesses are starting to implement on servers — standard Windows servers, Linux servers, whatever — have started to use concepts like what you see on the iPhone. They use whitelisting on servers to say: “Look, we have a very large list of trusted software that we know is OK, and if the system administrator or database administrator wants to run any of this software on the server, no problem. If he wants to load anything not in this whitelist, he can’t.”
That keeps malware off. It keeps the programs administrators might want to put on to do remote control, or even sabotage it or whatever, off. So that’s one concept of trusted systems today, sever-side whitelisting. Companies like Bit9 and SignaCert sell products in this area. There’s even, you know, Microsoft with what they call App Center in Windows.
Add one more concept and this is where sort of the Edward Snowden side of things enter the picture. That’s the idea of privilege management. Here, you say: “OK, those administrators are just limited. They can’t run any piece of software they want. But we also shouldn’t let them just dump the whole database to a flash drive and take it away.” Because when administrators dump the whole database it should only be for backups.
Administrators should not be able [to] peruse individual records at all, because that’s not what they do. Only customer-services reps or whoever performs individual queries as part of their job should be allowed to do that.
So adding privilege-management-type software to deal with this issue of an over-privileged account causing damage is important — whether it’s somebody like Snowden, who was an insider gone bad, or the case where an administrator’s PC is compromised and some hackers try to use his account to cause problems.
Think of the HVAC [heating, ventilation and air conditioning] contractors in the Target case. Why in the world were there HVAC accounts where they could access anything except the HVAC system?
BIZTECH: It sounds like in general the trend is that things are getting more complicated because the controls are becoming looser.
Pescatore: The controls have always been loose, but the attackers are getting more targeted. So they are saying, “OK, let’s go after the HAVAC guys and see what we can get to from there.”
At SANS we just did a thing with the financial industry up in New York. We had a CIO from a large financial organization that somebody asked, “What did you guys learn from the Target attack?” He said, “We’ve looked at third-party access to our systems, but I never even would have thought to look and see if the HVAC contractors had remote access.”
Turns out, in all the buildings they work in, HVAC systems are reached over the same network that everything else is on. So it’s not that hackers have gotten more complicated necessarily; it [is] just that the attackers are trying all these different paths nowadays. So privilege management, which we’ve known about for years and is one of the critical controls, is important.
There are two critical controls that cover privilege management, actually. There’s control 12, which is controlled use of admin privileges, and then there is control 15, which is controlled access based on the needs to know. So a HVAC contractor has no need to know financial information. If nothing else, Target could have suffered an attack where the bad guys turned off the air conditioning, rather than absconded with its customer database.
BIZTECH: Is there anything like, say, in health care, finance and retail, for example, that changes what security measures a business should take? After all, they all have their own compliance issues to deal with. Or should IT security basically be the same across industries?
Pescatore: Retailers such as Target, in particular, or anybody who accepts credit card payments, has to deal with what are called the payment card industry (PCI) data-security standards. These, unfortunately, were not designed to protect the cardholder. They are really designed to protect the banks and the card brands. Target’s a great example. Target was compliant. They had passed the test for the payment card industry data-security standards, but obviously, they weren’t protecting card data very well. The whole system is set up so merchants like Target will bear the cost of any of these types of incidents.
BIZTECH: Speaking of authentication methods, the iPhone 5 has mainstreamed the concept of biometrics, even though the technology has been around in one form or another for years. Are there real-world biometric security examples that SMBs can benefit from today?
Pescatore: Yeah, and it's definitely not biometrics. I mean, if you notice, the only time you hear about that Apple fingerprint sensor is when people are having problems with it. All forms of biometrics suffer from a particular problem: They are never digital.
With passwords, you either know it or you don’t. With biometrics, sometimes you put your finger on the thing and it says you’re not you. Your finger is greasy, or it’s dirty, or there’s a cut or something on it. That’s the same with facial recognition, anything biometric.
As an alternative to biometrics, you’ll notice the Microsofts, Googles, Yahoos, Facebooks and Twitters of [the] world have been rapidly adopting security systems where users still log in via a password, but they also receive a text message on their cellphone to verify identity.
BIZTECH: Multifactor security.
Pescatore: Yeah. It’s not the most secure system in the world, but it is a huge increase in security over reusable passwords. So we are starting to find that consumers, once they go through an identity-theft attack, where somebody did get their password, they’re perfectly happy to add text messaging into the security mix so they [don’t] have to go through that pain again. Especially for smaller businesses and anyone dealing with the general public, those second-factor authentication approaches that use cellphones are quickly gaining traction.
BIZTECH: It is not like you have to carry a second token on you.
Pescatore: Well, yeah, it avoids what I used to call the yet-another-thing-to-carry problem. You are going to carry your cellphone anyway.
BIZTECH: What are your thoughts on the FIDO Alliance, which is attempting to come up with standards to make biometrics systems biologically agnostic?
Pescatore: Yeah, biometrics — it is one of those things that every couple years there’s a burst of interest in. But there are just some fundamental problems that are difficult to get past. I mentioned the one about it not being digital. The other is, since biometric readers sometimes do fail, you always need passwords as a backup anyway.
BIZTECH: You recently chaired a panel on cloud security at the RSA conference. What should SMBs expect from cloud service providers when it comes to security? Are there any questions they should ask when sussing them out?
Pescatore: Yeah, what it comes down to is that all the major cloud security providers have done two things. One is obtain some level of security certification or blessing of their services. Typically, you’ll see what’s called Sock 2 [Security Organization Control 2]. That’s definitely something you want to ask for.
Another thing you can ask for is if they have achieved the U.S. government’s FedRAMP certification. FedRAMP is the U.S. government’s program that checks out cloud service providers to see if they’re secure enough for federal agencies.
If you find they have Sock 2 or FedRAMP, generally, they are going to be secure enough for any midsized-business use.
BIZTECH: Does the type of cloud platform you’re signing up for matter? Should you still be asking the same questions?
Pescatore: It is all pretty much the same. There are differences if you are using software as a service [SaaS] verse or infrastructure as a service [IaaS]. But the one type of cloud service businesses really need to check on are ones like a Dropbox. The sort of storage as a service offerings out there; because, obviously, when you’re storing your data, that’s sort of the holy grail of attackers these days.
There are a lot of these services that are good, that are very secure and have gotten certified. Then there are those cloud storage offerings that are free and advertising supported that we don’t know if they’re secure or not because they haven’t gotten these types of security certifications.
BIZTECH: So in the cloud world, the SMBs are the clients. But what about when the business itself is the one providing services. What can they do to protect client data? What solutions offer the biggest bang for the buck in achieving that aim when IT budgets are limited?
Pescatore: First, see if you can use secure cloud service to host your services. There are companies like a FireHost — and even the likes of the Verizons of the world that have bought up cloud service providers — that have some very secure cloud hosting offerings third parties can use. Terremark, for example, which is who Verizon bought. These are very secure cloud offerings that businesses can use to provide their own services.
BIZTECH: So you don’t have to invest in your own security infrastructure locally. I assume they support things like end-to-end encryption.
Pescatore: Well, they support things like firewalls-intrusion prevention, DoS prevention. And many of them do have add-on services as far as things like Secure Socket Layer encryption or end-to-end data encryption. Baking in encryption is pretty complicated, and if you can take advantage [of] a larger player already doing it, that’s a much more effective way to go.
BIZTECH: There’s been a lot of talk about the Internet of Things economy, where everything is connected and networkable. What are some of the unique security issues that the Internet of Things presents?
Pescatore: Well, again I will use the Target example as something all businesses should think about. One thing to keep in mind is that a lot of these things are going to be in your buildings, and they are going to be monitoring elevators and power systems and door locks and controlling lighting, et cetera. So number one is, be aware of where in your buildings these new Internet-connected devices might actually be extending your security perimeter.
Just like Target found out that hackers could get in through the HVAC to get access to its network, ask how the guy who maintains the elevator potentially has network access. That’s one big impact of the Internet of Things. The other is the fact that so many of these things are consumer driven, not enterprise driven. They don’t necessarily have the management capabilities that businesses expect.
So, again in SANS, last October we had a Securing the Internet the of Things summit. One consultant came in and showed a little video of how he bought up a bunch of lightbulbs that have Wi-Fi built into them. With these bulbs, a user can individually address recessed lighting in his or her ceiling by turning the lights on and off their phone over Wi-Fi.
Why would you want to do this? He said the top application was [for] you to program Facebook, so when somebody tagged your picture, it would blink your light.
If you think about it, having something like that in your building or retail store could become a way for a hacker to access your IT systems. So I would say most importantly today is to know where these types of things are becoming part of your environment, and make sure that you have them in what we at SANS call the Internet the demilitarized zone — that you have some level of protection between those things and your sensitive systems.
Again, Target learned the hard way. They hadn’t had that zone set up between their HVAC systems and the rest of the network.
