ORLANDO – Historically, the National Security Agency may be known for its low profile, but a top official from the NSA’s Central Security Service Threat Operations Center sounded a loud and clear warning that the size and growth of the cybersecurity threat landscape demands the good guys start thinking like attackers.
The threat is huge, it’s real and it’s growing, and if you’re going to defend against the threat, you need to know the threat.
Anthony A. Stramella, special assistant to the director of the NSA
In a Tuesday keynote address at the NSA Trusted Computing Conference & Exposition, Anthony A. Stramella, special assistant to the director of the NSA, explained how his organization has evolved from its origins specializing in over-the-air signal interception decades ago to an era today when one of its primary roles is to identify and counter cybersecurity threats to U.S. interests.
Stramella put forth a flurry of threat statistics and well-publicized exploit examples to illustrate not only the wide variety of business, consumer and government cybersecurity concerns the NSA tracks, but also just how great a challenge the cybersecurity industry faces in mounting an effective defense.
It’s a daunting challenge, he said, because the U.S. is among the world’s most Internet-connected nations in a world where today there are 2 billion Internet-enabled devices in existence, and growth trends suggest that in just four years that number will surpass the number of people on the planet.
Stramella noted that 40 years after the first computer virus, malware continues to increase in sophistication, as demonstrated in recent years by Koobface, Conficker and Stuxnet, to name a few. However, he said, there are more than 68,000 hacker tools available on the Internet, many of which require no special knowledge to be used effectively by an attacker.
Malware remains a high-profile threat, but Stramella cited many low-profile threats that are equally, if not more dangerous for consumers and enterprises. For instance, downloading smartphone apps has become commonplace for many iPhone and Android device users, but he noted 2010 data from mobile security vendor Lookout Inc. that found more than 80 apps in the Android Marketplace collected personal user data and uploaded it in plain text to remote servers. At least one of those apps transmitted data to China.
The lacking security in cheap or free smartphone apps shouldn’t be a surprise, Stramella noted, relaying the story of a friend of his who had a security program with his phone after downloading a 99-cent golf app.
“How much security is built into a 99-cent golf app?” Stramella asked rhetorically. “And people are using these devices for banking and everything else too.”
Hardware presents its share of challenges as well, he said, noting that the U.S. Customs and Border Protection service seized 5.6 million counterfeit computer chips between November 2007 and May 2010, many of which were intended for sensitive military uses.
Stramella touched on the false sense of security provided by passwords too. He said readily available password-cracking tools can crack an eight-character password in not much more than an hour, and more sophisticated tools can decipher a 14-character alphanumeric passphrase in less than three minutes.
“The threat is huge, it’s real and it’s growing, and if you’re going to defend against the threat, you need to know the threat,” Stramella said. “You need to think like the adversary. And that’s so important to develop countermeasures against the threat.”
That effort he said must include encouraging information security experts to take more classes to learn about emerging attack techniques, plus a formal effort among government and the private sector to develop a shared understanding of the threat landscape and the ways attacks can be mitigated quickly so coordinated action can be taken when necessary.
Attendee William Bass with Fairfax, Va.-based SRA International Inc., said he was equally concerned by all the threats Stramella covered, but in particular those that target Internet Explorer.
While he expressed confidence in his organization’s security controls, he said the presentation draws attention to the ongoing risk that an enterprise’s most sensitive data, especially Social Security numbers and customers’ personal information, must constantly be guarded from persistent attackers.