Cybercrime and threat management
Date: May 20, 2009
It's no secret that cybercrime is an ever-growing issue for today's security professionals, but what roles and responsibilities need to change as a result of the glut in illicit cyber activity? In this video, Bill Boni, VP of information security and technology at Motorola, discusses the changing landscape of cybercrime, and how to react to it.
About the speaker:
Bill Boni is one of the leading information risk management practitioners based in the USA, with broad experience in all aspects of creating, sustaining and transforming protection organizations.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact firstname.lastname@example.org.
Cybercrime and threat management
Mike Mimoso: Hi, I am Mike Mimoso, Editor of 'Information
Today I am going to be talking about cybercrime and threat management
with Bill Boni, Corporate Vice President of Information Technology and
Security at Motorola. Thanks for joining me today, Bill.
Bill Boni: It is a pleasure to be here, Mike.
Mike Mimoso: What concerns you most today about the state of cybercrime?
Bill Boni: The biggest concern I have is just that the personnel, security
practitioners, organizations, aren't really yet paying attention to
this the way I think they need to. There has been a lot of
the last five years. We have done a good job in a lot of our
information security responsibilities. This is a new challenge that is
going to require new ways of thinking about our roles,
responsibilities, and changes to how we operate if we are going to
be effective in confronting this challenge.
Mike Mimoso: What are some of those new ways of thinking about cybercrime that you
are talking about?
Bill Boni: I think most important is the absence of disruption or visible attack
does not indicate that you are, in fact, secure. During the bad days
of the mid '90s and through the early 2000s, we had a lot of high
profile cyber attacks involving viruses and worms, very disruptive.
They impacted the availability of IT systems, and everyone understood
there was a problem, and the problem was confronted. We went out and
put patching systems in, intrusion detection prevention systems,
updated our antivirus and the problem has now been solved, or so it
might seem. The fact that we are not seeing that kind of disruption
does not really indicate that we are secure; it just means the attack
vectors have changed. There is a lot more attention now by the
attackers on remaining stealthy, undetected and coming in below the
radar. Practitioners that do not pay attention to that development, I
think are operating in a false sense of security.
Mike Mimoso: Does the stealthy nature of today's cyber attacks put more emphasis
on technology countermeasures or on people and process
Bill Boni: I think there needs to be equal measure amongst those three because
exclusive focus on technology countermeasures runs the risk of being
ineffective whenever people get tricked into doing things they should
not. The whole phishing phenomenon has been very ineffective in some
areas but is becoming increasingly more sophisticated and subversive,
tricks people, and the fact that a person with, perhaps
administrative privilege on their accounts goes to a website, thinks
they are doing something appropriate and legitimate, but while that
link is clicked then a very targeted malware download takes place in
the background. Now, the security of that system has been compromised
and a beachhead established inside the perimeter that might be
exploited by the people that actually put that payload in place.
Mike Mimoso: How does cybercrime change your mission as a security practitioner?
Bill Boni: I think to be effective in dealing with the risks that cybercrimes
bring to all organizations that use the internet and in the 21st
Century, that is basically every organization, whether it is in the
private sector, governmental, or an academic institution, our global
society is increasingly leveraging the global internet. What we have
to understand is, the threat can come from both outside or inside. The
perimeter defense, although still a necessary part of our safeguards,
is no longer sufficient. We have to be informing ourselves through
every means available, whether that is publicly available information
through publications like security magazines, official information
sources, such as governmental agencies or institutions, or through
sharing information with colleagues and counterparts within industry
or within information sharing institutions. We've got to use every means
available to educate ourselves as to what is going on, how the attacks
are being propagated, and what countermeasures are effective and
Mike Mimoso: Can you assess the state of information sharing as compared to a
couple of years ago?
Bill Boni: I think information sharing among the security practitioners is
getting better. I think there is an emerging understanding and
consensus that it is not only OK to talk with my counterparts in other
organizations, but it is an absolute necessity if I am going to be
effective. I think there is still a lot of work that needs to be done
within the governmental sectors to make it a two-way flow of
information. Some organizations are getting better at pushing, on a
timely basis, information into the hands of the private sector and
academic research practitioners, but I think a lot more work needs to
be done as part of our critical infrastructure protection. I think the
government, the Federal and the State Governments, are going to be
doing that work over the next few years because they are going to have
to in order to be effective in confronting these challenges.
Mike Mimoso: How does cybercrime influence what you do around risk assessment and
your risk management strategies?
Bill Boni: What we do is we use the insight that we gain through the study,
research, and communication we obtain from both official and non-
official sources to help us target our efforts onto the areas where we
think we are most at risk. Increasingly, we are focusing as much on
understanding the motives and the methods used by the computer criminals
as we are the technologies and techniques that are used, so that it
will help us better assess where else we might be at risk and try our
best to, if not get ahead, at least not be too far behind the emerging
threat as it is actually being experienced.
Mike Mimoso: How are threats compounded by a distributed workforce?
Bill Boni: A couple things. First, in a global organization, the workforce is
going to be distributed through many countries. Part of the challenge
there is that the policies and processes that might be well
communicated, well understood in the primary countries of origin or
the principal areas of operation, are less well understood and less
well embraced in other parts of the organization, so additional effort
has got to be made to translate the documentation and the process and
policy documentation into local languages and communicated in a way
that the local staff really can take ownership of their part of the
protection program. It is also important to understand that work
processes have to change in order to accommodate the flexibility that
mobility enables, but that we have to have ways of verifying the state
and condition, particularly of devices and authenticating identities
of individuals, so that the right people are, in fact, getting access,
and we are not making it easier for unauthorized personnel, perhaps
people that have a relationship in some fashion with the company but
are not authorized for that particular information, we got to make
sure they cannot get to it. Therefore, a lot of effort being spent on
architectural efforts to compartmentalize the environment, partition
off the information, prioritize the applications that have data that
is of great concern to the company and being very rigorous about how
we allow, manage, and monitor access to those platforms.
Mike Mimoso: How about the legal question here around cybercrime? With so many
elements organized outside of the US, there are many legal
complications to pursuing cyber criminals. Do enterprises have any
Bill Boni: Officially, there are parts of the United States government that are
at the disposal of the citizenry, that includes companies and
organizations that find themselves attacked. The challenge is that it
is sometimes difficult and always slow, and therefore, the best thing
to do, from an organizational perspective, is to prevent the problem
as much as you can. But then be very well informed as to whom to work with
when something needs to be done. For example, in major urban areas
there are electronic crimes task forces that are composed of law
enforcement, federal, state, and local practitioners from that side of
society, who are experts in how to process and take action. It is
great to have an informal relationship with folks in that community
before you ever need it, and then be able to get timely advice and
assistance if you ever do have to exercise.
At the end of the day, I would advise that people need to understand
that successful prosecutions are possible. We have had cases over the
years where people have been brought to justice outside the US through
the collaborative efforts of both the organizations that were working
to bring them to justice and the law enforcement community. Recently,
one of the major hackers in Romania, who had been thumbing his nose at
the US and law enforcement globally for a number of years, was
arrested and is facing trial. I know some of the folks who are
involved with that, and I am very happy for them, that they were
successful in that effort. It was not easy, it took diligence and
persistence, but it has paid off, and a major threat to particular
segments has been eliminated.
Mike Mimoso: With more outsourcing happening today, how big are the
vulnerabilities introduced by these relationships?
Bill Boni: I think that we need to look at both sides of this particular issue.
I think there is perhaps an unwarranted sense that the people that are
regular employees inside the perimeter of the organization are all
trustworthy and potentially that all people that are outsiders that
work has been sourced to are untrustworthy. I do not think that's
necessarily a valid way to parse this issue. I think the challenge
really becomes on having very well designed processes for systems
development or for help desk support and controls over what the people
can do, whether they are inside the company as regular staff or
whether they are sourced. It is important to pay attention to the
details and follow up and monitor. Again, because geography can make
it more difficult to do that, I think perhaps sometimes there is less
energy spent on really planning or following up to make sure things
are working the way they are supposed to. My sense is that well-run
organizations, whether they are in North America or elsewhere in the
world, will provide quality service, but they have to be held to that
standard of service. Part of our job as practitioners in security is
to make sure the right measurements and monitoring is part of that
Mike Mimoso: What kind of provisions can be introduced into contract language to
counteract some of these threats?
Bill Boni: I think it's important to have a good set of terms and conditions
that are part of the legal contract itself, that specifies things like
the right to audit and inspect, as being part of the relationship. If
there are specific control requirements, individual accountability for
account access, termination of account access within a prescribed
period of time after an individual leaves the employment of the
offshore or outsourced company, following up to make sure that those
things are being done through regular audits and inspections.
The practice of taking a look at each individual relationship as it is
being proposed, what the activity will be, then trying to tailor
additional or supplemental controls beyond that baseline set to be
responsive to the type of data that the individuals are going to have
access to. It may be possible to put additional logging and auditing
tools into platforms for facilities to provide a high degree of
accountability for any action, and training awareness of the personnel
that are involved to make sure they understand that these are the
expectations and that they will be held accountable for those
Mike Mimoso: Excellent. Thank you for joining me, Bill.
Bill Boni: It's a pleasure.
Mike Mimoso: For more information on cybercrime and threat management, go to