While almost everyone in modern industry has heard and thought about cyberattacks, breaches, data compromises and defenses, cyber warfare pre-dates the modern computing era. As far back as 1976, when I started my first job in astrodynamics working on Air Force satellites, security was an important consideration–decades before the Internet and our powerful computing devices.
By Michael Miora, SVP & CISO, Korn Ferry
The security story I want to share begins in the late 1970s. As a young UC Berkeley graduate, my attention was on mathematics and getting a job! I never imagined that I would focus on security for the next few decades. I never envisioned myself as a critical decision maker, whose actions would affect the course and success of a multi-billion-dollar, global enterprise.
Understanding this security story will help us all be better at identifying what needs to be protected and how we need to define and design our protections.
With a background in mathematics, I opted to study Satellite Orbit Calculation and Manipulation during my first job. However, my attention was quickly captured by the need to protect the information assets of the 70s against our adversary, the then-Soviet Union.
Today, it is obvious that we need to encrypt the large amount of data coming from satellites and going to ground-based receivers. In the 1970s though, such encryption and protection was beyond the capabilities of the small and low-powered satellite computers. Therefore, we needed to solve this problem using innovations that would use the capabilities we had at our disposal.
Scientists in the early satellite industry designed a process of commutation and de-commutation of data; this was an accidental security design. By having each bit of a downstream represent specific information known only to the receiving equipment, we had a de facto secret required to understand the data.
The Major Transformation
In November 1988, we experienced the first major, though ostensibly unintentional, attack on the ARPANET, the predecessor to the Internet. It was the “The Morris Worm,” which exploited known vulnerabilities very similar to those that still plague us today, including weak passwords, lack of filtering, and trusting outside networks without controls.
At the time, I was working for a major defense contractor that was affected by this worm. We formed a rudimentary team to study the attack and plan how to respond to the future attacks we already knew were going to come. Today, we call this a Security Incident Response Plan!
By the end of the eighties, I gathered all the experiences that I gained from my satellite and defense work to launch InfoSec Labs, one of the pioneering security consulting firms that focused on helping major financial, healthcare, and manufacturing companies protect themselves. I thereby entered an environment where my advice needed to be presented and then sold to clients as reasonable and justifiable actions. We all know how difficult it is to convince top management to spend money on intangible rewards and returns. It was challenging but rewarding to provide advice, help implement that advice, and then witness the result.
We built InfoSec Labs from the ground up without external funding because the Venture Capital firms had not yet fully grasped the importance of security or the role it would play in the coming years.
The Holy Grail: Anti-Virus
“I Love You!” Sound familiar? For those who were using email and Microsoft Word in 2000, you probably know the impact of this virus. This was one of the first major and wildly successful attacks in the history of computing, with far reaching effects that dwarfed the Morris Worm. It was very innovative because it was the first use of embedded macros in a trusted program, perverted to malicious use, and it embodied all the “features” of our modern viruses.
It was at this time that I was approached by some well-established security companies. The reputation of my company and my team attracted their attention, and my firm eventually was acquired by Rainbow Technologies, a major, publicly traded security company.
There were already anti-virus programs and systems available, but this helped spur quicker and more widespread implementation of these protections across industries and companies worldwide. The evolution of anti-virus quickened and increased in its sophistication. So did the attackers.
Over the coming years, there were many and varied attacks, ever increasing in their sophistication. Even last year, in 2018, we saw new forms of attacks that recognized the improving protections and worked to circumvent them. Some of those used normal-looking software that launched and encrypted systems (“ransomware”). Others used stealth methods that did not use files to attack and take over systems; still others used other advanced techniques.
Today the original anti-virus has transformed into anti-malware and Endpoint Detection and Response (EDR) which include sophistication unimaginable even a few years ago, with storage of data and interactions requiring terabytes of storage. Cloud strategies along with global regulations and compliance requirements have made us smarter and caused us to work harder. We all know that compliance does not drive security, but smart security achieves compliance and protects us against the attackers.
Are We There Yet?
In 2017 and 2018, every U.S. voter was compromised. Every Hong Kong voter was compromised. Over the past two years, every U.S. adult has had their credentials and credit information compromised (300 million last year). The European Banking Commission has mandated that all banking compromises in EU be reported to them immediately. Twenty-five percent of all Australian companies were compromised last year.
The attackers work just as hard as we do, sometimes with significantly greater flexibility and resources. Often, these resources and protections are provided by nation states that provide immunity from capture and prosecution. It is our job to coordinate better with each other, to share information and to jointly find newer and better ways to protect ourselves. Let’s not be bashful in telling our vendors what we want and suggesting collaboration and cooperation among competitors and complementary products.
I do that with some success. Though the vendors don’t always follow the advice, their attention shifts to include that thinking.
The Goal of Availability
There is a creative tension between meeting security requirements and achieving business goals. Security is not just technical security; it means working securely and with recognition of required operational security considerations. Business goals require a significant dedication to customer service, translated to keeping systems and applications up and running nearly all the time.
The problem is that keeping systems and services always-on may cause the perceived need for availability to overwhelm the confidentiality and integrity required of systems, thereby compromising security. The resolution is to build business requirements to be compatible with security needs. Business needs should be defined in concert with security goals so that, as the business needs grow, security can grow with them.
The fabric of companies is changing to embrace digital marketing, sales, management, human resources, and operations at every level. This is the much-discussed digital transformation. Our business partners in every aspect of business link with us so we share our business DNA, and the very core of our functions with each other. But we also share our weaknesses. Therefore, our security transformations must include our core synergies and our central business nervous systems so that cooperation and alliances increase our strength rather than compromise our corporate immune systems.
The Next Challenge
Our security journey must continue by more closely integrating security with business objectives. We must learn to speak the language of business, and not expect senior executives to learn the language of security.
According to Harvard Business School: “Leadership is about making others better as a result of your presence and making sure that impact lasts in your absence.”
What we do to help the industry and the profession grow, and do better, will be our legacy.
Disclaimer: The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.