Cybersecurity is a Team Sport, CIA’s Sherrill Nicely Tells FDU/IEEE Symposium
[This fall was an extraordinarily busy one for the New Jersey tech scene, and NJTechWeekly.com was overwhelmed by the amount of reporting required for all the events that were going on. As the holidays approach and the event season winds down, we’ll be presenting our coverage of some of those happenings. Here is the first of two stories about the third annual symposium on Law Enforcement and Cyber Defense at Fairleigh Dickinson.]
On Sept. 30, about 100 stakeholders in the cybersecurity field gathered at The Mansion, on Fairleigh Dickinson’s Florham campus, to learn more about law enforcement and cyber defense. The event was cosponsored by the North Jersey Chapter of the Institute of Electrical and Electronics Engineers (IEEE) Computer Society.
NJTechWeekly.com stopped by for two presentations, one by Sherrill Nicely, chief information security officer at the Central Intelligence Agency (CIA), and another by David Weinstein, deputy director and cybersecurity advisor at the New Jersey Office of Homeland Security and Preparedness.
Nicely told the attendees that cybersecurity was no longer purely a matter of prevention. Companies and governments have to know what they are going to do when someone hits them “because they are going to get in. … Anybody who believes that they have enough cyber defense in place to keep the attackers out forever is fooling themselves.” The odds are stacked against the defenders. For one thing, attackers can operate 24/7, and “the Chinese are awake when we are asleep.”
The greatest problem from a defender’s perspective is human error, she said. Most of the big government breaches you’ve heard about recently originated when someone thought a particular email was important. They’d open the attachment and follow the link, and that’s when the attack begins.
Nicely explained that one of the easiest ploys used by attackers was an email telling people to click on a link to pick up a fax that was waiting for them. Viruses spread through networks because the administrators don’t lock down the permissions for various systems, she said. The information security group at the CIA works very closely with the systems administrators who set the permissions and access codes, she added later.
She mentioned the Office of Personnel Management breach, in which 31 million records had been stolen. “I heard today on the news that my own agency is recalling personnel from China” because a possible reason for stealing the records was to learn the names of CIA staff stationed there.
“Everything that anybody puts in to get a clearance, to get cleared by the government” for employment, was in those records, including information on arrests, drug histories, contacts, and foreign friends, according to Nicely.
“At our agency we are very, very focused on the two sides of cyber offense and defense,” she said. When working with systems administrators, Nicely’s group doesn’t operate their systems or networks. Instead, it just monitors them, so her group must work very closely with those who do operate them.
“I like to tell my management that cybersecurity is a team sport,” she added.
“What we found most effective is training our defenders … using offensive techniques to think like an attacker, to go after our own systems the same way an attacker would.” That involves “making sure that the group stays current on technology to ensure that we understand what a firewall switch does, and where it is connected and where the network extends, what’s on the network, what’s not supposed to be on the network … making sure we understand the access controls that are on the system.”
Genuine attackers do the same thing, but in reverse. “Attackers perform recon on the network. They try to understand what is operating and what versions of systems you are running, and where there might be security holes.” They also look at configurations and figure out how to exploit the links. Nicely said that attackers want to know all this before they start, because once they do start, if you detect them, you’ll have a better chance of stopping them.
When it comes to uncovering system vulnerabilities, the CIA has an easier time than many agencies that are trying to operate under the radar. It can ask for all the configurations that are out there and work closely with the systems administrators, “who could be working side by side with my ‘attacker’ as they try to go into their system. … We are actually teaching them how to better defend while we are attacking them.”
Activity monitoring goes a long way towards keeping systems safe, she added. The CIA “attackers” try to do something invasive. Then they ask the systems administrators if they had detected these moves. They show the administrators screenshots, keyboard recordings and other evidence so the administrators can see what these invasions look like. With this training, the administrators will be better able to spot incursions, she said.
[A story on David Weinstein’s presentation follows tomorrow.]