Ranum: Be Serious about Cybersecurity
Part II of an Interview with Marcus Ranum
- The conflict between banks and businesses over "What's reasonable security?"
- Healthcare organizations' greatest security challenges;
- The government's role in ensuring cybersecurity.
See part one of this interview for insights on today's biggest security threats to businesses and consumers.
Ranum, since the late 1980s, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Welcome to part two of my exclusive interview with Marcus Ranum, CSO of Tenable Network Security. In this part we talk about specific threats to banking institutions, healthcare organizations and government agencies. Let's return now to my conversation with Marcus Ranum.
On another topic entirely, one of the biggest stories this year in financial services has been the ACH fraud and the legal issues that have come up because of it. We have got businesses and banks that have squared off over the question of "reasonable security." In your opinion, who has got the greater responsibility here, is it the business or the bank?
MARCUS RANUM: This is a huge problem, and this is something that I first started talking about how this was going to play itself out as soon as people started talking about electronic commerce. The issue really is that the endpoints that people are using are just simply not good enough. It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.
So my guess at what is going to happen with this is that the banks and the merchants are going to argue back and forth, and in the cases where the banks are able to use their superior financial leverage, the merchants will just get an updated terms of service -- "Here you go, and by the way, if you have a problem keeping your password secure, then too bad." In situations where the merchants are able to drive enough business, then they will be able to put some controls in there.
Of course, the obvious answer to all of this stuff has always been to use some kind of two-factor authentication, and it has been offered over and over again on the commercial side, and on the consumer side with things like the PIN Pad cards that were available for Ebay and for some of the online stock trading companies. And the consumers just haven't taken it up because, "oh gosh, it's oh so inconvenient."
Well, what I think is going to wind up happening is that people are going to realize that waking up one morning and finding that their bank balance is $200,000 or $300,000 smaller is "oh so much more inconvenient."
That balance is going to start to swing back a little bit the other way. I was involved in a case last year where I talked to a gentleman who had his stock account accessed as part of a pump and dump scheme, and as it all turned out he had gone with the low cost provider because he didn't like the trading costs of the larger providers that indemnify the user against that kind of thing. Basically, he cost himself a couple hundred thousand dollars in order to save $9.95.
FIELD: Unfortunately that's happening more often than we can even keep track of.
RANUM: It's a huge problem, and I think what happens with these kinds of things is that once they become a big enough drag on the economy, then they become something that people are aware of, and then people will be a little bit cooler about it.
It's kind of funny because people of my parents' generation -- not that I am calling my parents dummies or anything like that -- they are very smart people, but they didn't grow up in a regime where you had to have passwords and you had to control them. Try getting a kid's password for their World of Warcraft account out of them -- they are growing up with a strong understanding of access control simply because it is the environment that they are growing up in.
So it is possible that some of this is going to be a generational issue that is going to make itself better, but in order to go in the right direction we are going to have to do something about the endpoint security.
My guess there is that eventually you will get some kind of certified software through the Apple Store or something like that that's available for iPad, and maybe you will have some banks saying "We will only hold good transactions that came through our approved software supply chain from an approved end device ..." or something like that. I could see how that sort of thing would happen, and honestly, if I had enough money online that that kind of thing mattered, I wouldn't hesitate to make the investment in a decent technology that would allow me to trade securely without being at additional risk.
FIELD: Marcus, shifting gears again, healthcare organizations are paying more attention to security now because they are mandated to. Where do you see them facing their biggest challenges?
RANUM: Their biggest challenge is going to be the doctors. You know the doctors are tremendously powerful from a political standpoint inside of a hospital because they are the goose that lays the golden eggs. You talk to doctors, and they basically say, you know, "Information security -- I will only do it when you force me to." That's really the kind of dialogue that is playing itself out now: the industry is being told that you guys have to be a little bit smarter about this.
But doctors have a very interesting argument that they are always able to make when someone talks about controlling information flow. They paint this picture of you being wheeled in comatose and needing your medical records and all of this kind of nonsense, and you know, it's completely fictional, of course, if you think about it because most of the time when you go to the hospital, it's not an emergency, and you have got plenty of time to have all of your ducks lined up in a row and so forth before you go in there.
I think most people probably wouldn't have a problem with carrying their own medical records in some sort of a medium, but the other piece of that, too, is that most users, most medical users rightly don't really care a whole lot. I mean, I would publish my medical records on the internet; I really don't care. There is nothing in them that would embarrass me, and if there was I probably wouldn't care, and I would still publish it because who cares?
The place where it is going to get interesting for Medicare is when the bad guys start figuring out how to monetize patient records. There is a little bit of that starting to go on now where insurance fraud is being perpetrated using stolen information from medical records.
That's going to wake people up. I think that the medical industry has gotten away with being pretty shoddy about keeping its records for a long time, simply because credit cards have been such a bigger target, and other access rights have been a bigger target, so who needs medical records if you can get somebody's online stock trading account information? So I think the bad guys have been ignoring medical informatics just because it's not that interesting, and that could change.
FIELD: Now we've got a government, a federal administration that is avowed to cybersecurity. Where do you see the federal government's role in ensuring that we are better off -- that we are more secure a year from now online than we are today?
RANUM: The obvious thing that the federal government needs to do is to actually practice what it preaches, which is to say if somebody or a federal agency is being expected to keep its information secure, then they need to actually do it.
I think it has been pretty disappointing to see that when they put in the FISMA guidelines, a lot of organizations were just cheerfully getting D's and C's and F's and so forth for quite a long time. I think you need to start holding management accountable for security breaches in the federal government, and it's kind of a joke that nobody ever got fired from the government for incompetence, but that's kind of how it seems to be in federal IT anyway.
I think probably the best thing to do, if some changes were going to be made in the right direction, is to start holding people accountable for breaches just like they are in the private sector. If you are the CIO of a private sector company and your customer database leaks out because you ordered a hole punched in the firewall, so that you could play some online game or get to Twitter or whatever, you are not going to be working there pretty quickly. Whereas in the federal government, if you have made a hole in the firewall so that you could play some game, you know it will get closed for a week or two weeks, and then it will get turned back on quietly when the media spotlight has moved into a different direction.
I think the federal government has serious, serious issues because they have adopted the internet, but I don't think they really understand the implications of what it means to connect trusted and important civil operations to an untrusted, completely chaotic network. That kind of really hasn't been internalized, and I think it is nice to see that the Obama Administration is talking about cybersecurity, but what really concerns me is the way that they are talking about it, especially with a lot of this yellow peril stuff that they have been talking about with attacks from China and all this kind of thing. I am really afraid that it may be that there is less cybersecurity going on and just more "Let's just hype this thing so that we can get our budgets boosted," and I don't think that is going to help very much.
FIELD: Well, do you foresee any significant talk turning into action from the administration or is it just going to move onto other topics?
RANUM: I think it is going to just continue to be an ongoing pressure. The administration is doing pretty much what they all do, which is saying we are taking cybersecurity seriously this time, and we have been hearing a litany of that for the last 15 years out of Washington. I think what is going on is that the hope is there is going to be a constant drumbeat of "We are taking it seriously now; I'm seriously serious this time," and if we hear enough of that, maybe we will start taking it seriously.
Because the other side is, well, what else are you going to do? I mean you can't really just go and say "Well, let's stop all forward motion, all programs and reassess them and reassess whether there is data leakage potentials and national security threats and this that and the other." I just don't see that happening.
Unfortunately, I think that cybersecurity and probably all governments are just going to be business as usual for a very long time.
FIELD: Well, Marcus, we have touched upon a lot. We have talked about malware, and we've talked about fraud and policy. If you could give just a piece of advice to our audience today in what they could do to ensure their own security, what would you advise them?
RANUM: Well, I guess my favorite thing is: I have two bank accounts, one in which I keep my actual money and the other in which I keep a small amount of money, and I use that for all of my online stuff. My other account is all locked up, so that basically I have to walk into the branch office in person and sign things in front of somebody who knows me in order to do anything with any of my real money. Not that it is a tremendously large amount of money, but it's all I've got, so I try to protect it, and honestly I have been pretty dismayed at how casual people are with their money. They are going to be the first ones crying for a government bailout when somebody tells them "Whoops, because of the cybersecurity problem, your bank account just isn't there." So be serious about that -- that's the first piece of advice I could give.
FIELD: Marcus, as always I appreciate your time and your insight. Thanks so much for spending some time with me.
RANUM: Well, thanks for having me, it was delightful.
FIELD: We have been talking with Marcus Ranum, CSO with Tenable Network Security. For Information Security Media Group, I'm Tom Field. Thank you very much.