By Mary Frost
Brooklyn Daily Eagle
One of the top minds in cyber security says that the Internet is getting to be a scary place.
Internet crime is on the rise and businesses and individuals need to move fast to protect their financial and intellectual property, said Marcus Sachs, VP of National Security Policy for Verizon, speaking at a special lecture on cyber security held Thursday at Polytechnic Institute of New York University (NYU-Poly), noted for excellence in the cyber security area.
Computer crime is no longer the province of amateur hackers and students out to prove their tech cred. The criminal community has discovered that the Internet is the place to go — because, as bank robber Willie Sutton famously said, “That’s where the money is.”
Unfortunately, Sachs says, the rate of innovation by organized cyber criminals is faster than the rate of innovation by those who fight them. A recent Government Accountability Office analysis indicates cyber crime reported by federal agencies alone jumped 680 percent since 2006.
So Sachs, along with a panel of top-level experts gathered for the event — “Cyberspace Allies: How Public/Private Partnerships Can Fight Back” — called for increasing collaboration between the government and businesses.
“There will always be some cyber risk,” he said. “Trying to bring the risk to zero will not work. But we can manage avoidable risk.”
Joining Sachs were cyber security heavy hitters Edward Amoroso, Chief Security Officer at AT&T; William Pelgrin, President and CEO, Center for Internet Security; and Paul Mahon, Assistant Special Agent in Charge of the New York Field Office of the U.S. Secret Service.
Cyber risks are increasing for everybody, from the home user to giant corporations like Microsoft, Sachs said.
The source code for software programs like Windows and Office is available in China and Russia, and up to ten percent of the global supply chain is fake, including military hardware and software. You can easily find phony Cisco interface cards, iPhones and computer CPUs available for sale on sites like eBay and Amazon — and no one knows which of these knockoffs hold hidden computer viruses.
“Even some USB keys in packages are already infected,” he said.
The Internet is a “Large Technical System” that acts chaotically, Sachs said. But the rigid hierarchical structures of government and large corporations aren’t flexible enough to deal with chaos. Instead, organizations have to organize themselves more chaotically.
“Embrace the idea of ad hoc emergence of groups that come together, solve a problem and then go away,” he said. “Failure is normal, so prepare for it. Complex systems fail. The power grid may collapse. Are we prepared for it?”
He urged that business and government agencies share what they know with each other. “The Secret Service picks your brain then goes away. Without a collaborative approach that’s both flexible and highly responsive, we will remain at risk.”
Cyber crime trends
Mobile security is going to be the next headache, said AT&T’s Edward Amoroso. “You push LAN traffic to the Internet, put in firewalls and intrusion protection, then everybody walks in with Android and they dance all around that stuff. Then IPv6 makes everything addressable over 4G networks, so what’s the point of a perimeter any more?”
Another worry, Amoroso said, is the vaunted "cloud."
“Everybody runs to it, but it’s not always clear where the data goes,” Amoroso said.
Center for Internet Security’s William Pelgrin said that the human factor looms large in Internet security. “We all do stupid things.” He cited studies showing that humans do indeed do the darndest things. “When a boss told his employees in an email that an attachment was malicious, 20 percent clicked on it anyway.”
In another experiment, a message popped up on people’s computer screens saying, “Click here to get your computer infected now.” 429 people clicked on it, Pelgrin said.
Pelgrin also urged greater collaboration between the public and private sectors. “In the past when we shared information with the government, we didn’t get it back.” But that’s starting to change, he said. He talked about a small case, initially thought to be worth about $30,000, that led to the discovery of a 19-state Internet scam. “Five FTP servers were collecting information so fast they had to empty the servers on a daily basis. Without information sharing, we never would have known.”
The Secret Service’s Paul Mahon said that since 9/11 the agency has a mandate to reach out to the public and private sectors.
“Corporations worry about their brand. We will keep the information as private as you want to keep it,” he said. “Whether addressing a persistent threat or a criminal on the Cayman Islands, we’ll work the case.”
Moderator Nasir Memon, director of NYU-Poly’s Information Systems and Internet Security Lab, asked the panel what role academia played in cyber security.
“Innovation is the answer,” said AT&T’s Amoroso. “The adversaries are innovative. We don’t innovate in security. We’re held back in many cases by compliance. We need exponential innovation.”
Professor Memon told the Brooklyn Eagle after the discussion, “We have many challenges ahead of us, and information sharing is important. We need to get our act together. We have to share to do better than the bad guys.”
NYU-Poly presented the lecture — the first in a series — in collaboration with the Alfred P. Sloan Foundation. Robert Ubell, vice president of enterprise learning at NYU-Poly, chaired the event.