Security Central: Candidates “Address” Cybersecurity in First Presidential Debate, The Yahoo Hacking Saga Continues

This week’s Security Central picks apart the responses made by candidates Clinton and Trump regarding cybersecurity during the first presidential debate, dives back into the Yahoo hacking debacle and uncovers new information discovered in the alleged cyberattack on the US Democratic National Committee.

Monday was the first presidential debate, kicking off the series of three leading up to the election in November. The election, my fellow Americans, that is just a little over a month away. I’ll let that sink in for a moment…

For 90 minutes, both candidates volleyed back and forth on some of the big issues facing our country, trading insults and pained facial expressions throughout. One of the segments of the debate, entitled “securing America,” addressed the issue of cybersecurity, a worryingly under-addressed issue in the race thus far. The question brought up the astonishing number of institutions under cyber-attack in today’s world. Channel partners peddling cybersecurity solutions have been trying to find a way to stop (or, more realistically, recover from) business cyber-attacks for years. Government, it seems, is just now starting to realize the severity of the cyberthreat it’s facing. Typical.  

The candidates were asked two things - “who is behind it?” and “how do we fight it?” The answers given by Clinton and Trump varied greatly, but they did agree on one thing: cybersecurity and cyberwarfare will be one of the biggest challenges facing the next president. We spoke with several industry experts after the debate to get their read on the matter and their take on the candidates’ responses. The answers we got back make it abundantly clear that whoever becomes the next POTUS certainly has their work cut out for them, not only to mitigate the risk, but to educate themselves on the true nature of the threat. This isn’t a war you can win by having the biggest guns or the loudest roar. And in the view of many experts we spoke with, it’s going to take a level of cooperation with the private sector (read: channel) that’s rarely seen.

“Both presidential candidates are absolutely correct that cybersecurity and cyberwar are going to be the biggest challenges facing the future candidate of the United States of America,” Joseph Carson, CISSP at Thycotic, told The VAR Guy. “These challenges will come from all aspects whether it is cyber criminals, nation states or cyber terrorism. The economic impact will be enormous and therefore it must be the highest priority for both candidates to get this right. However, it did not appear that either [candidate] had a concrete plan to address the issue other than the United States should have superior ability to defend against such attacks.”

This seems to be a disturbing sub-trend going on in discussions about our nation’s security among the highest levels of government, the almost “you can’t touch us” attitude when it comes to our country’s cyberdefense abilities. We all know what happens to the character in movies and TV shows who gets a little too big for his britches. In this case, it’s a pretty scary mentality and narrow view when you consider the entire security puzzle. The “ability to defend,” while certainly crucial, is only one of the pieces.

“We are fortunate in the United States that we have access to the greatest technology in the world for both cyberdefense and cyberwarfare,” said Ron Heinz, managing partner, SignalPeak Ventures. “We have the technology, this is a management and execution issue.”

Heinz stresses the fact that voters need to decide on a candidate who has an all-encompassing cybersecurity plan, the person who will create that “ongoing sense of urgency and oversight.” Lief Morin, president of Key Information Systems, has similar views and shared his thoughts on what this grand, holistic plan should look like.

“Our defenses have to work 100 percent of the time, but the attackers only have to be successful once,” stated Morin. “The government should create a comprehensive plan that includes, amongst many other things, the protection of government institutions and critical infrastructure (even garbage collection is critical), the proactive analysis of appropriate data and supporting actions to prevent cyberattacks in all of their forms, and lastly, the robust and sustained educational efforts to develop and/or recruit new talent to support those plans.”

Therein lies a huge opportunity for the channel. We’re moving into an age when nearly every aspect of society will be connected and, therefore, vulnerable. As the Internet of Things moves from theory to reality, the number of endpoints that will need to be secured is staggering to comprehend. If you’re a reseller or service provider hooking people’s lives and businesses up to the interwebs, you should be emphasizing the critical nature of security and recovery, too.

The constant threat of cyber-attacks on our nation is not just an issue we can no longer ignore, it’s one that demands serious and intelligent action that covers all facets of security - from point A to point Z. Experts such as Carson, Heinz and Morin have been warning of these dangers and touting the dire need for comprehensive cybersecurity plans - both at the national and enterprise levels - for some time now. Take this as your cue, candidates.

In an almost too-perfect segue, we now turn our attention to Russia and the hackers responsible for the alleged cyber-attacks on the DNC. This story involves a tattooed 26-year-old named Vladimir M. Fomenko, his server rental company and the F.B.I. The plot thickens…

On Tuesday, The New York Times reported that Mr. Fomenko was recently discovered as the owner of a server rental company called King Servers that reportedly hosted six of the eight IP addresses used in the attacks on and exposures of Democratic National Committee (DNC) emails. According to the Times, Fomenko was recently identified by American cybersecurity company ThreatConnect as “the manager of an ‘information nexus’ that was used by hackers suspected of working for Russian state security in cyberattacks on democratic processes in several countries, including Germany, Turkey and Ukraine, as well as the United States.”

To add to the already-intriguing plot, Fomenko has proved to be somewhat of a confusing blend of cooperation and slyness in dealings with authorities. He seems eager and willing to offer up critical information and work with the F.B.I. on the case, but the details he has offered thus far have been vague and veiled with a side of coy.

“If the F.B.I. asks, we are ready to supply the I.P. addresses, the logs (internet protocols which identify a specific web page or device),” Fomenko said. “But nobody is asking. That is a big question.”

If that’s true, then somebody better start requesting the info from this guy because we’ve all seen how difficult it is to navigate the impossible waters of international cybersecurity. I offer for your consideration the recent verdict handed down by the Second Circuit Court of Appeals in U.S. vs. Microsoft, ruling that the U.S. had no right to go after information stored on servers outside the country. If our government can’t even get information from a U.S.-based company because their servers are in Ireland, how in the world will they make any headway in this or any other international case?

In this instance, we have Fomenko, a Russian national living in Siberia, who allegedly ran cyber-attacks on Germany, Turkey and Ukraine, as well as our own great nation, then stored the information on servers in the Netherlands and possibly other locations. Security researchers and experts have said that the hackers who used Mr. Fomenko’s server were “looking to manipulate multiple countries’ democratic processes.” Talk about a compliance nightmare. Whoever wins the election in November is going to need their own trusted advisor to help them figure all that out.

Russian officials have of course been quick to deny any involvement in the hacking, but nobody is buying it, especially considering an interview earlier this month in which President Vladimir Putin boldly asked Bloomberg, “Does it even matter who hacked this data?,” implying that the information leaked and the revealing story it told were more important than the source. “The content was given to the public,” he added.

Oh, Putin. The world just wouldn’t be the same without your terrifying lack of concern with the opinion of...well, anyone.

To close out the week and continue our theme of threats from nation-states, new-ish developments on the Yahoo hack-pocalypse have surfaced. The New York Times published an article on Wednesday comparing the security strategies of Yahoo and Google after a breach by Chinese military hackers that occurred six years ago. The story is a revealing and rather scathing one - the technology version of Goofus and Gallant.

When the attacks happened six years ago, Google co-founder Sergey Brin sprang into action and responded by making security a “top corporate priority.” The company hired hundreds of security engineers, invested hundreds of millions of dollars in security infrastructure and adopted the internal motto, “Never again,” a vow that it would never again allow anyone to penetrate Google customers’ accounts.

On the flipside, Yahoo was slower to buckle down and invest in the same kinds of defenses. At the time, there were quite a few competing priorities in terms of new product developments and user capabilities, so security improvements fell by the wayside. When it came to security demands and costs, other parts of the business butted heads with Yahoo’s security team. Security concerns were viewed as an inconvenience and were often overridden. It even went as far as the security team being dubbed the “Paranoids.”

Obviously, Yahoo’s lack of action and irresponsible path had pretty dreadful consequences, resulting in a series of embarrassing security failures over the last four years - the most recent being the most epic. Perhaps now Verizon can turn Yahoo into a “Gallant” and become an advocate for integrated, complete "turn-key" solutions and comprehensive security tactics and plans. The solutions are essential; the implementation, training and education aspects are vital. Guys, it’s time.