I recently spoke with Lou Modano, Chief Information Security Officer of NASDAQ, and asked him what his greatest fears are right now when it comes to keeping NASDAQ cyber-safe. Of course, there are many threats facing NASDAQ - from criminals to hacktivists to nation states - and the stock exchange obviously has an army of highly skilled information-security professionals, intensive information-security-related training, and a robust information-security technological infrastructure, so my question went beyond the usual technological and human issues and instead focused on which risks are hardest to correct even with significant cybersecurity resources. As such, CISO Modano's observations provide insight into the big-picture problems that businesses, cybersecurity professionals, and policymakers should be thinking about.
Modano told me that his two greatest concerns are:
1. The speed at which vulnerabilities are exploited to create cyber-weapons.
It is no secret that, in recent years, hackers have become much more adept at creating cyberweapons to exploit vulnerabilities, and that the time between the disclosure of a particular vulnerability and the creation of a weapon that exploits it has dramatically decreased. When vulnerabilities are found in software, the software makers typically issue patches - that is, fixes that can be downloaded and installed either automatically or manually. Modano pointed out, however, that because the time between the issuance of a patch and the appearance of weapons that exploit the associated vulnerability in unpatched systems is going down, organizations wishing to stay secure often have far less time to deploy patches than they used to. Because a formal change management process, including the testing of patches, is needed to ensure that patches do not interfere with system functions or otherwise have adverse side effects, organizations face a growing risk of either being unable to fully deploy patches before hackers start attacking unpatched systems or of deploying inadequately tested patches. While businesses can work to make their patching and change management processes extremely efficient, even doing so does not fully solve the problem - especially when vulnerabilities are announced before patches are available, in which case criminals often create cyber-weapons that exploit the vulnerabilities even before the associated patches are released by vendors. We may see an example of this in the near term if Wikileaks decides to publish details of CIA cyberweapons before the associated vulnerabilities are fixed by vendors and folks have had adequate time to test and install the fixes; such an occurrence could force security-conscious organizations to temporarily disable various online services.
Lesson: Make sure you have an efficient process for obtaining, testing, and deploying security fixes, and be aware of when you may be at risk even with such a process in place.
2. How does the information-security team know what it does not know?
As Sun Tzu pointed out thousands of years ago, it is much easier to defend against attacks when you know your enemy and its tactics. While security professionals do attempt to monitor hacker communication channels for indications of brewing attacks and exploits, one of the greatest problems that defenders face is that hackers are, by definition, one step ahead. Security pros face challenges in gathering enough intelligence about what threats are coming - sometimes there are warnings from chatter or from information shared on social media, but sometimes defenders know nothing about a powerful attack before it is launched. Modano pointed out that industry groups and other methods of exchanging information do help, as one organization that detects something anomalous or hostile can share its findings with others both to warn them and to see whether others have observed similar potential threats. Even firms that compete for business often recognize that when it comes to information security it is in their common interest to share information about threats that they discover - after all, if a criminal or nation state breaches one of the firms, he/she/it is likely to launch similar attacks against the others. At the same time, however, as Modano noted to me, there is a lack of standardization across federal and state regulators on matters related to privacy, information sharing, breach notification, and other areas of security; this lack of uniformity complicates knowledge sharing, as not all businesses are subject to the same rules and requirements.
Lesson for us all: Make sure you obtain as much relevant intelligence as you can about threats to your business and personal information systems. Industry groups and information-security venues can be one good source of such knowledge.
For insights from other experts who attended the recent NASDAQ - National Cybersecurity Alliance Summit in New York, please see my article 6 Insights From Experts At The NASDAQ-NCSA CyberSecurity Summit.