Combating cyber threats
Insiders visit UD to share insights at cybersecurity conference
9:27 a.m., June 3, 2015--Today over 15 billion devices are connected to the Internet; in the next five years, that number will grow to 50 billion. With each new device presenting an opportunity to be infiltrated and compromised by hackers, it’s easy to understand why the importance of cybersecurity continues to skyrocket.
So explained keynote speaker Elizabeth Petrie, director of strategic intelligence analysis for Citigroup, who kicked off a one-day conference at the University of Delaware on cybersecurity issues impacting the global financial industry.
From graduates, faculty
The SWIFT Institute partnered with UD’s Cybersecurity Initiative (UDCSI), Alfred Lerner College of Business and Economics and College of Engineering to host the conference, which Petrie called a step toward better industry communication about cybersecurity.
Collaborative conferences like these are critical, she said, because attackers “could go after your major competitor today, but they’re simply going to pivot and come after you tomorrow if you have the same vulnerabilities.”
During her presentation Petrie set the stage for the conference’s discussions, describing the current landscape of cyber threats and the evolution of hackers over time, including nation-state actors, cyber criminals, cyber terrorists and hacktivists like Anonymous.
These groups have shifted from what Petrie calls “hacking for fun” to “hacking for profit,” to now “hacking for destruction.”
As businesses continue to digitize their records, she continued, increasing amounts of data are also at risk.
From recent high-profile hacks of corporations like Sony Pictures and Target to hacks of small businesses’ unencrypted records, Petrie explained that the costs of such attacks in the U.S. total over $113 billion, and could grow to $3 trillion in the next five years.
“What that means for some corporations is that if they are not appropriately postured in cybersecurity, they could potentially go out of business,” she said.
“But there is good news: There’s a lot that we can do about this,” she continued, walking the audience through an “anatomy of attack” and corresponding responses.
Tools available for businesses discussed both by Petrie and by other presenters throughout the day include data protection, vulnerability assessment, incident management and more. Petrie discussed businesses that hire hackers to find vulnerabilities in their systems, and others who run simulated hacks to practice their response.
She said that another promising tool lies in the growing field of big data, which allows professionals to utilize data to proactively examine the threat stream.
She added that the financial services industry must be a leader because their services “are truly at the heart of all business that is being done,” making them a “highly valued target.”
Petrie also emphasized the importance of securing not just a company’s computers, but the employees working behind the computers as well. Insider threats – both unintentional and malicious – make up a sizable percentage of the threats that companies face.
Conference panelists, including cybersecurity experts from a variety of businesses, governmental and academic institutions including the FBI, Deloitte, IBM, Barclays, AT&T and others, shared their opinions on similar issues.
The panel discussions were conducted under the Chatham House Rule, which is designed to encourage open discussion by allowing those in attendance to share information without commentary being specifically attributed to individuals.
“Cybersecurity is not a technology problem; it’s a people problem,” said one panelist of insider threats.
The panelist explained that employees “may become disgruntled, upset, annoyed at their employers, annoyed with life.”
“That may lead them down a road that they never intended when they first joined an organization,” the panelist continued.
Another panelist explained that companies are beginning to utilize big data to identify employees who could present a security risk. The panelist calls these at-risk employees “falling stars.”
“A falling star is someone who is no longer getting tasks or information being pulled from seniors, so their position is being diminished in some way,” the panelist said. Falling stars also are, he noted, “not as active in communication with their peers, and the flow down of information to subordinates cools off, while communication patterns outside of the organization begin to grow.”
This is one way, the panelist said, that companies can implement preexisting in-house data to improve cybersecurity.
Panelists also provided practical advice to conference attendees seeking to stay ahead of the curve in what participant Craig Young, chief technology officer at the SWIFT Institute called, “an arms race between hackers and financial institutions.”
One panelist recommended the use of control frameworks, which allow IT auditors to assess various areas of company performance to determine strengths and weakness. Auditors can then recommend dozens of best practices to improve weak areas.
Another participant said that the most effective programs are those that bring an “organic art” to the problem, involving collaborations between IT professionals and employees with deep understanding of the company’s business, culture and networks.
In a session that focused on cybersecurity tools, the panelists agreed that one of the major obstacles facing the industry is the tools used to monitor and analyze the data don’t “speak a common language” and don’t work well together.
Another noted that “security noise is the biggest problem we have,” explaining that a system can produce “hundreds of thousands of alerts per day,” of which only a few are important and worth notice.
All also agreed that cybersecurity tools could be made stronger by standardization of information across systems coupled with simple training and education. It was stated that phishing – an illegal attempt to gain sensitive information online, often for malicious purposes – accounts for 80 percent of cyberattacks and could be reduced dramatically just by making users aware of how to safely navigate the Internet.
Chairing the conference was Starnes Walker, founding director of the UDCSI and former chief technology officer for the U.S. Navy's U.S. Fleet Cyber Command, director of research at the U.S. Department of Homeland Security and technical/executive director at the Office of Naval Research.
“The University of Delaware has the advantage of being located in the corporate capital of America and halfway between the commercial capital of New York City and the military and intelligence capital of Washington, D.C.,” Walker said.
“As such, UD’s Cybersecurity Initiative is uniquely positioned to be a bridge between our nation’s best experts from government, industry and academia.”
“Cybersecurity is not the next big industry; it is the industry,” Petrie said during her keynote speech. “We are all in it today, actively working together to figure out how to mitigate the threats that are coming at us each and every day.”
Article by Deborah Blanchard and Sunny Rosen
Photos by Kathy F. Atkinson, Doug Baker and Wenbo Fan