April OWASP – The New Face of Cybercrime

I attended the Fortify sponsored event and showing of The New Face of Cybercrime during Tuesday’s OWASP event at the Blue Ash Citi offices. Major Bruce C. Jenkins, (USAF, Ret.), Security Practice Director at Fortify Software, led the introduction and discussion on the education and awareness of security requirements facing today’s enterprise.

The film focused on the evolution of the attack mechanisms regularly used as well as the motives of attackers. Where a hacker 7 years ago might be driven by the publicity surrounding an attack, hacker motives over time have evolved, and the collection of personal information that leads to its use in other crime has moved to the forefront of motive. So where a criminal at one time might have publicized a successful attack, now an attacker’s goal is to cover the tracks of a successful breach in order to leech all possible value and information before a hole is identified and closed. And where front-line and perimeter security, in terms of firewalls and intrusion detection systems, have been the norm, the current proliferation of web applications means that exploits that take advantage of insecure code parade right on through the firewall as if nothing happened. The code is now not the next line of defense, but the first line of defense. And the IT community must accept the cultural shift and change its practices to defeat attacks at their source – the code level.

The film featured the JC Penney CEO, Myron Ullman, opining that the minute an organization believes the network is impenetrable is the minute it will be hacked. Ullman provided candid and honest feedback about the risks his enterprise faces. And that was a refreshing change.

Then the discussion moved to the breaches at TJX and some of the issues that enterprises face when a CEO’s first responsibility lies with shareholder profit, and that in the face of an American public that feels no sense of responsibility and can litigate at will. Only a short time after TJX’s $150M breaches the company experienced some of its most profitable quarters ever. Hmmmm.

Then there are the issues facing Cincinnati locally. I spoke with Wayne Browning and Marco Morana afterwards about some of the personnel issues we face. Wayne, a Citigroup VP and Director responsible for Information Security and Internet Management, talked about the need to find strong security talent, and that they’ve gone as far as they can to find these folks in Cincinnati. The needs locally are two-fold: first, to grow information security skill sets in our home town, and second, to convince talented individuals that Cincinnati is a great place to be – and not to be from. Some of the questions we need to answer for ourselves – and I’ve mentioned them before – are how we can make Cincinnati a place that people can relocate to and tell their friends about with a straight face. The remote workforce solves this problem to some extent. Still, since team continuity is so key to strong implementation of security, bringing people together remains an important aspect of team-building, which means distributed teams only go so far.

Bruce recommended Howard and Lipner’s The Security Development Lifecycle as a good read about the security process.

The venue was packed, and Fortify catered in one heck of a spread including some amazing desserts…that I couldn’t eat due to food allergies. They even provided soda, popcorn, and candy for the film 🙂 I had an opportunity to talk with John Knuckles, one of Luxottica’s security folks. We chatted about his work with the CSO and some of our mutual relationships at the Fine Arts Fund. Dan Nusbaum and I found some common ground in our love for cycling. Dan’s currently training for a 1/2 marathon. Sean Darragh, Ascendum’s security practice manager, introduced himself. It sounds like Ascendum has a pretty comprehensive offering where security plays a part. All in all it was a solid evening.

Andy

~ by Andy on April 24, 2008.