Cyber security: Is the threat overblown?

Monday, April 30, 2012
By: David L.

The news has been filled lately with calls of urgency regarding Cyber Security (or the lack of it) within both private industry and government/military.

At a recent conference, FBI director Robert Mueller said: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again,” “Maintaining a code of silence will not serve us in the long run.”

Certainly, there is an element of marketing involved in articles and speeches, but the threat really is urgent – probably more urgent than most private corporations would like to know.

Whether you agree with CISPA or not, you should at least skim over the actual bill rather than make decisions based on news analysis. Here’s the link: Thomas official docs CISPA H.R. 3523

We at Thunderpaw have been discussing the private sector and what we’ve seen as some very serious problems with Cyber Security.

Unfortunately, few private companies take IT seriously, let alone security and cyber security. But who can blame them? There’s no fiscal reason to protect privacy – no repercussions that can’t be glossed over with marketing doublespeak. An MBA typically only cares about the short-term bottom line, which rarely allows for doing things because it’s the “right thing to do.” This mindset needs to change in corporate America, now.

Not only are your corporate assets and Intellectual Property (IP) valuable, they’re worth protecting. The intern or kid who “knows” computers isn’t going to be able to effectively protect your assets.

Yes, it’s tempting to just throw up your arms and give up. But that is not the American Way (trademark, pat. pend.)! We thrive on adaptation. Take a good, hard look at your corporate structure. Do you even have an Information Security Officer? Someone whose duties involve protecting your physical and non-physical assets? Do you have procedures in place to protect laptops that your sales folks wander the world with? Are they encrypted? Do your employees click on email links and infect your corporate network with remote control malware? Does your “safe” disposal of old systems and laptops involve hiring “some guy” to come pick them up?

Security is a continuous process, not a single purchase item. We at Thunderpaw, or one of the corporations we have teaming agreements with, can certainly assist most corporations with establishing decent security. The DoD and federal government want to assist private industry as well, and there are numerous documents which are free and designed to help.

Finally, we at Thunderpaw do not have an official or unofficial position on CISPA. We deal with many corporate systems which have been compromised, along with preventing such occurrences in the first place. No matter what happens with CISPA, it won’t change the fact that more companies are in the first category and fewer are in the second. People and corporations need to take an active role. If you have questions or need help, give us a call or send an email.

The threat is real. The next step is up to you.

-David L.
Maryland, DC, Northern Virginia

Sources and links:
NSA/CSS has numerous publicly available fact sheets and recommendations:
NSA/CSS Fact Sheets

Library of Congress- Thomas: H.R. 3523 CISPA
H.R. 3523

CNN: FBI Director: Cybercrime will eclipse terrorism:
FBI Director on Cybercrime

CNN: New cybersecurity reality: Attackers are winning
New cybersecurity reality: Attackers are winning

Defense Systems: US’ intellectual capital is easy prey
US’ intellectual capital is easy prey

Darkreading: Nissan Hack
Nissan Hack

Additional articles (5/12/12)
Hackers get into University of Maine, again. Credit cards and Social Security numbers stolen

Additional information sources

5/29/2012
InformationWeek: Data Breach costs Massachusetts Hospital $750K. InformationWeek article: hospital settles lawsuit after losing 473 unencrypted backup tapes containing personal information, including Social Security numbers and medical diagnoses, of 800,000 people.

5/30/2012
Campustechnology: U Nebraska Breach Could Hit 654,000 Student Records. A cyber attack against an Oracle PeopleSoft system has resulted in the theft of banking information for up to 30,000 people, in addition to other records for up to 650,000.