US Chamber of Commerce hack shows need for vigilance
This week’s high-profile hack of the US Chamber of Commerce underscores the inadequacy of today’s security policies and technologies. With the holidays quickly approaching and IT staffs stepping away from offices to spend time with family and friends, we face increased vulnerabilities and security threats. We should be more vigilant than ever, reflecting on national security policies and how we can better protect our sensitive data.
Stories like this continue to point to the fact that we need a broad, across-the-board approach. We need to collaborate and inform when breaches take place. We need diplomatic support to reduce the desire or economic benefit to steal. It is time to have a Y2K approach to cyber protection. That means investment and support from the top down.
The first step should be whitelisting all of the devices that could have accessed the Chambers’ servers. Access should have been restricted to known and trusted devices. The technology to establish trust in the endpoint is already there, with more than half a billion Trusted Platform Modules (TPM) security chips built into PCs. This simple step has worked for many industries to protect the viability of their networks and business models -- from Comcast to Verizon to Apple.
Waiting for IT to do the right thing is killing us. Perhaps they need regulation to prompt them into action. Perhaps they just need leadership. What’s very clear is that the economic growth of the United States in the future can’t wait for us to take steps to protect ourselves.
We are more vulnerable now than we have ever been, and the faster we dispel the illusion that cyber-attacks happen to someone else, the better off we’ll be. It’s nice to remember the way things used to be, but times have changed. Just because our parents never locked the car or the front door of the house does not mean that we can’t learn to lock the car and the front door. RSA, the leading provider of "door locks" lost the master key and still not everyone changed their locks.
This year’s resolution: "NO more passwords for remote access". Let’s make 2012 the year that every user logs into his device and the device logs the user into the network (the device can be a smartphone or a desktop). Auditors need to be our ground troops. There should be no access to manage servers, access databases where the application does not verify that a known machine is being used. Then we need to check on the list of known machines.
We have the technology. The economics make sense. But do we have the will to enact such a sweeping, yet simple, measure? Historians will label 2011 as the year when our IT security infrastructure failed us. The RSA and Sony breaches, attacks by Anonymous and LulzSec, even Wikileaks drove home to the broad marketplace that when it comes to data security, cyber-attackers can take down systems and steal data at will. We must be vigilant in the next ten days and beyond. Let’s learn from the mistakes of the past year and look forward to a safer, more secure 2012.
Steven Sprague is CEO of Wave Systems. Since taking the company's helm in 2000, Sprague has played an integral role driving the industry transition to embed stronger, hardware-based security into the PC. Sprague has guided Wave to a position of market leadership in enterprise management of self-encrypting hard drives and Trusted Platform Module security chips. His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, enterprise-wide trust management services and more. Mr. Sprague earned a BS from Cornell University in 1987.