Cybercontrol demands intelligence


Brian Kelly is in the alarm business. The retired Air Force lieutenant colonel joined iDefense Inc. of Chantilly, Va., as president and chief operating officer early last year, in the midst of a spurt of Internet mischief involving the notorious Code Red and Nimda worms.

The Sept. 11 terrorist attacks brought new demands for cyberintelligence as well as a new emphasis on studying the modus operandi of what Kelly calls 'the threat actor' who is responsible for terrorism. iDefense over the years has written more than 14,000 intelligence reports on information security.

Kelly formerly was president and COO of Newbrook Technologies, which merged with iMask Inc. of Chantilly, Va. Before that, he headed the e-business security practice at Deloitte & Touche LLP and was vice president of operations at Trident Data Systems before its acquisition by Veridian Corp. of Arlington, Va.

He has bachelor's and master's degrees in business administration from Rensselaer Polytechnic Institute.

GCN chief technology editor Susan M. Menke interviewed Kelly.

GCN: The Defense Department is nervous about wireless devices and networks. What do you think DOD should do?

KELLY: Wireless is a powerful technology that clearly has uses in the public and private sectors. To just abandon it is too serious an action. DOD should think carefully about how to architect and deploy wireless networks. There are techniques to provide layers of security.

The typical problem we see with wireless is a lack of understanding. There are things you can do. But if you employ wireless right out of the box without enabling any of the safeguards, you do put your organization at risk. The bottom line is, think long and hard about how to use wireless and secure it. It can be done.

GCN: What about handheld computers and cell phones?

KELLY: The situation's very similar. Unless you think about the security implications, you're asking for trouble. We can deploy adequate levels of security today, and security is going to get better as time goes on. The industry is working hard on it.

GCN: What do you expect in the way of widespread cyberattacks against U.S. networks?

KELLY: We're on the watch. Attacks today can be deployed with fairly elementary knowledge.

In years past, launching a sophisticated attack required a sophisticated attacker. Now it's fairly easy to download various exploits and participate in distributed denial-of-service attacks without having much understanding of how the exploit tool works.

In time, the threat from these attacks is going to increase because of the ease of use and the proliferation of exploits.

GCN: What are government network administrators not doing that they should be doing?

KELLY: It's hard to pinpoint without day-to-day insight. But all organizations are going to have to pay attention to what they're trying to protect. There aren't enough hours and resources to protect everything. An organization has to prioritize what's most important.

Second, you need to understand the current exposures of the asset and take steps to remediate the exposures. There's a lot of public- and private-sector activity to gain good, technical vulnerability information and to deploy vendor patches and operational workarounds for adequate, baseline security.

The third piece, I would say, is active monitoring of emerging threats. Those three pieces are the fundamental components of a risk management model. Risk is a function of your assets, threats to those assets and exposure of those assets.

GCN: Are any federal organizations doing an especially good job of risk management?

KELLY: I would have trouble singling anyone out. There are pockets across all agencies that are doing things well and others that need to improve.

The one case that comes to mind is the Health and Human Services Department. I've seen HHS and its Centers for Disease Control and Prevention thinking aggressively about risk management, about emerging threats and steps to stay ahead of them in a preventive way, as opposed to waiting to detect a threat and then remediating after the fact.

GCN: You've said you see cyberattacks and physical attacks converging. How would that happen?

KELLY: We no longer have the luxury of separating physical security, personnel security and cybersecurity. They're inextricably combined.

We're seeing the traditional activists (those who engage in sit-ins and spray painting) start to coordinate their activities online.

The next step in this progression is that they become cyberactivists. Then they become hacktivists, and their deeds are more malicious: denial-of-service attacks, destruction of data, theft of IT.

Things that were once physical threats now seem to have a cyberdimension. Terrorists want to disrupt, degrade and destroy critical infrastructures. They don't have to blow up a dam with explosives if they can take over control of the floodgates from several thousand miles away.

The consequences of those attacks are alarming. We haven't seen direct evidence of an actual attack of a critical infrastructure, but we've already witnessed some of the consequences. Look at the last year's malicious code experiences. Take, for example, Code Red. The damage estimates were in excess of $2 billion.

That's a good case study where intelligence paid off for us. Clients were warned with ample time to protect their systems. If you remember back in June 2001, Microsoft Corp. released a notice about a buffer overflow vulnerability. Our intelligence analysts looked at the context. It's a fairly simple vulnerability to develop an exploit for, although there was no evidence one existed at the time.

The vulnerability affected Microsoft Internet Information Server, which is deployed worldwide. Our analysts that same day said it had the potential to be a serious problem. We issued what we call a critical flash the next day. Over the course of June and early July, we issued several more intelligence reports with information about remediation possibilities and where to get patches and so forth.

Around July 18, the Code Red worm was detected. By July 20, more than 250,000 servers were affected around the world.

GCN: Do you provide support if a client is infiltrated?

KELLY: Everything we do is focused around cybersecurity intelligence.

We do have a laboratory function that does independent verification and validation of the exploits and of the vendor-recommended patches.

We also respond to specific requests from clients, public and private, if they have an issue they need additional intelligence on.

Post-Sept. 11, we responded to a number of special requests in areas where the government needed additional coverage. There are linguists on the staff. We can go to Russian and other foreign sites that might be difficult for others to take a look at.

GCN: How do you approach a government job: go on site, try to break in or what?

KELLY: No, that's more of a service offering. Ours is really a decision-support system, a fairly sophisticated knowledge management system where the clients specifically configure their intelligence needs. We develop about 20 or 25 intelligence reports per day. Those that meet the requirements of a client are pushed out to the client.

It's conceivable that no two clients receive the same daily intelligence report. One client might be focused on nontechnical, geopolitical issues. At the other end of the spectrum, another individual might be interested only in technical vulnerability information for a particular operating system (Linux, for example). He can configure his intelligence feed to receive only that type of data, no more, no less.

It's the decision-maker who determines what those needs are. We facilitate the decision support, provide the content and make the system easy to use. If something that meets their criterion arises during the day, we'll alert them by e-mail push, wireless devices or phone calls to the office or home. The e-mail pushes the summary of the intelligence report, and they click on that to see the full report.

The key to intelligence is to understand the threat actor: the motivation, the capabilities, the types of access. By looking at a threat actor over time, you get a better understanding of their modus operandi.

What's more

Family: Wife, Cindy; daughters Jennifer, 19, Michelle, 17, and Amanda, 15

Pet: Dog, Haley

Car currently driving: Acura Legend

Last book read: Ghost Soldiers by Hampton Sides

Last movie seen: 'Black Hawk Down'

Leisure activity: Skiing

Brian Kelly, iDefense risk manager