Cisco Systems Chief Security Officer John Stewart worries most about stealthy, targeted attacks -- forget those mass-mailer Trojan horses.
Some years ago Stewart was putting out large-scale fires, responding to the latest outbreak of a computer worm or virus. With advances in security systems and changing threats, the job has morphed. These days, Stewart and his team are precision fighters, working to prevent stealthy attacks that are after corporate secrets.
Stewart heads up Cisco's global IT security team, among other security-related groups. With his staff, he secures a network used by about 50,000 people, with more than 60,000 PCs and countless other network-connected devices including 50,000 voice over Internet Protocol, or VoIP, phones.
The experiences at Cisco mirror what pundits say is the daily grind for security pros in large organisations all over the world. They face criminal organisations that look to exploit security holes for financial gain. These attackers increasingly target applications instead of operating system code.
But the single biggest threat to companies, according to Stewart, is unstructured data. He sat down with ZDNet Australia sister site CNET News.com recently to explain what keeps him up at night and what the solutions to data leaks might be.
Q: What is making you want to take a vacation?
Stewart: The world has wrapped around its head [the idea] that just because there is no news, life is good. In fact, it's ironic because in a sense it was good that threats used to be a mainstream topic. It brought attention and reminded everybody that it is a considerable issue. But now, botnets are off the charts, and low and slow is the attacker's approach. Not trying to generate massive amounts of spam, massive amounts of control chain that would be signalled, means that you've got a whole new layer of aggression.
You're talking about targeted attacks that go below the radar?
Stewart: Targeted or untargeted, but below the radars. One is just obvious, clearly aimed at one organisation. The other one is just as deadly. It is the very slow, quiet one, where the infection vector probably still is traditional, but not causing a computer to display any ill characteristics immediately. It'll go quiescent for a given period of time, it will just quietly send information out, as opposed to spiking the CPU, ripping the hard drive as fast as possible and propagating as fast as possible. That's because the intent is not to be found, the intent is to get the information, but avoid detection. Frankly, the sophistication is getting significant.
That's what the pundits say. Consumers are hit by botnets, but businesses are targeted by attacks aimed at stealing trade secrets. Is that true? Are bots not a problem at Cisco?
Stewart: We've got the same problem consumers have, but we've got signalling mechanisms that can pick up control channels faster than any consumer network can. We've also got a network that will protect us, versus the free and open Internet. Corporations have a dedicated team. We've got IT professionals.
So essentially you can deal with botnets because you're better prepared.
Stewart: Absolutely.
So, you don't have a botnet problem inside Cisco?
Stewart: That's a leap I don't want to take. It is a manageable one. If a bot picks up, typically we will see it. It doesn't mean we will never get a bot, it just means that we will pick it up fast and we will shut it off. That's different in the consumer space.
If the botnets are under control, what things are worrying you? These targeted attacks? How do you deal with those, or do you find out when it's too late?
Stewart: At the moment, I'd say that there aren't enough ways to see this type of attack. The security industry has mostly given us a number of abilities to pinpoint problems, but not a correlation between them all. If you can get collaboration between disparate types of systems, then you will see the problems faster.
What also doesn't let me sleep very well is changing targets. Operating system vendors have always been the target. They are getting better and, as a result, the attackers are going after the application space. Applications are where the data is, where it's being stored, where it's being downloaded, where it's unstructured.
Are you worried about all these zero-day flaws in Office applications?
Stewart: I worry about that. I would worry about all the other third-party software that's bundled when you buy a computer. PDF flaws, the instant-messaging worms. This is an order of magnitude more complex than dealing with operating system flaws. There is also an infrastructure side of this problem, all the Web developers that have thrown application after application on the Web storing your data.