Business cyberthreats require continuous security updates
The cloud has defeated the “blue screen of death,” but companies are constantly taxed with updating security software and finding new ways to combat cyberthreats.
A group of technology professionals discussed the threats they face and how they avoid them at a recent roundtable discussion hosted by The Daily Transcript.
“The key is that when you think about cybersecurity, the number of threats and the threat vectors are increasing significantly from all directions,” said Tim Caulfield, CEO of American Internet Services, which sponsored the roundtable.
The biggest attack is exfiltration of data, said Jerry Goodwin, vice president of network systems at ViaSat (Nasdaq: VSAT).
“It shifted maybe three or four years ago. Instead of someone coming in and messing around — what used to happen is your computer would break, it would ‘blue screen’ and you would go, ‘Oh, I just got a virus.’ This almost never happens now,” Goodwin said.
Instead, suddenly there’s data streaming out to an unknown address. These spear-phishing attacks tend to happen when someone clicks on something they shouldn’t and it opens a port and path to push data out, which Goodwin said he thinks is the most common threat now.
“One of the big trends that’s happened is the loss of data — the blue screens don’t happen anymore,” said Tom Tuchscher, director of information technology infrastructure, systems and operations at National University.
“The loss of data is becoming much less of an issue,” he said. “It’s so easy to replicate data many times over and the storage is so inexpensive, so you lose a system and you just bring up another one and it’s still there.”
For Mark McWilliams, the CEO of Medipacs Inc., security can be a life or death situation. Medipacs is developing a “revolutionary drug delivery system” that uses a wearable infusion pump to deliver drugs to a patient.
Fritz Hesse, vice president of operations for Mitek Systems (Nasdaq: MITK), said customers are asking companies to be proactive and not reactive. But the catalyst for change is often a catastrophe. McWilliams described an insulin pump that was hacked.
“Insulin pumps deliver a drug that can kill you in minutes. So what happens if the data channel gets breached, and someone is sitting across the room with a device that can command your pump to dump a dose and it could kill you?” McWilliams said.
“It took a catastrophe,” he said. “It took people breaking into these systems and demonstrating how easy it was for people to even start thinking about it. … It clearly shows no one was even thinking about that in the design process. That’s remarkable.”
The design process should include the consideration of all of the hazards and threat vectors, McWilliams said. It’s difficult to do security effectively afterwards and that’s part of the problem, Goodwin said.
“With a medical device, it’s a company killer if you don’t get it right the first time, because you won’t have a second chance. It’ll cost too much to go back through the [Food and Drug Administration],” McWilliams said.
David Gell, chief technology officer at Cygnus Broadband, said the cybersecurity and threat competition is like a game of cat and mouse.
“There has been and probably always will be a cat-and-mouse-type game between the attackers and those trying to protect their information and systems,” Gell said.
“Technology grows increasingly more complex — we’re all part of that,” Gell said. “How are we able to continue to secure those? Are we bringing the security technology along with the advances in performances and costs and fun factor and whatever else we’re bringing? Is security coming along at the same pace? It’s not entirely clear that it always is.”
Often designers focus on the feature set they want to deliver and not the things they want to prevent from happening, McWilliams said.
“You learn a lot from failure. So as you fail, you get better at anticipating and figuring out what you need to do,” Goodwin said.
Goodwin said there has to be balance because a network can be locked down so no one can get in, but then nothing can be done. The cloud is a shift in how people are buying technology, and the infrastructure still has to exist, Caulfield said.
One client works with first-run movies, which are stored in Caulfield’s data center before release. That client is concerned with physical security, so the data center has double entry and is locked down. The client also is concerned with logical security — what the firewalls look like, Caulfield said. Other clients choose flexibility over more protection.
The range of threats still includes a hacker who’s trying to get in for frivolous reasons, and Caulfield said there are threats from people who are not necessarily trying to do damage but are just seeing if they can get in and what information is available.
“Every company’s IP is important. If that can be privately exported without you ever knowing it, your pocket is being picked,” Caulfield said.
He mentioned a meeting with the chief information officer of a defense contractor. “They are under constant daily attack. … People are putting code on his system that wakes up weeks, months, years in the future to do things. It’s a sitting time bomb. They have to work at protecting all of that information. … In his mind, he’s fighting a war on a daily basis against people who are trying to get into his systems.”
As companies move to mobile applications and cloud-based applications, Hesse said the investment in information security is that much more important.
“You have to hire a head of information security as a full-time role. And we’re a small company, and most small companies just have to put that additional dollar in. If they don’t, the risk is so great. It’s all about risk management and that’s the cost of doing business now,” Hesse said.
Mitek Systems specializes in mobile imaging through photo capture, including depositing a check through a smartphone. Its customers need to trust that the application is well protected, and Hesse said the company puts a lot of focus on protecting the technology, business, shareholders, customers and customers’ customers.
Magda Remillard, director of operations at Arynga Inc., faces a similar challenge in protecting her company’s technology. Arynga developed a way to update and upgrade a vehicle’s “infotainment” unit and the individual electronic control units that manage different operations of the vehicle.
“So what we’re able to do is resume and restart these downloads, and roll them back totally seamlessly, totally secure so there’s no interruption of service,” Remillard said. “And of course it’s secure so no one can hack into your car. If your phone is hacked [you think], ‘Oh well, too bad, get a new phone.’ But with your car, you’re a little more sensitive about that.”
Reid Carr, president of Red Door Interactive, said it’s important to understand “what you have that other people want.”
The threats also create opportunities for entrepreneurs to create something new that goes beyond the security of today, Caulfield said. He and Carr are on the board of CyberHive, a technology incubator to help these kinds of companies to get off the ground and get funding.
Despite the challenges, the group said the benefits outweigh the constant effort.
“The alternative is to lock down everything and have no business,” Goodwin said.
Reid Carr, President, Red Door Interactive
Tim Caulfield, CEO, American Internet Services (sponsor)
David Gell, Chief Technology Officer, Cygnus Broadband
Jerry Goodwin, Vice President of Networks Systems, ViaSat
Fritz Hesse, Vice President of Operations, Mitek Systems
Mark McWilliams, CEO, Medipacs Inc.
Magda Remillard, Director of Operations, Arynga Inc.
Tom Tuchscher, Director of IT Infrastructure, Systems & Operations, National University