SANTA BARBARA, Calif. The next time you find a USB memory stick in a parking lot or outside your house, think twice before plugging it in: It could cost you your intellectual property or personal identity.
That was the startling alert put out by Adriel Desautels, chief technology officer at anti-hacking specialist firm NetraGard at the annual Green Hills Software Technology Summit here.
Security is a major theme of the summit, coming as it does on the heels of the announcement last month that Green Hills' Integrity OS got the world's highest security certification, having reached EAL6+. That security certification could not come at a better time, given the rising incidence of malicious attacks on government and corporate networks, according to Dan O'Dowd, Green Hills' chief executive officer.
Trying not to be too alarmist, while still ringing the bell, O'Dowd used his opening discussion at the conference to list a series of recent attacks, from the shutting down of Estonia's government, the infiltration of the White House's network, and attacks on the Dept. of Defense's networks, to the hacking of president elect Obama's cellphone records and passport files.
"This is just the tip of the iceberg," he said, pointing out that for $25,000 a dedicated, professional hacker can be hired in Russia or China, with zero chance of that hacker being traced.
While Integrity can easily secure against many of the 'attack vectors' Desautels described in his discussion, such as email, web sites, bot nets, anti-virus flaws, and externally facing network services, physical attacks such as the USB stick as well as 'social engineering' attacks can be particularly hard to prevent.
In the USB ruse, a cookie or malicious executable is transferred from the stick to the host system and then removed from the stick before any trace of it is detected by the user. It is one of Desautels' favorite methods for breaking into a client's network to evaluate their security system. In social engineering, he applies psychology to extract sensitive information from employees that will allow him to get ready access to the network.
While these two techniques are favorites for Desautels, they're also favorites for dedicated hackers intent on penetrating a network and may seem to stand a good chance of circumventing the safeguards set up by Integrity.
Not so, according to Michael Liako, senior vice president of Integrity Global Security, a newly formed company set up to bring the OS to enterprise and government networks.
According to Liako, Integrity can quickly detect intruders and mitigate any damage they may cause. Also, in the case of highly secure data, he pointed to the common use of two or three people to provide authorized access, thereby reducing the impact of one single person's foibles.
Pushing the security string
Though the threats cyber attacks and cyber terrorism loom large, according to Mauricio Sanchez, chief security architect for Hewlett-Packard's ProCurve Networking group, companies are still reluctant to put hard money on the table to ensure security. This may make the sale and deployment of Integrity, especially in an economic downturn, somewhat akin to pushing a string.
Liako acknowledged the conundrum, but took pains to underscore the costs of not ensuring adequate security. In addition, he pointed to the large sums companies are paying in security insurance. His plan of attack for 2009 is to talk to insurance companies and possibly get a discount for companies that use Integrity. "That will clearly benefit their bottom line," he said.