Count Jonathan Bingham among those who weren’t all that surprised by the reputed breach of security that may have resulted in Cisco’s guarded Internet Operating System source code being pilfered and posted on the Web.
It’s not that Bingham, a former Forrester Research analyst who is now president of Intrusic, thinks Cisco has weak network security.
He knows that Cisco, Microsoft, whose Windows source code was leaked earlier this year, and Valve Software, whose Half-Life 2 video-game code was stolen before it reached market, likely have some of the best security systems and procedures in the world. But Bingham also believes the real threat to sensitive data — what he calls the corporate jewels — comes not from brute-force hacker attacks but from much more sophisticated “insider” threats.
Bingham founded Intrusic in late 2002 with his brother Justin. The venture-backed firm’s executive team also includes Peiter “Mudge” Zatko, the @Stake founder who also has consulted with the Clinton and Bush administrations on cyber-security issues.
In an interview with the E-Commerce Times, Bingham discussed how insider threats can go undetected in even the best-guarded networks, why these types of attacks almost never make headlines and how his company aims to fill this gap in network security.
E-Commerce Times: A lot of people are asking how Cisco could have fallen victim to a successful hack that resulted in its code being stolen. Does this call its security into question?
Jonathan Bingham: Not at all. Cisco probably has the best network security on the planet. It’s a common misconception that these are smash-and-grab jobs. This probably wasn’t someone using a known exploit to gain entry to a system. That’s how unsophisticated attacks work. These are sophisticated attackers who take the time to work their way in and then establish themselves on the inside of a network. The actual event of the stealing of the code may have only taken a few seconds, but the entire episode probably took a long time.
ECT: How do hackers become insiders who are able to move around and manipulate such a secure network?
Bingham: This attack probably begins with a hack on a local ISP. ISPs have to have much more open systems than a corporation.
From there, the hacker may have gotten a list of users with VPNs (virtual private networks). A single scan could return a list of 4,000 users who fit that profile. And then he could go to work finding ones that had a secure connection to Cisco.
Now, he’s on the inside as a trusted user. He would then go about establishing residency, which he can do by connecting through Port 80 on a firewall (typically left open so a network’s users can access the Web). To a network administrator, it looks like someone is surfing online, but in reality, they’re connected to a server controlled by the hacker. That connection then enables a period of reconnaissance — getting to know the layout of the network. From there, he now has a way in and a way to get out any information available, including the corporate jewels like the code in Cisco’s case.
ECT: Why can’t most intrusion detection products detect this kind of behavior?
Bingham: The intruder is basically a trusted user as far as the network is concerned. He didn’t try to crash through the firewall. He has certain accesses and can interface with the network.
Back when I was at Forrester, the recommendation was to have managed service providers handle this internal issue as part of their security work for a company. But the problem is scale. One company reported more than a million spots in the network activity log each month that were suspicious, most of which were probably false positives.
ECT: What is Intrusic’s approach, and how is it different?
Bingham: We use what we call the physics of networks to recognize when unusual activity is taking place. Our knowledge of networks allows us to establish the same physical layout for all of them. We don’t even need a baseline of data. We could come in today and immediately tell you if there was suspicious activity.
Right now, Cisco’s big problem — aside from the egg on their face — is that they don’t know how much of their network was compromised. It’s like coming home and knowing a burglar was in your house, but you can’t be sure what they did or what else they might have taken. They’re going to have to spend a lot of time and money combing every inch of their systems. That’s not a small job. We would be able to tell them immediately where the intruder had likely been and what they did while they were in there.
ECT: Is this something all companies need or only those with sensitive corporate information or intellectual property?
Bingham: Every company has something it wants to protect. For a tech company, it’s intellectual property. In financial services, it’s personal and financial data. In healthcare, it’s private information that’s protected by regulation. We worked with a security consultant who told us about an incident at a hospital. Someone went in and changed 100 lab results, swapping positive and negative results in cancer patients. Some patients were actually starting chemotherapy based in part on that information.
There are sick people out there, and there’s no telling what they might do. Certainly, when a company touts its security, as Cisco did with its unbreakable networks campaign, that’s like waving a flag to invite hackers.
ECT: It seems like brute-force attacks on networks get a lot of attention, but these insider incidents largely fly under the radar.
Bingham: People only report them when they have to. In Cisco’s case, the code was possibly posted on the Web, so they were forced to acknowledge it may have happened. They couldn’t ignore it. It’s a huge public-relations nightmare for a company. A while back, Egghead.com had to come out and tell everybody that its database of credit card numbers was compromised. But it couldn’t determine to what extent. It had to admit it might be millions of numbers, even though in the end it turned out to be just a couple of thousand. Otherwise, if people don’t have to report these breaches, they’re not going to.