Interview: Chris Camejo, Director of Assessment Services for NTT Com Security
Chris Camejo, Director of Assessment Services for NTT Com Security (formerly Integralis), comes from a technical assessment background, having personally coordinated and conducted numerous large-scale, multi-discipline penetration tests spanning multiple countries for global clients.
As part of NTT Com Security's threat intelligence capabilities, he follows the latest tactics and techniques of attackers. He has presented on this topic at the Computerworld Security Summit and to the United States Secret Service San Francisco Electronic Crimes Task Force, and has assisted in research for a presentation at Black Hat Briefings. Chris has been working with NTT Com Security since 2001.
1. What specific duties do you perform as director of assessment services for NTT Com Security?
I don't get to "get my hands dirty" in the field hacking into networks much anymore, but I provide a degree of strategic oversight to the teams conducting vulnerability assessment, penetration testing, compliance assessments, and risk assessments. I will also still get involved in the delivery of key penetration testing and PCI compliance projects to make sure we are addressing the client's needs in light of the threats they face.
Beyond that, I spend most of my time talking to our clients about their security needs in order to help them understand the threats they face and what they can do about them. Sometimes this involves recommending certain services or scoping out technologies to address specific security gaps while in other cases we help them tighten up their policies and processes to make more effective use of what they already have.
As part of all that I have to stay on top of the latest threats, so I start off every morning by checking news feeds and mailing lists to find out what new vulnerabilities have been discovered, who has been breached, and how it happened. When something important comes up I will send this information around within NTT Com Security so our sales staff knows what issues they should make their clients aware of and so our consultants can help their clients address those threats.
I also conduct webinars, write articles, and present at security conferences where my topic usually involves breaking down the sometimes incredibly technical details of vulnerabilities and breaches into something more suitable for the executives and managers who have to deal with security but don't live and breathe it every day. I figure that helping educate the decision-makers about the threats that they would otherwise be oblivious to is my little contribution to make the Internet a bit safer than it would otherwise be.
2. You have personally had a hand in organizing and running a number of large-scale penetration tests spanning multiple countries for global clients. Considering the cyber security threats that seem to be lurking around every corner, would you say that companies are more or less aware of the threats they face?
General awareness that there are threats is definitely increasing thanks to the recent high profile retail breaches, but unfortunately most organizations still don't have an understanding of who the threat actors are, what their motivations are, and how they operate. This can lead to organizations having major blind spots in their information security programs.
Most people outside the security industry think of breaches in terms of stolen credit cards or social security numbers that are useful for financial fraud. There is also a growing awareness of the value of health records that can be used for insurance fraud. While these types of breaches do grab headlines because of their impact on the average consumer, they only represent a small subset of the actual threats and breaches.
There is an enormous undercurrent of breaches that target intellectual property, business plans, and other data that can be valuable in a corporate espionage context.
There are also attackers, who are often linked to unfriendly nations, targeting critical infrastructure systems, presumably gaining access that would be useful for causing sabotage during any future conflicts. These breaches often go unnoticed or are swept under the rug and as a result these types of threats aren't on the radar of most organizations. I still commonly hear potential clients say things like "we don't have any credit cards that anybody would want to steal" as an excuse for ignoring basic information security practices.
3. How, if at all, have the types of cyber attacks changed or evolved since you started working at NTT Com Security in 2001?
Security was much simpler 10-15 years ago. A solid information security program mostly consisted of installing anti-virus, consistently patching servers, and firewalling off anything that didn't need to be exposed to the Internet so that hackers and "worms" like Code Red and Nimda couldn't exploit them.
These types of attacks are still with us but they have evolved: rather than simple "worm" type viruses that exploit unpatched server vulnerabilities that had been known for months or years, we are seeing custom viruses that can evade anti-virus detection and exploit previously unknown zero-day vulnerabilities for which no patch is yet available. These viruses often target workstations and their gullible users through phishing, drive-by downloads, and vulnerabilities in browser plug-ins.
We also see many more attacks on custom application code as techniques like SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery have become well known. Unlike off-the-shelf commercial software, custom code requires a company to have its own QA team to find vulnerabilities and developers to create a patch to address a security issue. In many cases, custom application code was written before modern application attack techniques were well known and the resulting vulnerable code is no longer maintained. These applications are ripe targets for attackers.
We've also seen malicious social engineering attacks become much more common. Phishing attacks attempting to spread malware or trick users into revealing credentials are very common, while spear phishing emails and telephone calls under false pretexts are used to gather information from high-value individuals. Even physical infiltration of facilities is a realistic threat. None of these techniques are new; hackers were certainly going on dumpster diving expeditions and making calls under false pretexts to gather interesting information decades ago, but while these techniques used to be a tool to satisfy a hacker's curiosity they are now a weapon used for fraud.
4. What advice would you give a client that wants to build a corporate culture that includes cyber security awareness?
The single best piece of advice I can offer is to expand security awareness training programs to include the reasons why we ask employees to follow certain security steps. To pick one common example that everyone likes to complain about: password complexity and change requirements. Everyone knows they have to make long passwords and change them regularly, everyone complains about it, and most don't know why we make them do it. A simple demonstration of how passwords get stolen and cracked could go a long way towards winning the "hearts and minds" of the non-technical folks whose jobs are made a little more difficult every day as a result of decrees from security. This extends to the other topics we deal with regularly in security as well, from system configuration through software development techniques.
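The kind of demonstration suggested above, written out as an added example (not from the interview or from NTT Com Security): a constructed "leaked" credential table is attacked with a precomputed dictionary, first when passwords are stored as unsalted MD5, then when stored with a random per-user salt and a slow KDF. The wordlist, user names and passwords are all constructed; the point for a non-technical audience is that a password on the common list falls either way, only the long random one survives, and salting plus slow hashing is what buys the defender time.

```python
# Added example (not from the interview): the live "why" behind password rules.
import hashlib
import os
import time

# Constructed stand-in for the "most common passwords" lists attackers run
# first; real lists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "summer2015", "letmein"]

def unsalted_md5(password: str) -> str:
    """Weak storage: one fast hash, no salt; identical passwords -> identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Stronger storage: random per-user salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def build_lookup_table(wordlist):
    """Hash -> plaintext, computed once and reusable against every unsalted leak."""
    return {unsalted_md5(p): p for p in wordlist}

def crack_unsalted(leaked, table):
    """Every user whose hash is in the table falls with a single dictionary lookup."""
    return {user: table[h] for user, h in leaked.items() if h in table}

def crack_salted(leaked, wordlist):
    """Salts make the table useless: each guess is recomputed per user, slowly."""
    recovered = {}
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            if salted_pbkdf2(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered

def demo():
    """Run both attacks on a constructed leaked database; report what each recovers."""
    users = {"alice": "summer2015", "bob": "Wv9#qLz2!pR7m", "carol": "summer2015"}
    leaked_md5 = {u: unsalted_md5(p) for u, p in users.items()}
    leaked_kdf = {}
    for u, p in users.items():
        salt = os.urandom(16)
        leaked_kdf[u] = (salt, salted_pbkdf2(p, salt))
    t0 = time.perf_counter()
    weak_hits = crack_unsalted(leaked_md5, build_lookup_table(COMMON_PASSWORDS))
    t1 = time.perf_counter()
    strong_hits = crack_salted(leaked_kdf, COMMON_PASSWORDS)
    t2 = time.perf_counter()
    return {
        # Unsalted: alice and carol visibly share a password before any cracking.
        "shared_hash_visible": leaked_md5["alice"] == leaked_md5["carol"],
        "shared_kdf_visible": leaked_kdf["alice"][1] == leaked_kdf["carol"][1],
        "weak_hits": weak_hits, "weak_seconds": t1 - t0,
        "strong_hits": strong_hits, "strong_seconds": t2 - t1,
    }
```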
5. What mistakes do businesses sometimes make that leave them open to cyberattacks, and what steps are needed to address these deficiencies?
Most organizations see security as an exercise in keeping the bad guys out of their network and focus most, if not all, of their security attention there. Firewalls, intrusion prevention systems, anti-virus, and patching programs are all primarily used to guard the perimeter and keep the bad guys out.
What this approach overlooks is that it's nearly impossible to stop all breaches, even with the most sophisticated perimeter security systems. Eventually someone will fall for a phishing email, or make a coding error in the application they're developing, or leave a system with a zero-day vulnerability exposed to the Internet. In light of this, a solid network defense needs to include the capability to detect a breach in its early stages and put a stop to it before sensitive data can be stolen or serious damage caused. Someone must be monitoring network traffic and logs for suspicious activity within the network and sensitive data leaving the network in order for any security measures to be effective.
Perimeter security technologies like firewalls and IPS can also be useful in a detection context. Many organizations have what we call a "flat network", where all of the security infrastructure is located at the perimeter and all of the systems inside the perimeter can freely communicate without any real security controls. Segmenting a network by creating internal security perimeters with restrictive firewalls provides the ability to isolate systems that hold sensitive data away from the workstations and Internet-facing servers that are often the first targets in an attack. While it may not be foolproof, it can slow an attacker down and provide more opportunity for detection.
6. Are there potential threats that, while not necessarily on the radar in a major way right now, could in the near future become a major source of pain? Please explain.
Some of the most significant threats to information security capabilities that we will see over the next few years are legal, rather than technical in nature. The Snowden leaks, the Mandiant report on APT 1, recent high profile breaches, and the existence of what has become known as the Great Firewall of China all show us how governments (democratic and otherwise) see the Internet as a convenient tool to spy on each other, keep tabs on foreign companies, and monitor their own citizens.
The government agencies from around the world who are involved in this battle all seem to be playing offense, stockpiling previously unknown vulnerabilities that they can use to exploit their targets, without paying much attention to defense, providing vulnerability information to software developers so that patches can be released and their own systems and domestic companies can be better protected. The likely explanation for this is that governments and companies all over the world tend to use the same commercial and open source software: any security patch may increase domestic security but will also have the side effect of making it that much more difficult for spy agencies to break into foreign targets that use the same software.
In the aftermath of the Snowden leaks, we saw a flurry of activity from Apple, Google, and other software vendors attempting to increase the security of their products, often via the expanded use of strong encryption, to help increase privacy in the face of widespread domestic surveillance. It didn't take long for politicians and government agencies around the world to protest these moves, offering grim predictions about children dying because of law enforcement's inability to break into people's phones and calling for law enforcement backdoors to bypass privacy controls.
The unfortunate reality is that any backdoors will weaken the overall security of a piece of software, not just for those government officials for whom they're intended but also for hackers who will undoubtedly find and reverse-engineer them for their own benefit. It wasn't that long ago that the U.S. had blanket restrictions on the export of strong encryption, where "export" could simply mean uploading software to the Internet from where it could be downloaded into another country. A return to these sorts of restrictions would be disastrous for companies operating in countries that don't have any qualms about conducting corporate espionage on a foreign business within their jurisdiction.
The other side effect of the "offense only" mentality that seems to pervade government agencies is that many software security patches are the result of efforts by independent researchers using publicly available tools to find and report vulnerabilities. If the ability to conduct independent research is curtailed, then we can expect our ability to defend networks to degrade accordingly as vulnerabilities are increasingly discovered first by those with a vested interest in exploiting them rather than fixing them. We are already seeing this with the Wassenaar Arrangement, an international arms control treaty that, in the opinion of some, prohibits the dissemination of the types of tools used and produced by independent security researchers.
7. Despite the many reports of successful cyberattacks, it appears as though some companies have a hard time getting the message. What are some of the negative consequences that can emerge if companies fail to take cyber security seriously?
The consequences of a breach will vary wildly depending on the size of the company and what they have to protect. Large retail payment card breaches are an obvious high profile example where we've seen cost estimates in the hundreds of millions of dollars and the departure of C-level executives in the aftermath. While Target and Home Depot aren't likely to go out of business as a result of their breaches, small startup companies who barely have any assets beyond their intellectual property can quickly find themselves bankrupt if someone steals their R&D in order to beat them to market or undercut their prices.
There are a wide variety of potential consequences in between these two extremes, but in most cases they come down to the cost of cleaning up after a breach and then either paying the fines resulting from lost personal data, suffering through the lost revenues as an unscrupulous competitor picks up more market share, or losing out on an acquisition because a competitor peeked at all the bids.
The growing number of Internet-connected devices that interact with the physical world presents an entirely new array of risks. We are seeing more of this as a new generation of medical devices are brought online to give doctors and nurses remote monitoring and control capabilities, as automobiles gain connected functionality while relying increasingly on "drive by wire" controls, and as legacy industrial control systems (often with minimal and outdated security) that control power plants, water systems, and other infrastructure are connected to the Internet. These types of systems present the real and immediate risk of injury or death as a result of unauthorized tampering and warrant extra security attention.
8. Some companies believe that they can cover all the bases on the cyber-security front in-house. What are the advantages of working with a service provider such as NTT Com Security versus doing everything in-house?
The security field is evolving very rapidly. New vulnerabilities are discovered every day, attackers are regularly developing new techniques for exploiting systems, and new technologies are constantly being developed to address those threats. Staying up-to-date on security in spite of the firehose of information is a full-time job. I often run into developers who think they are writing secure code or QA teams who think they can detect vulnerabilities, but it turns out that they are not, simply because their primary focus is writing and checking code rather than staying on top of the latest attack techniques and how to prevent them. Large companies can afford to have a dedicated security team to follow the latest security threats and a penetration testing team to check for them, but for many this is a luxury they can't afford. Utilizing a service provider who specializes in security is a way to leverage this sort of deep security knowledge without having to pay for a full-time in-house security team.
Another issue with the tactical realities of security defense is that it has to be conducted 24x7. Hackers realize that most organizations won't have staff monitoring networks on nights, weekends, and holidays and may choose these times to exfiltrate data or perform other "noisy" activities with the knowledge that even if they are detected eventually it will be too late for them to be stopped. Again, large organizations can afford a dedicated security operations center monitoring their network day and night, but for most companies this will be cost-prohibitive. Utilizing managed service providers is a sort of force multiplier, allowing for frontline monitoring at a lower cost and easing the load on in-house resources.
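The two detection points made in the answers above (question 5: someone must watch for sensitive data leaving the network; question 8: attackers prefer nights, weekends and holidays when nobody is watching) combined into a minimal detector, as an added example that is not from the interview or from NTT Com Security. The flow-record format, internal address ranges, staffed hours, holiday list and thresholds are all constructed assumptions; the sample records show a workstation's ordinary daytime traffic followed by a large upload to an external address early on a Saturday.

```python
# Added example (not from the interview): flag hosts that send far more data to
# the Internet outside staffed hours than they ever do while staff is watching.
from collections import defaultdict, namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
STAFFED_HOURS = range(8, 18)      # monitoring staffed 08:00-17:59, Monday-Friday
HOLIDAYS = {"2015-07-03"}         # constructed observed holiday (unstaffed)
OFF_HOURS_MULTIPLIER = 5          # off-hours bytes vs. this host's own staffed bytes
ABS_THRESHOLD = 100_000_000       # ignore small off-hours traffic (100 MB)

Flow = namedtuple("Flow", "ts src dst bytes_out")

def parse_flow(line: str) -> Flow:
    """Constructed format: '<iso timestamp> <src ip> <dst ip> <bytes out>'."""
    ts, src, dst, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(nbytes))

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_off_hours(ts: datetime) -> bool:
    """Nights, weekends and holidays: the windows the interview says attackers prefer."""
    return (ts.weekday() >= 5 or ts.hour not in STAFFED_HOURS
            or ts.strftime("%Y-%m-%d") in HOLIDAYS)

def detect_off_hours_exfil(lines):
    """Return (host, off_hours_bytes, staffed_bytes) for each host whose outbound
    off-hours volume to external addresses dwarfs its own staffed-hours volume."""
    staffed, off = defaultdict(int), defaultdict(int)
    for f in map(parse_flow, lines):
        if not is_external(f.dst):
            continue              # internal east-west traffic is out of scope here
        bucket = off if is_off_hours(f.ts) else staffed
        bucket[f.src] += f.bytes_out
    alerts = []
    for host, total in off.items():
        if total > max(ABS_THRESHOLD, OFF_HOURS_MULTIPLIER * staffed[host]):
            alerts.append((host, total, staffed[host]))
    return sorted(alerts)

# Constructed flow records; 2015-07-04 is a Saturday, 2015-07-03 the holiday above.
SAMPLE_FLOWS = [
    "2015-07-01T10:15:00 10.0.5.20 203.0.113.10 48213",
    "2015-07-01T14:02:00 10.0.5.20 198.51.100.7 12000",
    "2015-07-01T16:00:00 10.0.7.9 198.51.100.7 200000",
    "2015-07-02T11:30:00 10.0.5.20 203.0.113.10 51000",
    "2015-07-02T23:30:00 10.0.7.9 10.0.1.5 900000000",
    "2015-07-03T09:00:00 10.0.7.9 203.0.113.10 5000",
    "2015-07-04T02:10:00 10.0.5.20 198.51.100.44 734003200",
]
```

Running `detect_off_hours_exfil(SAMPLE_FLOWS)` flags only 10.0.5.20; the large 10.0.7.9 transfer is internal and its small holiday flow stays under the absolute threshold.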
9. What brings you the most enjoyment in terms of your job at NTT Com Security, and what is the greatest source of frustration?
The best part about this job is that it's always changing. The type of work we are doing today is completely different from what we were doing 14 years ago when I started. Back then a simple defensive approach was sufficient for the most part, so security revolved around putting a firewall in place and making sure it was locked down. At that time the whole field of vulnerability assessment and penetration testing was something rarely considered outside of government and military circles while it is now a commonplace security technique. The idea of PCI compliance or just about any other data security standard was also still far out on the horizon. The Internet was growing fast and everyone was just left to their own devices when it came to security with many not bothering at all; that's probably at least part of the reason why things are such a mess today.
On the frustration side, we still regularly run into companies who just don't bother implementing appropriate security controls. They either see it as too expensive, especially when it comes to monitoring for attacks, or as too inconvenient for their users, who would lose the ability to access anything, anytime, from anywhere with the same simple password they've been using since they were hired. We often see this when it comes to compliance projects: some companies just want to sweep as much as they can under the rug so they can "check the box" and claim compliance even though their security may really be a total shambles. We try to avoid these types of projects and all too often we end up revisiting those companies after they've been breached when they typically end up spending more to clean up the mess than it would have cost them to put in the appropriate controls to prevent the incident.
10. What sort of activities or hobbies do you enjoy away from work, and how important is it to you to pursue other interests?
For most of the past four years I haven't really had a fixed address, spending my summers on a sailboat between New York and Boston and my winters on a motorcycle in the Southwest. Getting away from work for me usually involves going further out into the wilderness where computers and cellphones don't belong; depending on the climate and season I'll be hiking, camping, canoeing, skiing, or rock climbing.
Depending on how you look at it, one of the drawbacks or benefits of the consulting life is a lot of travel. When I'm on the road visiting a client I will usually bring my backpacking gear with me and try to squeeze in a few days off for a side trip to a nearby national park. I know a lot of people who get burned out by the frequent travel, but I'm usually looking forward to it because I know I'll get to go out and have some fun once the meetings are over. I think the ability to have that escape is a key reason why I've been able to stick with the consultant lifestyle for so long.