Adjunct Professor of Computer and Information Sciences Anthony J. Ferrante, FCRH ’01, GSAS ’04, will be a faculty instructor in Fordham’s new M.S. in Cybersecurity program. He conducted this interview with Kevin Mandia, then-CEO of Mandiant Corporation—which made headlines last year when it rooted out Chinese hackers for the New York Times. Ferrante questioned Mandia following the International Conference on Cyber Security (ICCS) held at Fordham Aug. 3–8, 2013, where Mandia appeared as a distinguished speaker.
What do you consider the next cyberthreat on the horizon?
There will always be dedicated attackers with ideological differences determined enough to find ways to exploit human vulnerabilities. These attackers are difficult to identify; for this, and a number of other reasons, there is often little risk of response to these attacks or repercussion to the attackers. As cyberspace continues to become a more effective platform for actors to conduct their operations–whether it is to steal data, steal money, make a statement, or destroy networks or data—we believe more diverse types of actors will flock to the cybermedium.
The Internet allows those without extensive financial means to cause significant problems. The Syrian Electric Army (SEA) proved this with the DNS redirection of the New York Times website domain name. How can we defend from future incidents like this?
From a tactical perspective, malicious actors will sometimes use the most basic methods such as social engineering, exploiting weak passwords, and password re-use to conduct their attacks. You can educate users not to click on suspicious links or open spam emails, but this is not foolproof. Certain groups cause real disruption with limited resources; this is especially true with ideologically motivated actors. One way we can prepare is to keep an eye on which threat groups are active and who their targets tend to be. If you know you are in a targeted group, you can prepare.
How can everyday citizens who may not be so technologically savvy protect themselves?
Be aware of the websites you visit; secure website connections start with “https” and have a key or closed padlock in the status bar which will show the security certificate for the site when clicked. If the name to which the certificate is issued and the name of the site do not match, the site may not be legitimate.
Think before downloading; malicious software is often loaded onto computers via seemingly benign applications and attachments.
Change passwords regularly and use a different one for each account requiring a log-on.
Use caution using public wireless connections; many public wireless networks in airports, hotels or restaurants reduce their security to make them easier to access and use.
Always click on the “log out” button and do not set browsers to save usernames or passwords.
Do you think we should hold private companies to a higher standard given the potential harm their computer networks can cause?
Rather than create one set of standards for private companies and one for government, both sides should aim to establish a system where law enforcement and the private sector share and proactively use accurate and timely threat information from which both sides, and by extension the general public, could benefit.
Would you endorse cybersecurity standards being regulated by the U.S. government?
Cyberthreats will evolve faster than our ability to regulate against them. As a nation we would be better served by creating a system in which cyber threat information is shared in a standard, codified, machine-readable way that does not diminish our national security or law enforcement missions, or our privacy and civil rights.
Do you worry about malware causing destruction, especially those computer networks used to maintain critical infrastructure such as transportation?
Even though we have not directly observed a state or non-state actor destroy or degrade a network (or even publicly demonstrate that they possess such capability), we know that certain threat actors harbor that intent. The capability to destroy a network is not substantially different from the capability to penetrate a victim’s environment in order to steal files. Just because we have not seen it happen does not mean that actors are not planning on doing so should the right circumstances arise.
Many companies look at a cyberattack from a post-incident lens (known flaw caused compromise that should be mitigated). How important is it to consider the totality of the circumstances—learn as much as you can about your adversary, their tools, techniques, and protocols (TTPs)?
Cybersecurity is not just a technical issue; it is a policy problem, it has economic effects, it has business impact, and it can touch on international relations and diplomacy. Moving towards solutions requires a lot of different ways of thinking about a problem.
Be flexible and nimble in your thinking—technologies change fast, you need to adapt, and you need to be able to consume and prioritize a lot of information at once.