PayPal CISO: DDoS one big security threat among many

Stung by a high-profile denial-of-service attack in December, PayPal's CISO says application-layer attacks remain a major threat to businesses in general, which need better defenses and real-world testing of the DDoS defenses they already have.

"We need better planning as an industry," says Michael Barrett, the CISO of PayPal, whose blog site was knocked offline late last year by the political hacking group Anonymous.


During a recent interview with Network World about his major security concerns and priorities for 2011, Barrett also listed advanced persistent threats (APTs) as a major worry and called for legislation to improve Internet security. In addition, he says the Payment Card Industry (PCI) standards for protecting credit card information need some tweaking to give businesses more flexibility without hurting security.

But as for DDoS attacks, businesses need to plan their defenses and confirm how well those defenses will handle real attacks against live networks, Barrett says, because tests in simulated environments don't scale large enough to adequately stress them.

Another problem is that testing the actual network gets in the way of doing business. "We have to do more testing, but we haven't figured out how," Barrett says. "You can't shut off the Internet for a significant length of time."

As for APTs, Barrett says they pose two big problems: how to detect them, since they are typically hard to find with signature-based tools, and what to do about them once they are found. APT code is designed to burrow into networks and resist eradication, so even if one instance is discovered and cleaned, others remain to carry out malicious activity, he says.

A piece of malware found on a PC, for example, could be a simple virus infecting one machine or it could be the sign of something more sinister trying to steal intellectual property or customer records. An APT sent by a determined adversary likely means there is also a backdoor to let in more malware, he says.

"If you react to one backdoor at a time, you wind up playing a game of whack-a-mole," he says. Plus, taking down just one instance of an APT and leaving the rest may tip off the attacker that it's time to enter the next phase of the attack, he says. Honeypots can help determine the nature of discovered threats and whether they represent random infections or sophisticated targeted attacks, Barrett says.

One piece of the solution is better network-based detection tools to augment e-mail filtering, Web proxies, antivirus and anti-malware applications. These additional detection tools should seek anomalous behaviors networkwide so that compromised machines can be found and cleaned all at once to eradicate the APT, he says.
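The networkwide approach Barrett describes can be illustrated with a small beacon detector run over Web-proxy logs: instead of reacting to one infected host, it looks for every client that contacts the same destination on a suspiciously regular schedule and groups them by destination, so the whole set can be remediated in one sweep. This is an added example, not code from the article or from PayPal. The log format, the sample lines and the thresholds (`min_events`, `max_cv`) are constructed assumptions for illustration.

```python
"""Networkwide beacon detection over proxy logs (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). Assumed format per line:
# "<ISO timestamp> <client_ip> <destination_host> <bytes_sent>"
# 10.0.1.15 and 10.0.2.40 call updates.example.net every ~300 s (beacons);
# 10.0.3.7 browses news.example.org at irregular intervals (normal);
# 10.0.4.9 hits updates.example.net only twice (too few events to judge).
SAMPLE_LOG = """\
2011-01-10T09:00:00 10.0.1.15 updates.example.net 512
2011-01-10T09:00:00 10.0.4.9 updates.example.net 510
2011-01-10T09:00:30 10.0.3.7 news.example.org 20480
2011-01-10T09:01:05 10.0.3.7 news.example.org 18211
2011-01-10T09:02:10 10.0.2.40 updates.example.net 515
2011-01-10T09:05:00 10.0.4.9 updates.example.net 509
2011-01-10T09:05:01 10.0.1.15 updates.example.net 514
2011-01-10T09:07:11 10.0.2.40 updates.example.net 511
2011-01-10T09:09:40 10.0.3.7 news.example.org 33012
2011-01-10T09:10:00 10.0.1.15 updates.example.net 513
2011-01-10T09:10:02 10.0.3.7 news.example.org 2048
2011-01-10T09:12:09 10.0.2.40 updates.example.net 512
2011-01-10T09:15:02 10.0.1.15 updates.example.net 512
2011-01-10T09:17:12 10.0.2.40 updates.example.net 516
2011-01-10T09:19:59 10.0.1.15 updates.example.net 511
2011-01-10T09:22:10 10.0.2.40 updates.example.net 513
2011-01-10T09:31:15 10.0.3.7 news.example.org 41790
"""


def parse_log(text):
    """Map each (client, destination) pair to the list of request timestamps."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _bytes_sent = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def is_beacon(timestamps, min_events=4, max_cv=0.1):
    """True when a client hits a destination on a near-fixed period.

    The test is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a human browsing produces bursty gaps,
    a scheduled call-home produces nearly constant ones. Thresholds are
    assumptions for this example, not measured values.
    """
    if len(timestamps) < min_events:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def find_beacons(events):
    """Return the set of (client, destination) pairs that look like beacons."""
    return {pair for pair, ts in events.items() if is_beacon(ts)}


def group_by_destination(beacons):
    """Pivot beacons by destination so one call-home host yields the full
    list of internal machines to clean together rather than one at a time."""
    groups = defaultdict(set)
    for client, dest in beacons:
        groups[dest].add(client)
    return {dest: sorted(clients) for dest, clients in groups.items()}


def detect(text=SAMPLE_LOG):
    """Full pipeline: parse, flag beacons, group by destination."""
    return group_by_destination(find_beacons(parse_log(text)))


if __name__ == "__main__":
    for dest, hosts in detect().items():
        print(f"{dest}: {len(hosts)} beaconing hosts -> {', '.join(hosts)}")
```

Running it on the constructed log reports `updates.example.net` with two beaconing hosts, which is the remediation set; the irregular browser and the host with too few events are left alone. In practice the period test is only a first cut: real call-home code adds jitter and sleeps for long intervals, so a production version would also weigh constant request sizes, rare destinations and off-hours timing before deciding a destination is hostile.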

The true size of APT infection is difficult to know because it is so stealthy. "Many CISOs have been operating on the assumption that since they didn't know of anything, there wasn't anything," Barrett says.

On the matter of PCI standards, he feels that businesses need more flexibility in implementing security measures that guard against identified threats. The standards, which have been criticized for driving the bulk of security spending at companies that must comply with them, could use some refinement, he says.

Overall they address important concerns and impose security measures that can only benefit network security, he says. "I simply do not believe that these absolute minimum thresholds will force you to do things you shouldn't be doing already anyway," he says.

But the standards are vague in some areas and too specific in others, he says. For example, under the standard certain traffic requires stateful packet-inspection firewalls. "What if you used another technology that was the equivalent? Then you'd get in an argument with your QSA [Qualified Security Assessor, the auditor required by PCI]," he says. "PCI should be more risk-based with more options and less that is prescriptive -- it's both too prescriptive and too vague at the same time."

2011 is a good time for security professionals to help shape needed Internet-security laws, Barrett says. "Technology is not legislators' strong point," he says. "The industry needs to spend some time educating Congress and its staff on issues to ensure what they do makes computing and the Internet safer and not less safe. They need to avoid the law of unintended consequences."

The top issue they should address is enforcement of cybercrime laws. Theft of $10,000 worth of goods online using fraudulent credit cards is unlikely to attract an aggressive prosecution, even when prosecutors know who did it. The same theft from a brick-and-mortar retail store would attract an aggressive investigation, he says. "It's not lack of interest. It's that prior cases have been based on financial loss. $10,000 is not enough." In prosecuting real-world vs. online crime, there should be no significant difference, Barrett says.

Barrett says the industry should also support creation of a presidential commission to study cybercrime and find out how much is really lost directly or indirectly to cybercrime. He says he's heard estimates ranging from $2 billion to $26 billion in the U.K. alone, and estimates as high as $2 trillion worldwide.

Along with that, the commission should assess how seriously other nations treat cybercrime. For example, he says many people say Russia doesn't investigate cybercrime because of corruption, but that isn't always true. "There may be problems, but it does prosecute and sometimes punishes," he says. The goal should be to figure out how to encourage more reliable prosecutions. "Like terrorism, we need to study other governments and see how seriously they'll treat it."

The Convention on Cybercrime, an international treaty signed by Council of Europe member states and the U.S., encourages international cooperation in prosecuting cybercrime and in setting up appropriate laws to do so. The U.S. ratified it in 2006, but it doesn't yet have the teeth to be effective, Barrett says. "The mechanisms are 19th century," he says. "I've never seen a cyber investigator who asked for help [from another country] and got it in less than six months. The bureaucracy needs to be fixed."


Tags: cybercrime, internet, legal, e-commerce, paypal


Tim Greene

Network World