Security Q&A: Howard Schmidt on Meeting Today’s Challenges

Howard Schmidt is one of the foremost computer security experts in the country. In addition to being the former chief security officer at both eBay and Microsoft, Schmidt is a former special adviser to the White House for cyberspace security.

He recently spoke with Baseline editor-in-chief John McCormick on what he saw as the biggest computer security challenges today, and offered advice on how chief information and chief security officers could meet these threats.

Q: What’s the most worrisome security threat right now?

A: The security threats we’re seeing now [stem from] the fact that the new enterprise is all of us. Because we now have broadband to our homes, and because we have greater capabilities off the worksite than we’ve ever had before—be it a hotel or wherever it is. So now, we have data that resides basically everywhere.

How to control the data outside the perimeter is probably the biggest thing I worry about now.

Q: When you look at the number of mobile devices that have been lost by workers over the past year—the Veterans Administration being one of the more notable examples—the problem doesn’t seem to be lessening. What can be done?

A: Use of encryption [must] be mandatory. It’s not an option.

There is good technology out there now. There are processes that have been identified—to be able to do key recovery [the ability to unlock encrypted messages] if something should happen to an employee. I think the biggest thing people can start looking at is deploying encryption as part of standard day-to-day operations.

Q: Besides encryption, what other steps should CIOs and CSOs be taking?

A: The other thing is around this whole area of data leakage. We’re seeing employees having data on [systems]—whether it’s corporate systems or personal systems or home systems—in which peer-to-peer technologies are also used. They don’t fully realize that they’re [often] inadvertently sharing their data over peer-to-peer networks with literally millions of people worldwide.

Q: How?

A: One, the data is being shared accidentally.

The second thing is there are actually people out there on the peer-to-peer networks looking to acquire that data, using search terms—passwords, bank account statements, those sort of things.

The third thing is [we’re] even reaching the point where bad guys are doing data aggregation. They are setting up servers—“data concentrators” is probably a better [term]—where if you want to know where all the peer-to-peer files are out there around [say,] bank accounts, you can log in to this one server and get it.

And what happens is that a lot of companies aren’t aware of that. And when they do become aware of it, they sort of think, OK, so a sensitive document has leaked out, let’s go get it back. You don’t get anything back off the Internet. It’s there forever.

And another thing is that [it’s not just that] an occasional document slips out once in a while. Oftentimes, it’s a systemic thing because people will put the data on these machines, and it gets shared out and people search for it.


Q: What can be done to stop data leakage?

A: You have to monitor all the environments. What often gets overlooked is monitoring the peer-to-peer networks—and reacting accordingly. One of the documents I see oftentimes is [when] somebody puts together a [list of] their IP addresses, user IDs and passwords just so they can use it later on. Well, that gets shared out.

Number one, you shouldn’t be doing it. Secondly, if it’s out there and you find out it’s out there, you want to change that information so bad guys can’t exploit it.

Q: What about hackers and viruses?

A: They will continue to be an issue.

Large enterprises, of course, [have] been doing some pretty good investments. Building the capabilities internally to better fight viruses and worms and Trojans, and to do a better job about patching—where it’s been built into the day-to-day business process.

The problem we have with small and medium enterprises that are business partners with the larger [enterprises], or joint venture partners, is that they wind up becoming a gateway. You know the old adage about the weakest link in the chain. And that’s what happens.

[Large enterprises often] depend on supply chain partners that don’t have the resources, don’t have the experience, to put in robust security controls. So, [the partners’] systems become affected by a Trojan or a worm, which then affects their ability to supply goods and services to the bigger companies.

Q: What are the steps companies can take to prevent that from happening?

A: Clearly, have a plan.

Until such time that we get software code that has fewer vulnerabilities, we’re going to have to deal with the identification of a vulnerability, patching it, and then dealing with the exploits that result from this. Consequently, if you have a plan on how to do that—including a backup and recovery, or business continuity, plan—when one of those things does happen, [you can] minimize down[time].
