FRAMINGHAM, 1 MARCH 2011 - Stung by a high-profile denial-of-service attack in December, PayPal's CISO says application layer attacks remain a major threat to businesses in general, which need better defenses and actual testing of the DDoS tools they have.
"We need better planning as an industry," says Michael Barrett, the CISO of PayPal, whose blog site was knocked offline late last year by the political hacking group Anonymous.
During a recent interview with Network World about his major security concerns and priorities for 2011, Barrett also listed advanced persistent threats (APT) as a major worry and the need for legislation to improve Internet security. In addition, he says that the payment card industry (PCI) standards for protecting credit card information need some tweaking to give businesses more flexibility without hurting security.
But as for DDoS attacks, businesses need to plan defenses and confirm how well they will handle real attacks against live networks, Barrett says, because tests in simulated environments don't scale large enough to adequately stress the defenses.
Another problem is that testing the actual network gets in the way of doing business. "We have to do more testing, but we haven't figured out how," Barrett says. "You can't shut off the Internet for a significant length of time."
As for APTs, Barrett says they pose two big problems: how to detect them since they are typically hard to find with signature-based tools, and what to do about them when they are found. APT code is designed to burrow into networks and resist eradication so even if one instance is discovered and cleaned, others remain to carry out malicious activity, he says.
A piece of malware found on a PC, for example, could be a simple virus infecting one machine or it could be the sign of something more sinister trying to steal intellectual property or customer records. An APT sent by a determined adversary likely means there is also a backdoor to let in more malware, he says.
"If you react to one backdoor at a time, you wind up playing a game of whack-a-mole," he says. Plus, taking down just one instance of an APT and leaving the rest may tip off the attacker that it's time to enter the next phase of the attack, he says. Honeypots can help determine the nature of discovered threats and whether they represent random infections or sophisticated targeted attacks, Barrett says.
One piece of the solution is better network-based detection tools to augment e-mail filtering, Web proxies, antivirus and anti-malware applications. These additional detection tools should seek anomalous behaviors networkwide so corrupted machines can be found and cleaned all at once to eradicate the APT, he says.
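As an added illustration of the kind of network-wide behavioral check Barrett describes (this is example code written for this page, not PayPal's tooling or anything from the interview), the script below scans proxy-style log lines for hosts that contact the same destination at machine-like regular intervals. Such periodic "beaconing" is invisible to a signature scanner, but stands out when viewed across the whole network, and grouping hosts by the destination they share yields the set of machines to isolate and clean together rather than one at a time. The log format, hostnames and domains are constructed for the example and are assumptions.

```python
"""Network-wide beacon detection over constructed proxy-log lines.

Example code added for illustration; not from the article or from PayPal.
Assumed log format (constructed): "<epoch_seconds> <src_host> <dst_domain> <bytes_out>"
"""
import re
import statistics
from collections import defaultdict

# Constructed sample data. ws-01 and ws-07 check in with the same domain every
# ~300 s (a check-in loop); ws-12 browses a news site at irregular intervals.
SAMPLE_LOG = """\
1000 ws-01 intranet.example 512
1000 ws-01 cdn.example-static.test 40213
1300 ws-01 updates.example-c2.test 310
1600 ws-01 updates.example-c2.test 312
1900 ws-01 updates.example-c2.test 309
2200 ws-01 updates.example-c2.test 311
2500 ws-01 updates.example-c2.test 310
1050 ws-07 updates.example-c2.test 305
1340 ws-07 updates.example-c2.test 307
1660 ws-07 updates.example-c2.test 306
1940 ws-07 updates.example-c2.test 304
2250 ws-07 updates.example-c2.test 308
1010 ws-12 news.example 15000
1420 ws-12 news.example 16300
2900 ws-12 news.example 14100
3500 ws-12 news.example 14800
3550 ws-12 news.example 13900
3600 ws-12 cdn.example-static.test 50211
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Return {(host, dest): [timestamps]} from log lines; malformed lines are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, dest, _bytes_out = m.groups()
        conns[(host, dest)].append(int(ts))
    return conns


def is_beacon(timestamps, min_hits=4, max_jitter=0.2):
    """True when a host hits a destination at near-regular intervals.

    Uses the coefficient of variation (stdev / mean) of the gaps between
    consecutive contacts: a low value means machine-like periodicity, which
    is how a scheduled check-in loop looks; human browsing is far more jittery.
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < max_jitter


def find_beacons(conns, **kw):
    """Filter the (host, dest) map down to the pairs that look like beacons."""
    return {(h, d): ts for (h, d), ts in conns.items() if is_beacon(ts, **kw)}


def cluster_by_destination(beacons):
    """Group beaconing hosts by shared destination so the whole cluster is
    remediated at once, instead of cleaning one host and tipping off the attacker."""
    clusters = defaultdict(set)
    for host, dest in beacons:
        clusters[dest].add(host)
    return {d: sorted(hs) for d, hs in clusters.items()}


def remediation_plan(text):
    """Full pipeline: parse -> beacon detection -> destination clusters."""
    return cluster_by_destination(find_beacons(parse_log(text)))


if __name__ == "__main__":
    for dest, hosts in remediation_plan(SAMPLE_LOG).items():
        print(f"{dest}: isolate and clean together -> {', '.join(hosts)}")
```

On the constructed data this reports one cluster, `updates.example-c2.test` with hosts `ws-01` and `ws-07`, while `ws-12`'s irregular news-site traffic is left alone. In practice the thresholds (`min_hits`, `max_jitter`) need tuning against the organization's own baseline, and legitimate periodic traffic (software updaters, monitoring agents) must be allow-listed before the output is treated as a cleanup list.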