Or: why “advanced persistent threat” is the wrong phrase
Google's revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written several illuminating posts about the nature of the attacks.
The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike's definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:
NetApp is an industry-leading provider of storage and data management solutions. It has a presence in more than 100 countries, thousands of customers, a network of more than 2,200 partners, and a culture of innovation, technology leadership, and customer success. The company was seeking to build higher brand awareness and deeper engagement with employees, customers, and partners, and decided to deploy both customer and employee communities.
Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.
The timing of this report is perfect, as current smart grid rollouts are often criticized for a lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the rollout phase. This lack of a security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.
The NIST publication will be an important piece of work, as it brings various standards bodies and regulators like IEEE, NERC, and FERC to the table. Note that this is not a control-based standard like others published by NIST, but a guideline pointing to other frameworks that should be referenced when working in a smart grid ecosystem. A more control-based work on cyber security in the smart grid is in development, and a draft of that standard is available for public review.
A few important highlights to pay close attention to in the cyber security sections are:
If you have been following this blog, you might remember that I posted this a while back. But with the new year here, I thought it might be good to repeat some of the case studies while adding new ones... just in case you missed them, or in case you wanted a refresher as you start down the path of providing a solution to your company's social media needs!
Remember that great song... "Can't get no... Satisfaction..." Somehow I think that is the national anthem of most customers. Why is it so freaking hard to get satisfaction?
Consumer Business Group (CBG) — formerly Linksys — is a division of Cisco that offers a wide variety of consumer and small office voice over IP (VoIP) and networking solutions such as routers, switches, and storage systems under the Linksys by Cisco brand. CBG has long held a reputation for excellent technical support and has developed a number of innovative approaches to contain support costs while still offering responsive service. One key initiative was the introduction of an online customer support community.
Just got back from the Lotusphere conference in Orlando (which sure beats Boston these days in the weather department – thanks, IBM!). At one of the sessions, IBM execs gave their take on the Web content management (WCM) and portal markets. Or should that be market? IBM is betting that the WCM and portal markets will converge and cease to be separate markets, with vendors offering combined WCM/portals suites that have one administrative tool set, one presentation management structure, one repository, and so on. From a road map standpoint, IBM is also making it clear that they don’t have a “portal plan” or a “WCM plan”, but rather an “experience” plan that includes both portal and WCM.
Will it really happen? Certainly, many intranets and extranets rely on content/experience delivery via portals. Also, many companies utilize public-facing Web sites for customer self-service – a good fit for portal delivery. Already, SharePoint has made some noise with WCM and portal functionality within a single product. And given many firms’ clunky customized WCM/portal integrations, IBM can look attractive with its combination of WebSphere Portal and Lotus WCM.
So what are the obstacles to total WCM / portal convergence?
A good chunk of customer experience sites that still don’t necessarily need the user-customization and application consumption capabilities of a portal.
Where do architects spend their time, and is this where they should be spending it? I participated in a webinar this week hosted by Architecture & Governance magazine, along with George Paras. We discussed ‘the state of EA in 2010’ and the transformation of EA from a technology focus to a business focus. During this webinar, I showed this data from Forrester’s annual State of EA survey.
Google called again after I posted the latest follow-up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: "This is not accurate." So, I should rephrase how the attack happened:
a) A Google employee's machine that was running IE v6 was compromised via the IE vulnerability.
b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." At Google's request, I retract that particular statement.
This is what we do know factually:
1) The attack on the Google server happened.
2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.
Could these two things be entirely unrelated? I doubt it. But Google isn't going on the record to say that the attack came in via the VPN, and that's their official position.
On a positive note, Google is actively trying to schedule the security interview with me. So hopefully I'll have more to report shortly.
By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet markets, as well as the already tenuous relationship between the US and China; it is no wonder this attack is drawing the attention of headlines worldwide.