Howard Schmidt is no stranger to protecting digital information assets for high-profile targets. As the former White House Cyber Advisor for both President George W. Bush and President Barack Obama, he helped coordinate the federal government's interagency cybersecurity policy development and implementation. A similar coordinated, cooperative approach to cyber protection continues to be important, Schmidt said, as cyberattacks increasingly target intellectual property and industry trade secrets.
Schmidt is now a research professor at Idaho State University and a consultant at Ridge-Schmidt Cyber LLC, where he continues to help business and government improve cybersecurity strategy. Schmidt was in attendance at the RSA Conference in San Francisco in February, where he sat down with SearchCompliance editor Ben Cole to discuss modern information security vulnerabilities that should be top of mind for CISOs, and how businesses can fill these data protection holes.
How do you think people should build applications with security in mind?
Howard Schmidt: The biggest things we see when building apps are the vulnerabilities that are not intentional. For example, over the years, you write a piece of software and buffer over what you're building because you don't realize that if you don't have some boundaries on some of the software, it does create security vulnerabilities.
In order to build them more securely, you have to look for these known vulnerabilities; you have to make sure that the compilers and the software you use to create the end product indeed check for these conditions. The third thing is that when you put them together, you have to make sure you are not introducing vulnerability in one place that gives you the ability to exploit something else.
You have said in the past that the holy grail of security is to know which attacks are targeting your organization. What can a CISO do to identify these attacks and thwart them?
Schmidt: I think the biggest thing is to understand what is going on with their peers. Rarely do you see a specific intrusion set or exploit that is unique to one company or one CISO. The issue is to work together, conduct information sharing on security vulnerabilities, threats and best practices. That gives you a much better chance of reducing the risk [and] reducing the likelihood that something bad will happen to you.
How can CISOs use intelligence- and analytics-driven security? What are the benefits and challenges to this approach to information security?
Schmidt: It sort of relates to the last question you asked about the things CISOs can do. One is to create an area of situation awareness that they wouldn't have just by themselves. For example, if somebody's seeing intelligence and doing an analysis of it, that means the CISOs have a much better opportunity to do the operational things they need to do: to reconfigure systems, to work with their business partners and supply chain partners so you can all be pulling in the same direction. You can't do that if you're doing the analysis by yourself or only one piece of it. If you get the full picture, the entire situation analysis, then that makes everybody stronger.
What do you think are some of the most dangerous emerging cyberthreats to corporations? What are the information security measures and technologies that can overcome these new attacks?
Schmidt: It's always difficult to be predictive about the next generation of threats, but there are some things we need to pay more attention to. Clearly, one is the mobile environment. When there was only a few bring your own devices like the old PalmPilots and devices like that, there wasn't a lot of connectivity. You normally didn't have an IP address, so they weren't really a threat to your environment.
More on information security vulnerabilities
Mobile information management and security: The essential rules
Information security updates an important business concern in 2014
Now, virtually everything we have has an IP address. Virtually everything is connected to a network somehow, whether it's your work environment or your home environment. Those are some threats I don't think we have really thought through. We talked earlier about software. Clearly, it's an issue where some of the software is well tested and well vetted, and by the time it gets on your system you've got a pretty good assurance that it's not going to do much to you. But for other software pieces, you can download it and you don't know if there's malware in there, if there's some sort of capture software that indeed pulls out your PII [personally identifiable information] from your bank account.
The other thing that's really interesting -- and we even pay less attention to this -- is when you look at all the devices we have in our homes. The television is becoming an Internet device. Currently, it's Netflix and Pandora and those sorts of things, but eventually it will control your burglar alarm system, it will control your refrigerator, it will control your DVD player.
Hopefully, we are not going down the same path we've gone with other things. We know there are security vulnerabilities. We have to get them fixed. We have to go to the manufactures and say, 'It's great you have this application that lets me go to Facebook, but it also exposes me.' That's the next thing that we don't pay enough attention to.