As one of the nation's leading cybersecurity experts, Eugene Howard "Spaf" Spafford has provided security advice to companies, law enforcement organizations and government agencies. Spafford, who is currently a professor of computer science at Purdue University, is considered a pioneer in the cybersecurity field for his work analyzing the Morris Worm, one of the first computer worms, more than 25 years ago.
At the RSA 2014 Conference in San Francisco in February, Spafford sat down with SearchCompliance editor Ben Cole to discuss the current state of cybersecurity threats and how companies can benefit from an intelligence-driven security strategy.
A theme here at the RSA 2014 conference, and also at the ISSA conference in October, was collaboration among security professionals. What needs to be done to move this collective intelligence forward?
Eugene Spafford: The community is not well-defined as to the scope of all the things we do. We don't necessarily know who we are. I think that's part of the problem, what the scope is with the people involved in designing, building, running systems and investigating incidents. Is it security? Is it privacy? How much of it is threat intelligence? How much of it is criminal investigation? It's difficult without knowing where the center of that community is. A second aspect there has to do with, really, what are our goals? What is it we're trying to do? Are we advancing social good? The whole nature of the profession needs a little bit more definition for us to actually be able to say we're working together towards some common goals.
What do you think are some of the most alarming new methods of cyberattacks, and what security measures and technologies are being developed that can offset these cybersecurity threats?
Spafford: I don't think I've seen anything that I would consider to be a new attack. Many of the things that have been occurring are attack technologies and behaviors that have really been known about for decades. A number of the practitioners in the field today don't know about them, and certainly an awful lot of the organizations that are being attacked have not bothered to make appropriate investments in their security. When these things occur, everybody says, 'Wow, that's a surprise.' But it really isn't.
For instance, consider the recent series of attacks on point-of-sale terminals to collect credit card numbers. That's not new -- it's malware. It's going after personal information. It [has] come out in the news that the organizations involved even had security measures in place, but were ignoring the warnings. I do not think that is new. What we're really seeing that's a little bit different is on a larger scale and is a little bit more politically motivated, like the efforts of the Syrian Electronic Army. Those attacks are disturbing because we don't have a coordinated international response to wide-scale cybercrime and politically motivated behavior.
Do you think results from security analytics can be used as a competitive advantage for companies?
Spafford: If it's used appropriately, it may help to convince management [of] the value of investment and the value of training and other issues. By having the numbers, by looking at the analysis and comparing with others in the field, that can help them adjust their investment and resources, adjust the amount of authority that's put in place. If it's used as a justification to reduce security, that is the wrong use. If it's being used to right-size security, I think it does have advantage.
How effective is intelligence-driven security, and what are some of the challenges to this approach?
Spafford: For large organizations that have the budget and the risk profile to make use of threat-driven intelligence, it's very valuable. It may give them a heads up [on] what to investigate, what to instrument, what patterns to look for. Smaller organizations are at a disadvantage because they don't have access to large sources of information. It's most valuable when it's done on a large scale, when it's aggregated amongst a sector or larger organizations. That's one of the big challenges of the intelligence-driven security information: Intelligence in general has value if your opponents don't know that you have it. Publicizing it too widely can diminish some of its value.