PayPal CISO: DDoS one big security threat among many

Stung by a high-profile denial-of-service attack in December, PayPal's CISO says application layer attacks remain a major threat to businesses in general, which need better defenses and actual testing of the DDoS tools they have.

"We need better planning as an industry," says Michael Barrett, the CISO of PayPal, whose blog site was knocked offline late last year by the political hacking group Anonymous.

During a recent interview with Network World about his major security concerns and priorities for 2011, Barrett also listed advanced persistent threats (APT) as a major worry and the need for legislation to improve Internet security. In addition, he says that the payment card industry (PCI) standards for protecting credit card information need some tweaking to give businesses more flexibility without hurting security.

But as for DDoS attacks, businesses need to plan defenses and confirm how well they will handle real attacks to live networks, Barrett says, because tests in simulated environments don't scale large enough to adequately stress the defenses.

Another problem is that testing the actual network gets in the way of doing business. "We have to do more testing, but we haven't figured out how," Barrett says. "You can't shut off the Internet for a significant length of time."

As for APTs, Barrett says they pose two big problems: how to detect them, since they are typically hard to find with signature-based tools, and what to do about them once they are found. APT code is designed to burrow into networks and resist eradication, so even if one instance is discovered and cleaned, others remain to carry out malicious activity, he says.

A piece of malware found on a PC, for example, could be a simple virus infecting one machine or it could be the sign of something more sinister trying to steal intellectual property or customer records. An APT sent by a determined adversary likely means there is also a backdoor to let in more malware, he says.

"If you react to one backdoor at a time, you wind up playing a game of whack-a-mole," he says. Plus, taking down just one instance of an APT and leaving the rest may tip off the attacker that it's time to enter the next phase of the attack, he says. Honeypots can help determine the nature of discovered threats and whether they represent random infections or sophisticated targeted attacks, Barrett says.

One piece of the solution is better network-based detection tools to augment e-mail, Web proxies, antivirus and anti-malware applications. These additional detection tools should seek anomalous behaviors networkwide so corrupted machines can be found and cleaned all at once to eradicate the APT, he says.

The true size of APT infection is difficult to know because it is so stealthy. "Many CISOs have been operating on the assumption that since they didn't know of anything, there wasn't anything," Barrett says.

On the matter of PCI standards, he feels that businesses need more flexibility in implementing security measures that guard against identified threats. The standards, which have been criticized for driving the bulk of security spending at companies that must comply with them, could use some refinement, he says.

Overall they address important concerns and impose security measures that can only benefit network security, he says. "I simply do not believe that these absolute minimum thresholds will force you to do things you shouldn't be doing already anyway," he says.

But the standards are vague in some areas and too specific in others, he says. For example, under the regulations certain traffic requires stateful packet-inspection firewalls. "What if you used another technology that was the equivalent? Then you'd get in an argument with your QSA [qualified security auditor required by PCI]," he says. "PCI should be more risk-based with more options and less that is prescriptive -- it's both too prescriptive and too vague at the same time."

2011 is a good time for security professionals to help shape needed Internet-security laws, Barrett says. "Technology is not legislators' strong point," he says. "The industry needs to spend some time educating Congress and its staff on issues to ensure what they do makes computing and the Internet safer and not less safe. They need to avoid the law of unintended consequences."

The top issue they should address is enforcement of cybercrime laws. Theft of $10,000 worth of goods online using fraudulent credit cards is unlikely to attract an aggressive prosecution, even if prosecutors knew who did it. The same theft from a brick-and-mortar retail store would attract an aggressive investigation, he says. "It's not lack of interest. It's that prior cases have been based on financial loss. $10,000 is not enough." In prosecuting real-world vs. online crime, there should be no significant difference, Barrett says.

Barrett says the industry should also support creation of a presidential commission to study cybercrime and find out how much is really lost directly or indirectly to cybercrime. He says he's heard estimates ranging from $2 billion to $26 billion in the U.K. alone, and estimates as high as $2 trillion worldwide.

Along with that, the commission should assess how seriously other nations treat cybercrime. For example, he says many people say Russia doesn't investigate cybercrime because of corruption, but that isn't always true. "There may be problems, but it does prosecute and sometimes punishes," he says. The goal should be to figure out how to encourage more reliable prosecutions. "Like terrorism, we need to study other governments and see how seriously they'll treat it."

The Convention on Cybercrime, an international treaty signed by the European Union and the U.S., encourages international cooperation in prosecuting cybercrime and in setting up appropriate laws to do so. Signed in 2006, it doesn't yet have the teeth to be effective, Barrett says. "The mechanisms are 19th century," he says. "I've never seen a cyber investigator who asked for help [from another country] and got it in less than six months. The bureaucracy needs to be fixed."
