DomainTools is in the business of helping companies assess and protect against cyber threats. As such, it would be more than a little embarrassing if the company itself fell victim to such a threat. The job of making sure that doesn’t happen falls largely on its CTO, Dr. Bruce Roberts. He heads up the IT group for the firm, wrote the company’s security policy document and is heavily involved in security training. But, as he’s quick to point out, ensuring security really involves everybody in the company, as it should in any enterprise.
The Enterprisers Project (TEP): How do you get across the notion that security isn’t just an IT issue, that everyone is responsible in some way?
Roberts: I started pitching it to the company as, “We’re in the security space, we’re targeted. Do you want to be the employee whose laptop is compromised, leaving our CEO to have to go to a press conference about a breach of customer information?” I say this nicely, but people sit back and think, “Yeah, that’s probably not a good thing.” So that helps.
People want to do the right thing. They want to do their jobs well; they don’t want to be the person responsible for a breach. So you have to educate them and provide information in multiple forms. We do written documents, presentations, posters. We talk about breaches as case studies. I work closely with everybody here and the executive team to develop these policies and processes not in a vacuum but to get their support, so they can then bring the policies to their reports.
I also publicize specific phishing attacks. For example, there was a W2 scam going around, where people were sending emails to HR saying, “Please send us all the W2 forms.” We were targeted, but our HR manager, who’s been through the training I give, immediately brought it to my attention and knew exactly what it was. I made sure the rest of the company knew about it as well, so they understand the danger is real.
TEP: What kinds of things are in your policy manual that may be unusual?
Roberts: If you receive a USB stick at a conference as schwag, it doesn’t go on to our corporate computers. You bring it to me and I destroy it, because there are a lot of infection vectors that can come in through USB sticks. That’s probably the most unusual one.
TEP: What do you see as the largest threats looming on the security horizon that enterprises aren’t really talking about yet?
Roberts: One is adaptation. We see this on a regular basis. The bad guys change the way they do certain things when they know they can now be caught. We don’t talk a lot about how the other side has a lot of really smart humans and they’re going to evolve and change as [defense] systems change. Any product, any algorithm you build, any research method you use, has to understand that’s the case.
TEP: What do you do about that? How do you deal with it?
Roberts: You have to not rest on your laurels and think you’ve got a great system protecting you, and that you don’t have to continue to hunt for new techniques. As the individual responsible for internal security, I have to look for new anomalies or behaviors in my network and in my users’ computers that I haven’t seen before. You also have to to continue to pay attention to information out there about breaches that occur. You need to be able to understand this is a new novel technique that someone used to attack a company and make sure you understand how to protect against that.
The other thing that’s really a challenge is the sheer scope of vulnerabilities. It may get to a point where I can’t buy an unconnected fridge. That means, as an industrial user, maybe I’ve got fridges floating around in my enterprise that are connected to the network. Now I’ve got all sorts of little things in my enterprise to worry about. The Internet of Things is not just about the home – it’s about everywhere. So that’s going to bring additional vulnerabilities into enterprises that they may not think very carefully about. And sheer scope – there’s so many things out there with software in it that can be vulnerable and can be abused.
TEP: You ask employees to send you any phishing emails that you get, so you can examine them. Is there anything new or interesting you’ve been seeing lately?
Roberts: We see more targeted emails, more spear phishing than just phishing. It’s interesting the things that sometimes give it away, like using the wrong form of somebody’s name, maybe “Robert” when the employee always goes by “Bob.” We’ve had emails like that addressed to our VP of finance and our HR manager. But they’re trained to look for oddities and so immediately saw these as suspicious. Those are the things that suggest the training we do is valuable.