Debating Cyber Warfare – Still more questions from .GOV (Part III)

In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:

In how far can international codes of conduct in using the digital domain contribute to increase Cyber Security? Can we learn from experiences with existing codes of conduct such as in the area of non-proliferation?

Fading national borders and de facto international routing of data traffic are a property of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when considering fighting cyber crime. This calls for Law Enforcement Agencies and Justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation amongst law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although not nearly as successful as we’d hope, they did have some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.

As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can provide some help with increasing security in Cyberspace. Consider the Law of Armed Conflict or the Universal Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.

Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional ‘weight’ associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the internet and proliferation is both virtually immediate and unstoppable.  

How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?

Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a better connection to the NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding and after looking at its Mission statement revolving around cooperation, I highly recommend our government does so. Aside from this centre, NATO’s own C3 agency has various endeavors with regards to Cyber Security that we here in the Netherlands might be able to get an advantage out of.

All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.

Linking Cyberspace and 4th Generation Warfare – Act Deux

After writing the article “Cyberspace and 4th Generation Warfare – A Marriage of Convenience” I received many questions and comments that really stirred the conversation. I’d like to further clarify some points and make some more links based on (among other things) observations stolen directly from John Robb’s blog. I hope Mr. Robb doesn’t mind my poaching his IP too much as I make my way forward in linking his theories to how I see the future of cyber conflict.

“Terrorists won’t use cyber…”
The first comment I received, and one that is likely to persist for some time, was that terrorists prefer -and will likely continue to prefer- the more kinetic approach to critical system attacks. I agree. However, my article was about the fact that those who wish to disrupt critical systems and services could (also) do so through cyber attacks. I will grant that these are unlikely to be the same people who are now attacking through kinetic means. This does not mean that cyber attacks on critical systems won’t happen. It is easily conceivable that online collectives such as Anonymous and LulzSec, who are known to harbour militant types, will eventually get bored with relatively innocuous attacks and start targeting digital weak points in critical infrastructure to get their point across. The fact of the matter is that collectives such as Anonymous have, despite the nuisance they have caused thus far, barely scratched the surface of the power they could wield.

The Diginotar attack, which is claimed to have been perpetrated by a single attacker calling himself ComodoHacker, is a prime example of how powerful cyber attacks can be when applied against critical infrastructure. This is asymmetric warfare at its finest. By cracking the security of a Root CA he managed to undermine all the systems (blindly) depending on it: Windows Update -thus bringing all Windows based systems within reach of compromise- and the entire Dutch government’s digital ID system for citizens, to name but a few. Whether this was a state-sponsored attack by Iran or the act of a single individual is still a matter of debate. The CEO of Comodo apparently believes that it was state-sponsored; the attacker himself claims that it was retaliation for the Dutch involvement at Srebrenica. Either way, the attack was a massive success and demonstrated the weak points in the CA system.

“How is Open Source a good example?”
I received some comments that made it obvious my reference to the Open Source community missed its mark a little, probably because I had to cut some corners left and right to keep the article from bloating into a whole thesis. I was referring to the underpinning philosophy from Eric S. Raymond’s Cathedral and the Bazaar, not to any end product, individual, group or community specifically. To be more specific, the following points have served both the Open Source community and the Global Guerrilla community very well. I’m sure they will do the same for cyber conflicts:

  • Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.
  • Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.
  • Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.
  • Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.
  • Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents swarming that both amplifies and protects.
  • Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.

“But what’s with this Bazaar business?”
In his book, Mr. Robb points out that you can essentially outsource Terrorism. There is a whole black “Terrorist Market” -or Bazaar- out there where you can buy or hire virtually every individual piece of a terrorism-puzzle, from engineers specializing in crafting IEDs to the people willing to plant them at a road or intersection. This has also been the case in cyberspace. You can visit a carder website to get yourself set up with a whole batch of stolen credit card and/or social security numbers, attend 0-day auctions to get the latest hacks or approach hacking groups to outsource the entire attack; everything is possible online in the Cyber Bazaar.

“Exactly what are our problems in Cyber Security?”
This paragraph was surprisingly hard to come up with, because for the most part “Cyber Security” is just a fancy way of saying “IT Security”. In other words: Most issues we see now are not new. They’ve been around for a long time: IT-clueless managers, poorly trained technical staff, snake oil security vendors, misconfigured systems, lack of insightful security strategy et cetera. Most of these topics have been debated on and written about ad nauseam -I’ve written quite a few myself- so I won’t be addressing these in this article. The trouble for me was to define what the difference really is between IT Security and Cyber Security, and to pluck out the issues specifically related to the Cyber part of Security. Surprisingly, not many remain. Because most ‘cyber issues’ are arguably just IT Security issues and a matter of scale, it is my belief that the remaining issues specific to Cyber are Societal or Organizational. In fact I couldn’t think of any particular IT issue that wasn’t an issue when we still called it IT Security.

Societal Cyber Issues
When I speak of Societal Cyber Issues, I refer to the effects on society when certain critical cyber systems go down. For instance: What happens in society when a hacker brings down the power grid? I’m strictly limiting this section to the philosophical side, not the resolution of detected issues, because these are Organizational issues (next paragraph). There are Master degree programmes specifically for writing scenarios such as these, and hiring these specialists will probably yield very valuable results. Of course, running (multi)nation-wide cyber scenarios is a great method for uncovering the societal and organizational issues too.

Organizational Cyber Issues
The organizational cyber issues are essentially the resultant “how do we fix this” issues derived from the aforementioned scenarios. Many organizations are -for instance- not at all prepared to respond to major, prolonged power outages. It is my belief that many companies will go belly-up entirely in such an event. Furthermore, these kinds of issues tend to stack, so multiple major problems can arise from one root cause. Good examples of relevant Organizational Cyber Issues can be found in environmental disasters such as Hurricane Katrina hitting New Orleans. Due to organizational failures, this major US city still hasn’t fully recovered.

Looking for solutions
Essentially we need to start thinking more in the terms of individual platforms. In his book Mr. Robb uses power generation and power distribution as an example. Currently we see “the power grid” as one big piece of critical infrastructure. In reality this can be separated into two concepts: Power Generation (power plants) and Power Distribution (power cables, transformer substations etc). Right now the system is heavily centralized, with power being generated at large concentrated plants and distributed one-way over the power distribution network. This system contains multiple weak points that can bring down large parts of the grid when attacked because of its centralized nature. Take down a major power plant or simply cut the right cable and you may black out an entire city.

In this scenario, major weaknesses can be eliminated by allowing individual homes to power the grid with their surplus energy generated from solar panels and windmills. This decentralizes the power grid by creating thousands of miniature power plants. This is only possible if you redesign the current power distribution network to accept two-way distribution. This is further eased by using Open Standards that enable everyone to ‘plug in’ their home’s power generator(s) using easily obtainable, non-proprietary hardware. This idea is not new. You can actually find several places that already have such a power grid, and citizens get paid for power they deliver to the grid (their meter simply spins backwards).

It is ideas such as these that we must explore if we wish to become more resilient against attacks on our critical cyber infrastructure. I would love to hear of examples, so if you know of any please contact me.

PFC Parts’ Delectable Cyber Security Shopping List

Over the last two years I’ve seen several outcries over the supposed great shortage in capable Cyber Warriors. But what does this mean, in terms of required skills? Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary’s network (CNA), engage in Cyber Espionage (CNE), reverse engineer malware and probably a bit more. I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. But realistically: Do you really need such heavily certified people at every position? And that’s not even going into the deeper issue of how capable these people actually are. After all, they may well have gotten through all these exams by just being really good studies (rather than actually understanding the material).

An article at NPR quotes a James Gosler who is, apparently, a ‘veteran cybersecurity specialist who has worked at the CIA and the NSA’, though they don’t explain what standards they used in determining his skills. In the article Gosler states that the US would need between 20.000 and 30.000 cyber warriors. It’s a number that keeps coming back, but it’s not really elaborated on in the article.

A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in Cyber Security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. CSIS uses roughly the same numbers as the article but mentions that there are a variety of people and skills involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:

High Priority
CISOs
Systems Operation and Maintenance Professionals
Network Security Specialists
Digital Forensics & Incident Response Analysts
Information Security Assessors

Medium Priority
Information Systems Security Officers
Security Architects
Vulnerability Analysts
Information Security Systems & Software Development Specialists

Low Priority
Chief Information Officers
Information Security Risk Analysts

 


Dutch Cyber Security Council Invested

As part of the Dutch National Cyber Security Strategy that was launched earlier this year, one of the two new entities has officially been stood up. On June 30th of this year, Dutch minister Ivo Opstelten (Ministry of Security and Justice) officially installed the Cyber Security Council. The council will be advising both government and private parties on relevant developments in the area of digital security.

The council will make a priority of IT threats, will look into the necessity for further research & development and will investigate how this knowledge is best shared between collaborating public and private parties. The council will also expressly look to basic values such as the importance of privacy or fundamental rights such as freedom of speech and gathering of information. The foundation of the advice the Council will supply will lie in public-private risk assessments. The first threat analysis in the area of Cyber Security will be expected in October this year.

According to this government publication (warning, Dutch) the Cyber Security Council has been assembled based on balancing the public, private and scientific community with a broad spectrum in relevant Cyber Security issues and angles. It will feature a dual chairmanship. The Council currently consists of the following members:

  • Eelco Blok, co-chairman of the Council, CEO KPN;
  • Erik Akerboom, co-chairman, National Coordinator for Counterterrorism;
  • Harry van Dorenmalen, on behalf of the IT suppliers, chairman IT~Office and Chairman IBM Europe;
  • René Steenvoorden, on behalf of the major IT end users, chairman CIO Platform and CIO Rabobank;
  • Frank Heemskerk, on behalf of the end users and SMEs, chairman of the ECP-EPN Supervisory Board and member of RVB Royal Haskoning;
  • Ben Voorhorst, on behalf of the vital infrastructure, operational director Tennet and member of RVB Tennet;
  • Professor Corien Prins, Tilburg University;
  • Mark Dierikx, DG Energie, Telecom and Competition, Ministry of Economic Affairs, Agriculture and Innovation;
  • Mark van Nimwegen, Board of Prosecutors General, cyber crime portfolio holder;
  • Professor Michel van Eeten, TU Delft;
  • Major General Koen Gijsbers, Chief Director Information Provision and Organisation, Ministry of Defence;
  • Professor Bart Jacobs, Radboud University Nijmegen;
  • Ruud Bik, KLPD Chief Constable;
  • Jan Kees Goet, deputy Head AIVD.

The installation of the Cyber Security Council acts as a prelude to the investment of the National Cyber Security Centre, which is to be made operational on January 1st, 2012. The NCSC is to be the operational centre of knowledge and expertise brought together by a collaboration between the public and private sector. Though it is absolutely a positive development that the Cyber Security Council has been made operational so quickly, it is sad that the Dutch government did not provide a public course for other interested parties to participate. Obviously the first batch of members has been hand-picked and as such it could hardly be called a democratic process. Let us hope that this is changed rapidly so that more parties with experience in Cyber Security and Cyber Warfare can start assisting the Dutch government.

 

Security Awareness and Why Things Aren’t Improving

Earlier this week news broke of Google’s interruption of a large-scale phishing expedition, which alluded to some state involvement of China. This inspired a host of experts to write about it and J Oquendo’s article on InfoSecIsland inspired me to write mine. In his article Mr. Oquendo asserts that it’s remarkable (read: stupid) that US officials still seem to be using commercial email services such as GMail for exchange of security sensitive and sometimes mission-critical information, instead of using the available high-security services offered by the US Government that they should be using. In this day and age, with a nearly constant barrage of security breaches in the news, people don’t seem to be getting any more aware of security issues.

In the area of User Security Awareness, things aren’t improving at the pace they should. The Internet (and related technology) is not New anymore. While the usage of internet technology has grown exponentially over the last decade, its users have not grown much wiser in terms of security. Largely this is because the common online populace simply does not see the danger in having their online identities compromised; it’s too abstract a notion for most people. Until the very real and practical downside of getting compromised hits them on the nose, they won’t care. There is a whole industry revolving around protecting you and recovering you from identity theft, and that is both a blessing and a warning. The many problems a person can experience from being a victim of Identity Fraud can take years to resolve. Years during which you are most likely to have bad credit (even when the bank knows you’ve been victimized!) or even be in debt for thousands of dollars for purchases you have never made. Living through such an experience is probably a real eye-opener, but we can hardly put everyone through such an ordeal just for security’s sake.

Provided all your friends would actually listen to sage advice, what would you even tell them?

Dutch National Cyber Security Strategy – Blessing or Curse?

Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well, this document has finally arrived, and can be found here (PDF alert – Dutch). It’s a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend on the commercial interests, partake in the various international initiatives pertaining to Cyber and don’t rock the boat too much (cost-wise).

The document outlines the following starting points:

  • Connect and Strengthen existing initiatives
  • Invest in Public-Private collaborations
  • Personal responsibility (referring to end users protecting their own systems)
  • Division of Responsibilities of the various Departments
  • Active international collaboration
  • All actions to be undertaken are proportional
  • Self-regulation if possible, legislate if not

The list obviously isn’t anything new or exciting and has the added value of being very low-cost or even free. It’s about what you’d expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:

Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centers: The National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its executing branch, and act as a place where information, knowledge and expertise are shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaboration model to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.

Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat and risk analyses so that they can chart weak spots and strengthen the segments that need fixing. The AIVD and MIVD (Dutch Intelligence communities) will contribute their knowledge and, if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.

Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the ‘old days’ called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be updated in 2011 to accommodate various new factors. Through the following measures, the government hopes to create more Cyber Security momentum:


Cyber Warfare Semantics – Can’t we all just get along?

A great many people (expert and layman alike) have been fighting a war on Cyber Warfare semantics these last few months. Some argue that Cyber Warfare is really nothing more than cyber espionage, others even completely dismiss the notion that Cyber Warfare exists. Regardless of your opinion, Cyber Security in general and Cyber Warfare specifically are the talk of the town. Books are written, blogs are typed up and experts roar their opinions from every soapbox they can find. But what’s the point?

Cyber Warfare only covers military networks
Every security expert worth his salt will agree with the simple statement that Network and Systems security permeates every aspect of today’s society, and it is woefully underappreciated. Everyday life is controlled by all kinds of systems that find themselves connected to the internet, whether they should be or not. To think that this fact has gone unnoticed by military leaders all over the world is simple folly, and it is demonstrably false. Based on books about asymmetrical warfare such as Unrestricted Warfare (Q. Liang & W. Xiangsui, 1999), there is much to say about targeting civilian systems during times of war, and so it would be unwise to think that only military networks would be targets during a cyber war.

Cyber Warfare is really just Cyber Espionage
Some people argue that Cyber Warfare is just digital espionage, and at best we could call it Cyber Espionage. This is probably based on China’s numerous cyber espionage operations, but to think that this is the limit of what cyber warfare can do is naive. Even though there is no definitive proof -always a key issue in everything cyber- that it was Russia, those DDoS attacks on Georgian government websites at the same time their tanks came rolling across its borders were timely to say the least. It could also certainly be argued that Stuxnet was politically motivated. Seeing as how War is the “continuation of Politics by other means”, this means it falls within the realm of cyber warfare.

Cyber Warfare doesn’t exist
This is the Big One; the Big Denial. It’s generally backed up by saying that the Cyber Warfare terminology is (mis)used to pull in a larger piece of the government budget, or to cede more control to the military. In some cases I’ve even seen this statement followed by several reasons that confirm that Cyber Warfare does exist, but that we shouldn’t call it that because it has such ‘negative connotations’. But when 150+ countries worldwide are ramping up their militaries to deal with Cyber Warfare, what is the point of such semantics? Sure, it can be argued that Cyber Warfare is nothing more than IT Security with a military flavor. In many ways it is. But is not the application of use most prevalent in determining the meaning of an action? Is intent not the determining factor in a Murder or an Accident, the factor that turns a kitchen knife into a murder weapon? The same can be said for guns. One man using a gun to kill someone is murder. When battalions of two or more nations engage each other for political motives, this turns it into War. The same reasoning can be applied to IT Security: If it is used by one nation state to further its political will upon another nation state, this is Cyber Warfare.

IT as a sector has historically been the realm of Geeks, Nerds and the Socially Awkward. You may not like it or agree with it, but this has been mainstream consensus for decades (though it is declining as technology becomes more common). IT Security as a specialization has historically been the realm of the Paranoid and the Technically Gifted in IT. You may not like it or agree with it, but this group is generally considered the Nay-Sayer of the IT world (though it is declining as Security becomes more important with the rise of internet connectivity). Cyber Warfare is a fringe area. A niche; a specialization in a specialization. Information Security is poorly understood by the mainstream populace, a fact well evidenced by the digital exhibitionism taking place on the various social networking sites. In fact, it is even poorly understood within the IT sector itself. How is the mainstream populace ever to understand how important Security is, if we can’t even reach consensus amongst ourselves?

I feel that it is important that all of us should stop arguing over Semantics and start working together constructively. It is important for the IT sector as a whole to form a united front if we are to positively influence the security habits of those who we aim to help.

Monetary Value per System Owned – The Evolution of Endpoint Attacks

Recently some people working for a client of mine expressed the sentiment that they felt that their business wasn’t a target for an actual hacker (as opposed to automated attacks). This despite the fact that they had been attacked on two different occasions in a manner that indicated it was the same (thankfully clueless) attacker. Also, the company in question is doing business in a field that seems especially ripe for the proverbial plucking; a lot of money is being made by virtually every player there. One would think that security would be a bigger issue for these folks, but apparently the message hasn’t fully landed everywhere.

This got me thinking about endpoint security and how incredibly understated (and often underestimated) the need for security is on these machines. In many companies it is the largest group of machines in the network, owned and operated by the least technically skilled and security-ignorant users in the company, yet most companies consider the protection of these systems as an afterthought. “Just install AV, Jimmy. That’ll do!” they say, and turn back to tweaking their firewalls (if you’re lucky).

At the same time, an attacker simply lures the gullible users to a specially crafted malicious website or sends out a mass mailing of an infected PDF. Despite having been told thousands of times before not to open attachments from people you don’t know (or that you don’t expect), you just know that someone will do it anyway. And really, all it takes is a single user to take leave of their senses to create a backdoor into your network. I would also like to point out, because this thought seems to float around a lot, that no amount of Group Policy settings will change the outcome. What you need is user sensibility and proper endpoint protection.

Considering the above point and observing the evolution of the purpose behind botnet malware, it becomes clear that the shift is financially motivated. A few years ago botnets were used mostly for DDoS purposes, but since then there has been a change towards monetary gain. From basic DDoS, the botnets were deployed to make money through click-advertisement programs and surfing behavior studies. After that came the stealing of financial information, often leading to credit card fraud, and identity theft. Currently we’re seeing the re-emergence of ransomware, where user data is being held hostage until the user pays a certain amount before a deadline. If they don’t pay, their data is lost forever.

The criminals involved (often organized crime) seem to be refining their strategy. Where they once made relatively small amounts with a large number of systems they now aim to make a larger amount per system. Essentially they realized that there is a Monetary Value per Owned System, and by becoming more efficient they are raising that value per system to maximize profits.

This idea swam around in my head for a while. What would I do to make the most money? If the idea is to squeeze the most cash out of each system, then we should be looking for the systems that have the most potential cash to be stolen. For me, this ruled out the average internet user. You’d have to be very lucky to stumble onto a rich and clueless target, there just aren’t that many around. Also, how would you know that your target is actually wealthy?

The answer was simple: Companies. Companies usually have deeper pockets than the average internet user and the ways to exploit them are myriad: extortion, data theft, corporate espionage, credit card fraud; you name it. There’s another upside to this approach: most companies deploy their workstations through imaging. That often means that if one workstation is vulnerable to a certain attack, chances are good that the other workstations in the network are too. More targets mean more potential access to the information I’d want. Also, in most cases the users of said workstations are a lot less motivated to be secure; it’s not their workstation and it’s not their money.

Following this logic, the future of corporate security looks grim. Workstations are a hell of a lot more tempting a target than any server; they are easier to crack and there’s a lot more of them. Administrators need to realize that attackers (both real and automated) won’t attack the shield you hold up, but rather go after the target behind the shield in any way possible. This means that the hard-shell/soft-interior methodology in securing a network is dead, and actually has been so for quite some time.

Endpoint protection will remain the name of the game, and what software vendors are doing right now isn’t working. It’s a failing approach, something that’s becoming increasingly obvious with each new report of a major breach. A change needs to be made before Organized Crime realizes its full potential.