March 01, 2011, 8:08 PM — Stung by a high-profile denial-of-service attack in December, PayPal's CISO says application layer attacks remain a major threat to businesses in general, which need better defenses and actual testing of the DDoS tools they have.
"We need better planning as an industry," says Michael Barrett, the CISO of PayPal, whose blog site was knocked offline late last year by the political hacking group Anonymous.
During a recent interview with Network World about his major security concerns and priorities for 2011, Barrett also named advanced persistent threats (APT) as a major worry and called for legislation to improve Internet security. In addition, he says that the payment card industry (PCI) standards for protecting credit card information need some tweaking to give businesses more flexibility without hurting security.
But as for DDoS attacks, businesses need to plan defenses and confirm how well their live networks will handle real attacks, Barrett says, because tests in simulated environments don't scale large enough to adequately stress the defenses.
Another problem is that testing the actual network gets in the way of doing business. "We have to do more testing, but we haven't figured out how," Barrett says. "You can't shut off the Internet for a significant length of time."
As for APTs, Barrett says they pose two big problems: how to detect them, since they are typically hard to find with signature-based tools, and what to do about them once they are found. APT code is designed to burrow into networks and resist eradication, so even if one instance is discovered and cleaned, others remain to carry out malicious activity, he says.
A piece of malware found on a PC, for example, could be a simple virus infecting one machine or it could be the sign of something more sinister trying to steal intellectual property or customer records. An APT sent by a determined adversary likely means there is also a backdoor to let in more malware, he says.