ExecutiveBiz recently spoke to Steve Hawkins, VP of Information Security Solutions at Raytheon. He told us about his company’s offerings in Information Security, what makes a good cyber warrior, how to recruit and retain the best cyber talent, and what every executive needs to know about cybersecurity.
ExecutiveBiz: What makes a good cyber warrior?
Steve Hawkins: We are looking for individuals with software, hardware or engineering work experience, someone who understands the interworking between the software and the hardware, in other words what lies between the operating systems and the computer hardware itself. Let me contrast that a bit. If you look at most software engineers today, they use higher level languages that have been developed so that they can write at an application layer very efficiently. If you look at where malware gets embedded in systems and where it attacks, it is where the operating system interacts with the hardware. What we try to do is get individuals who have built operating systems, individuals who have done rigorous testing at that level, including stress testing: pushing things until they can’t operate any more, individuals that understand the inner workings of the microcode between the hardware itself and the software at that level. I always tell people that if you look back 15 years at how you could create software with assembly language in machine code, it’s almost that skill-set.
ExecutiveBiz: What are some of the tools in a cyber warrior’s arsenal?
Steve Hawkins: They are the tools and the techniques that it takes to assess vulnerabilities in systems. Everything is designed for an intended purpose, but nothing is designed perfectly, and it is through those unintended functions where hackers will hack into the system. We have quite good automated software tools for going into those basic levels of hardware-software interaction and finding vulnerabilities on a really large scale. Part of it is training individuals to use those tools to be able to go in and find those vulnerabilities, determine if someone is exploiting them, and look for ways to basically fill up the hole that they’ve found so that no one can hack into your system.
ExecutiveBiz: What do you think is the most overlooked aspect of cyber security?
Steve Hawkins: I think there has been much more emphasis on protecting networks from the outside threat, and I think there needs to be more emphasis on the insider threat. Insider threats can be malicious, but they can also be unintentional. Once someone has penetrated from the outside and is in your network, they have become an insider. Being able to monitor that inside activity is very important.
ExecutiveBiz: What is the best way for businesses to protect against those insider threats?
Steve Hawkins: We actually have some insider monitoring software that we use as a host-based software that goes on every machine or laptop and is based on a set of policies or rules. It will monitor the activity of individuals across your organization and make sure they are adhering to the policies that you have put in place. Let me give you an example: if you came in and denied the use of a memory stick inside your organization, you’ve got to have something on the computer that will monitor if someone attached a memory stick to it or hooked an iPod up to charge when they weren’t authorized to do so. A little more sophisticated policy is you will allow a memory stick, but you won’t allow any proprietary information to be moved to it. You have to have the policy set around files and file areas where proprietary information is stored and you can detect when any of that activity takes place. The reason we are host-based on local machines is that the alternative is to do network monitoring, where you can only monitor transfers across the network. If someone were to disconnect their computer from a network and download files to a thumb drive or if they were to do the disconnect from the network – encrypt some proprietary data, put it in a new file name, then re-connect and transfer it off-site – monitoring at the network level won’t catch these types of issues. It is important that your monitoring is based in the host environment and it’s essential that you have a clear set of policies that really deter the activity that you want to prevent, and effectively regulate and monitor who can share what information with whom. Only then can you address that problem – whether it is inadvertent or malicious. You can see that activity and it will set flags and on a particular capability as a forensics platform, but then you can go examine the activity just like a DVR. You can replay every mouse click, every movement they took so you can see exactly what was going on. You can really see the intent. Was it malicious or was it just an accident?
ExecutiveBiz: What would you say your ratio of government to commercial clients is for this particular service?
Steve Hawkins: It is 80% government and I can tell you that we are the selected solution for the focused observation by DISA for all of DoD. I can’t mention them by name, but we also support a number of Fortune 1000 companies. Let me give you examples of what the commercial sector uses our services to accomplish. They are interested in issues like are there buyers in cahoots with their suppliers, or is someone sending their critical pricing information out to a competitor, or is intellectual property making its way out the door for some of these activities. That’s the kind of applications that the commercial side is interested in.
ExecutiveBiz: What advice can you give to other companies on how to recruit and retain the best talent in cyber security?
Steve Hawkins: I believe that the individuals that you want to recruit and retain really desire to have a work environment much like the old dotcom environment. We’re sitting here as a major defense contractor; you wouldn’t think that a defense contractor could do that. Our approach to this is we bring these individuals in and we’ll create work cells that are very reminiscent of what you would have seen in a start-up environment: You demand excellence, but you give a little freedom of dress and hours and activities, snacks and things like that. If you can create that kind of environment, you will attract this type of individual.
ExecutiveBiz: What advice can you give to other corporations on how to effectively manage their personnel and training programs to avoid these kinds of leaks?
Steve Hawkins: The most significant threat to corporate America is individuals opening attachments on emails without paying attention to who is sending it to them. That’s where most malware comes from. Of course the antivirus scanners will catch a lot of things, but if it is something new, antivirus scans won’t catch it. From what I’ve seen, we only catch 25 percent to a third of malware. If someone opens that attachment, then they’ve been compromised, and they can compromise other places in your network. I can tell you what we do within our own company: We have an online training module that takes about 50 minutes to go through and every individual goes through that once a year. It addresses all of the low-hanging fruit or the things that you need to look out for or the things that you can do that will eliminate most of that threat. It does make the workforce conscious not to open something from an email address that is a little bit off or from someone that they just don’t know. A little education goes a long way, and we can do it online and with a little quiz at the end that they need to pass to make sure that they really went through it. That type of activity is not difficult to implement, but it pays big dividends.
ExecutiveBiz: What do you think is one thing that every executive should know about cyber security?
Steve Hawkins: The threat today is all about social engineering. The phisher sending those attachments that I talked about wants to find out that you went to a conference, and you were on the mailing list of that conference, so they can get that mailing list and pick five names from it, create an email address that looks something like theirs, and start sending you emails with malware attached. Everyone should be aware at the executive level of the very real threats to their organization and their employees just in their interaction with others. You can’t not interact; you’ve got to do that, but you should be conscious of that type of threat.
ExecutiveBiz: What is something that most people don’t know about you?
Steve Hawkins: I have an engineering background, but since I work out of Texas now and have business operations all over the United States, most people don’t know that I grew up in Charleston, West Virginia. That’s always a surprise to people and we talk about it and just the different experiences there.