BayPay Forum
'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?

Category: Security News

ATM Fraud, Fraud

Asian Banks Get Stung; Expert Predicts More Attacks

Jeremy Kirk (jeremy_kirk) • August 31, 2016

ATM in Bangkok. Photo: nist6dh (Flickr/CC)

Daniel Regalado, a FireEye senior staff malware researcher, had a feeling something was going wrong somewhere in the world when he saw the alert: A never-seen-before type of malicious software designed to steal money from ATMs had been detected.


An hour later, the first news report arrived: Three groups of men had scattered through six provinces in Thailand, commanding 21 ATMs to disgorge a total of 12 million baht ($350,000). (See New 'Ripper' Malware Fueled Thai ATM Attacks.) The incident had an eerie familiarity: In mid-July, $2.2 million was stolen from dozens of ATMs in Taiwan in a flash strike that sent shivers through the banking industry (see Taiwan Heist Highlights ATM Weaknesses).

Regalado, an expert in ATM malware, has watched as cybercriminals have had astounding ATM-draining success in countries such as Mexico and Ukraine. The attacks have highlighted the failings of some banks to secure their ATMs, most of which still run Microsoft's retired Windows XP operating system.

FireEye's alert was generated by a custom system it has developed that quickly classifies malware uploaded to Google's VirusTotal repository by its intentions. VirusTotal indicated that the malicious file, nicknamed "Ripper" by FireEye, had been uploaded from Thailand.

"It was like a movie, but it was real," Regalado says. "An hour later, I started seeing the news. I said, 'Wait a minute. Thailand.'"

One-Card Jackpot

Ripper isn't that different from other kinds of ATM malware, Regalado says. The aim of such programs is generally to direct the machine to dispense its cash, via what's often referred to as a "jackpotting" or "cash out" attack.

But the new malware has some key characteristics that link it to reported observations of the criminals in Thailand and Taiwan. News reports have indicated that the thieves used the ATM like anyone else, inserting a payment card into the ATM's slot. Regalado, who wrote a blog post detailing Ripper's innards, quickly suspected that Ripper was used in both incidents.

Digging into Ripper's code reveals what is going on. The criminals use EMV payment cards that have been encoded to authenticate the card to malware that's already been installed on the ATM. The chip says to the malware: "I'm here. Let's drain this machine."

Once an attacker inserts a special EMV card, the malware grants them access to a range of functions. By entering preset codes into the keypad, they can access a menu of options, including dispensing currency. There's also a twist to the malware: It disables network access to foil real-time anti-fraud detection systems on the bank's side.

Ripper's code doesn't indicate how it's installed on the ATMs, Regalado says. But the malware-distribution method became clear after one affected ATM vendor, NCR, provided the most detailed information yet on the Thailand attacks.

NCR says the network of Government Savings Bank, one of Thailand's largest financial institutions, was breached. Once the attackers were inside the bank's network, they delivered Ripper malware to ATMs via the bank's software distribution tool, built by InfoMindz. After related ATM heists were spotted, the bank reportedly shut down 3,300 of its NCR-built ATMs, which comprise nearly half of its 7,000-machine fleet. The bank says it expects to have the ATMs scrubbed and back in service in September.

One Ripper For All

Both FireEye and NCR have confirmed that Ripper is compatible with ATMs made by two other major vendors aside from NCR, although they have declined to identify the other two vendors. As far as ATM malware goes, Regalado says Ripper is unique because it works with all three vendors' ATMs with no customization.

All ATMs support APIs known as XFS, for Extensions for Financial Services, which is a middleware specification that defines how hardware on ATMs - including text displays, card readers, PIN pads, safes and dispenser units - talk to the host Windows operating system, Regalado says.

ATM vendors often run their own customized version of XFS. The developer of Ripper coded the malware against the public XFS specification, which lets it work across the three vendors' ATM software and, for example, talk directly to the cash dispenser.

Regalado says a way to stop this problem is to restrict ATMs' XFS implementations from talking to other XFS interfaces. "That way, these guys should not be able to just play with the standard," Regalado says.

Unfortunately, when an attacker issues a request via the XFS interface to dispense money, anti-virus software won't flag that request, Regalado says, because it looks like normal behavior. What needs to happen, he says, is for ATMs to begin authenticating interfaces, so that requests made by a new XFS interface would by default be blocked.
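The mitigation Regalado describes, authenticating the component that issues an XFS request and blocking privileged commands from any provider not on a known list by default, can be sketched as a small simulation. This is an added example written for this page; it is not FireEye's, NCR's or any ATM vendor's code, and it does not use the real CEN/XFS API. The request names, the allow-list keyed on a SHA-256 of the calling module, the `measure_module` helper and the audit log format are all constructed for the illustration.

```python
"""Simplified model of an ATM middleware dispatcher that authenticates the
service provider issuing XFS-style requests before honouring them.

Added, illustrative code: not the real XFS API and not any vendor's
implementation. All names and values below are constructed."""

import hashlib
import hmac
from dataclasses import dataclass, field


def measure_module(module_bytes: bytes) -> str:
    """Hypothetical loader hook: the integrity measurement of a module is the
    SHA-256 of its bytes. A real deployment would rely on code signing or a
    verified boot chain rather than a bare hash."""
    return hashlib.sha256(module_bytes).hexdigest()


# Constructed allow-list: the only providers permitted to drive the dispenser.
TRUSTED_PROVIDERS = {
    "vendor-dispenser-sp": measure_module(b"vendor dispenser build 4.2 (constructed)"),
}

# Commands that move cash or change device state; everything else is a query.
PRIVILEGED = {"DISPENSE", "OPEN_SHUTTER", "RESET_DEVICE"}


@dataclass
class XfsRequest:
    provider_name: str    # name the calling module claims
    provider_digest: str  # measurement of the calling module, supplied by the loader
    command: str
    args: dict = field(default_factory=dict)


@dataclass
class Dispatcher:
    audit_log: list = field(default_factory=list)

    def _authenticated(self, req: XfsRequest) -> bool:
        expected = TRUSTED_PROVIDERS.get(req.provider_name)
        if expected is None:
            return False  # unknown name: default deny
        # constant-time compare so a wrong digest cannot be probed byte by byte
        return hmac.compare_digest(expected, req.provider_digest)

    def handle(self, req: XfsRequest) -> str:
        """Return "OK" or "BLOCKED". Privileged commands require authentication;
        status queries pass through unchanged."""
        if req.command not in PRIVILEGED:
            return "OK"
        if self._authenticated(req):
            self.audit_log.append(f"ALLOW {req.provider_name} {req.command} {req.args}")
            return "OK"
        # A module the bank never installed asking the dispenser for cash is
        # exactly what a jackpotting tool does: block it and record an alert
        # that the bank's monitoring can pick up even if the ATM's own network
        # access has been tampered with.
        self.audit_log.append(
            f"ALERT unregistered-provider {req.provider_name} {req.command} {req.args}"
        )
        return "BLOCKED"


def run_demo() -> dict:
    """Exercise the dispatcher with the legitimate provider, an unregistered
    module and a module spoofing the trusted name with a different digest."""
    d = Dispatcher()
    trusted_digest = TRUSTED_PROVIDERS["vendor-dispenser-sp"]
    rogue_digest = measure_module(b"some other module (constructed)")
    results = {
        "trusted_dispense": d.handle(
            XfsRequest("vendor-dispenser-sp", trusted_digest, "DISPENSE", {"amount": 100})
        ),
        "unknown_dispense": d.handle(
            XfsRequest("unlisted-sp", rogue_digest, "DISPENSE", {"amount": 100})
        ),
        "spoofed_name_dispense": d.handle(
            XfsRequest("vendor-dispenser-sp", rogue_digest, "DISPENSE", {"amount": 100})
        ),
        "unknown_status_query": d.handle(
            XfsRequest("unlisted-sp", rogue_digest, "GET_STATUS")
        ),
    }
    results["alerts"] = sum(1 for line in d.audit_log if line.startswith("ALERT"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is the default: a request from a provider that is not on the list is refused without any knowledge of what malware looks like, which is why this complements rather than duplicates anti-virus. The audit log entry is written locally so it survives the malware's trick of disabling the ATM's network access and can be collected later.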

Cataloging ATM Weaknesses

ATM malware has been around since 2009, when Kaspersky Lab discovered malicious software called Skimer. But what is significant about the Taiwan and Thailand attacks is that both involved crews of criminals hitting fleets of ATMs, which had been pre-infected with malware, in coordinated strikes.

Experts have warned that ATMs have long been a weak point in the banking infrastructure. The use of the aging, embedded versions of Windows XP is one major problem, although that is not exclusively to blame.

Because ATMs are computers, the devices face various computer-attack vectors, including cracking open the lock to gain access to a USB port and exploiting insecure network configurations. Other attacks, meanwhile, have included dragging ATMs out of walls using chains attached to pickup trucks and later cracking open the interior safes with power tools. Some robbers, meanwhile, simply pump explosive gas into the machine.

Thieves blow up an ATM at a gas station in an attempt to steal cash.

It's time-consuming and expensive to upgrade or replace ATMs, so it's not surprising that criminals are finding success in far-flung locales where the banking infrastructure and related security practices may be less advanced.

FireEye's Regalado predicts more attacks will soon come. Even if cybercriminals who attempt to gain access to ATMs via a bank's internal network strike out, there are other potential weaknesses to exploit. Criminals can always attempt to recruit bank employees and ATM technicians, not least in less-developed countries.

"It is not only that those countries are running old machines, it is also easier in those countries to hire people to install the malware," Regalado says. "That is a perfect combination."


Defending the Inside and Outside of Data Centers

Category: Security News

Data centers aren't easy to secure, which makes them big targets for hackers. And it's challenging for defenders to keep abreast of near-constant changes in applications and data.

Defending the perimeter of the data center has been a major focus for information security teams. That's important, but keeping track of what's going on inside is also key, says Nathaniel Gleicher, a former U.S. government official who is now head of cybersecurity strategy at Illumio.

In an interview with Information Security Media Group, Gleicher says the best advice comes from Rob Joyce, who is head of the National Security Agency's Tailored Access Operations unit, which specializes in infiltrating networks. Joyce spoke at the Usenix Enigma computer security conference in January. "Sophisticated attackers know the data center, know their target network better than the defenders," Gleicher says. "If the attacker knows your network better than you do, you are already on your back foot and in a very, very difficult position."

Data center administrators have an advantage, though. They control the turf, and there are lessons that can surprisingly be taken from physical security, Gleicher says. A key first step is knowing the data center well and where the most sensitive information is located. Gleicher says no one would try to protect a physical space without a map, yet few organizations have a clear map of what's inside their data center.

"You would never try to defend something you couldn't see, and yet that's generally what we do in the context of cybersecurity," Gleicher says.

In this interview, Gleicher also discusses:

  • Why defending the inside of the data center is just as important as defending the perimeter;
  • Why it's important to understand what's going on inside the data center, creating order from chaos;
  • The importance of segmentation, which can block hackers from moving around if they get inside.

Gleicher is head of cybersecurity strategy at Illumio, which specializes in securing data centers and cloud computing applications. Previously, Gleicher was director for cybersecurity strategy on the National Security Council at the White House. The attorney also formerly served as a federal cybercrime prosecutor with the U.S. Department of Justice.


US CIO: Federal Funding Process Played Key Role in OPM Hack

Category: Security News

The way the U.S. federal government funds information technology served as a major contributor to last year's breach of computers at the Office of Personnel Management that exposed 21.5 million records, many of which included personally identifiable information of employees and contractors with security clearances, says Federal Chief Information Officer Tony Scott.

Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. "It's a culture of, what I call 'set it and forget it,'" Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. "Go put something in, and then assume your work is done."

Scott says that approach was in play at OPM. "What you have is a recipe for high costs, cost overruns, projects that can't be completed or difficult to start and the whole litany of things that we all know historically have been true," the CIO says. "And, indeed, in OPM we found exactly that. We found there, and across the federal government, when we looked at it, projects that could have been done in one or two years were taking 10 years to do because they couldn't put together enough funding in one budget cycle or two budget cycles to do the needed work.

"And, you know what happens in 10 years: Management changes, priorities change, talent changes, all kinds of things change. So, any project that will take 10 years to do, probably is destined to failure."

In this report, you'll hear Scott:

  • Describe a $3 billion Obama administration initiative to seed a fund that will allow agencies to borrow money to modernize their information technology;
  • Discuss government guidance that requires agencies to be more diligent in assessing IT risk; and
  • Defend OPM's leadership during and after the breach, pointing out that it was the implementation of an IT modernization program that enabled the agency to identify the breach.

Before President Obama tapped Scott to be chief information officer of the United States in February 2015, he led the global information technology group at VMware. Previously, he served as CIO at Microsoft and The Walt Disney Co. and chief technology officer of information systems and services at General Motors.


Vint Cerf's Outlook for the Internet He Helped Create

Category: Security News

Internet pioneer Vint Cerf sees a secure future for the network of networks he helped create four decades ago as the co-developer of TCP/IP, the protocol that facilitates internet communications.

"We're much more conscious of the need to make the system more secure than it has been," Cerf, Google's chief internet evangelist, says in an interview with Information Security Media Group. "And there's a lot going on in the Internet Engineering Task Force [an international community of network designers, operators, vendors and researchers] to achieve that objective. And I anticipate in the course of the next decade or so that we will actually see a lot more mechanisms in place in order to enhance security and privacy and safety."

But if internet security isn't improved, Cerf says, "people will decide it's not an environment they find worthy of trust, in which case they'll look for something else. Maybe, something will replace the internet that's more secure than it is today."

And, what would that be?

"I have no clue," Cerf answers.

In the interview, conducted after he delivered the Aug. 30 keynote address at a symposium on exploring the dimensions of trustworthiness at the National Institute of Standards and Technology headquarters outside Washington, Cerf discusses:

  • Balancing security with ease of use in creating new technology;
  • How vulnerabilities and threats that lurk over the internet influence its development; and
  • The concept of creating separate internets to enhance security, safety and reliability.

Cerf has been vice president and chief internet evangelist at Google since October 2005. He's responsible for identifying enabling technologies to support the development of advanced, internet-based products and services. Previously, Cerf served at MCI, the Corporation for National Research Initiatives, the Defense Department's advanced research agency known as DARPA and as a member of the Stanford University faculty. He and his colleague at DARPA, Robert Kahn, received the National Medal of Technology from President Bill Clinton in 1997 for founding and developing the internet.


'Guccifer' Hacker Sentenced to 52 Months

Category: Security News

Data Breach, Data Loss, Fraud

Romanian Demonstrated Vulnerability of Web-Based Accounts

Jeremy Kirk (jeremy_kirk) • September 2, 2016

A 44-year-old former Romanian taxi driver with few hacking skills but a knack for guessing his way into the email and social media accounts of celebrities and politicians has been sentenced to serve 52 months in U.S. federal prison.


Marcel Lehel Lazar, who went by the online nickname "Guccifer," pleaded guilty May 25 in U.S. District Court for the Eastern District of Virginia to aggravated identity theft and unauthorized access to a computer.

Lazar's escapades drew attention to the vulnerability of web-based email accounts through low-tech attack methods. He targeted Gmail, Yahoo, Facebook and AOL accounts used by nearly 100 prominent people, gaining access through weak passwords and then accessing their correspondence.

At Lazar's Sept. 1 sentencing, U.S. District Judge James C. Cacheris said a tough penalty was merited to serve as a deterrent as the U.S. grapples with ongoing cyberattacks, according to The Washington Post (see The Myth of Cybercrime Deterrence).

Among the victims were former Secretary of State Colin Powell and the sister of former President George W. Bush. Lazar released emails and sensitive information from accounts, and in the case of Bush, photographs of self-portraits he'd painted, including one of himself in the bathtub.

Lazar also revealed that Democratic presidential nominee Hillary Clinton used a private email address while secretary of state, fueling a continuing email scandal that plagues her campaign.

Repeat Offender

U.S. prosecutors indicted Lazar in June 2014 just after he was sentenced to four years in Romania for similar offenses. His targets in that country included the former director of Romania's intelligence service, George Cristian Maior.

He was released early to face the U.S. charges and was extradited in April of this year. The U.S. indictment covers Lazar's activity between October 2012 and January 2014. Lazar released information from compromised accounts, including medical and financial information, prosecutors say.

Lazar caused a stir when he spoke to NBC News from a maximum security prison in Bucharest prior to his extradition. In the interview, broadcast in May following his extradition, he made an unsubstantiated claim that he accessed Clinton's private email server and downloaded some material.

Lazar told the broadcaster: "It was like an open orchid on the internet, as many such servers are. There were hundreds of folders with boring stuff, political boring stuff. It was not what I was looking for." The claim was called into question because, unlike other accounts he breached, Lazar didn't release material from Clinton's server.

He said he discovered Clinton's private email address, [email address omitted], after compromising the email account of Sidney Blumenthal, a longtime adviser to the Clinton family. Lazar, who denied working for a foreign government, passed emails to the Smoking Gun website and Russian state-sponsored broadcaster RT.

Lazar, whose nickname is a portmanteau of Gucci and Lucifer, said during the interview he executed the compromises with a cheap computer and a mobile phone. His intrusions, he said, were intended to expose the Illuminati.

Even if his claim of downloading Clinton material was a fib, it caused even more trouble for the U.S. presidential candidate as she defended the use of a private email server for government business.

Followed by Guccifer 2.0

Guccifer's notoriety prompted another hacker to borrow his moniker this year. In June, someone going by the nickname "Guccifer 2.0" claimed to be the sole hacker who breached the Democratic National Committee's systems. Like the original Guccifer, the successor also released sensitive documents (see Lone Hacker Claims to Have Breached DNC).

Guccifer 2.0 claimed to be Romanian, but the person didn't speak Romanian that well, according to the news site Motherboard. The U.S. government and private security companies suspect Russian intelligence may be behind the Democratic Party hacks, but the country has denied involvement (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).

Password Management Lessons Learned

Although the authentication weaknesses of web-based systems are well known within computer security circles, Lazar's demonstrations from rural Romania brought those faults widespread attention.

It would be nearly impossible these days to be a digital citizen without using web-based servers that authenticate through logins and passwords. The usual mitigation advice continues to apply: Use a strong, unique password and implement two-factor authentication, preferably not over SMS.

Some web services, such as Dropbox and Facebook, can send alerts of a successful login from a never-seen-before device. Sometimes those alerts aren't on by default, though, and need to be activated.
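The new-device alert the article describes is, on the service side, a small piece of detection logic: remember which devices each account has logged in from, and notify the owner the first time a successful login arrives from one that has never been seen. The following is an added example written for this page, not code from the article or from Dropbox, Facebook or any other service it names; the JSON event format, the sample records and the `device_id` fingerprint are all constructed assumptions.

```python
"""New-device login alerting over constructed authentication events.

Added illustration; the event schema and records are invented for it."""

import json
from collections import defaultdict

# Constructed sample of login events. device_id stands in for whatever stable
# fingerprint a service assigns (a browser cookie, an app install id); its
# exact form does not matter to the logic. The last record is a failed
# attempt and must not raise an alert.
SAMPLE_EVENTS = [
    '{"ts": "2016-09-01T08:00:00Z", "user": "alice", "device_id": "dev-laptop-1", "ip": "198.51.100.10", "result": "success"}',
    '{"ts": "2016-09-01T08:05:00Z", "user": "alice", "device_id": "dev-laptop-1", "ip": "198.51.100.10", "result": "success"}',
    '{"ts": "2016-09-01T09:10:00Z", "user": "bob", "device_id": "dev-phone-7", "ip": "203.0.113.5", "result": "success"}',
    '{"ts": "2016-09-01T23:45:00Z", "user": "alice", "device_id": "dev-unknown-9", "ip": "192.0.2.77", "result": "success"}',
    '{"ts": "2016-09-02T00:01:00Z", "user": "bob", "device_id": "dev-unknown-3", "ip": "192.0.2.78", "result": "failure"}',
    'this line is not JSON and should be skipped',
]

REQUIRED_FIELDS = ("ts", "user", "device_id", "ip", "result")


def parse_event(line):
    """Parse one JSON event; return None for malformed or incomplete lines so a
    bad record cannot stall the whole stream."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    if not all(k in ev for k in REQUIRED_FIELDS):
        return None
    return ev


def detect_new_device_logins(lines, known_devices=None):
    """Return (alerts, known_devices).

    known_devices maps user -> set of device ids already trusted (for example
    devices enrolled when the user set up the account). With no baseline, the
    very first login of each user is also treated as new: noisy on day one,
    but safer than silently trusting whatever device happened to come first.
    Only successful logins count; a failed attempt from an unknown device is
    a different signal (brute forcing) and is handled elsewhere.
    """
    known = defaultdict(set)
    if known_devices:
        for user, devices in known_devices.items():
            known[user] = set(devices)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue
        if ev["device_id"] not in known[ev["user"]]:
            known[ev["user"]].add(ev["device_id"])
            alerts.append({
                "user": ev["user"],
                "device_id": ev["device_id"],
                "ip": ev["ip"],
                "ts": ev["ts"],
                "message": (
                    f"New device login for {ev['user']} from {ev['ip']} at {ev['ts']}. "
                    "If this wasn't you, change your password and review active sessions."
                ),
            })
    return alerts, known


if __name__ == "__main__":
    # Constructed baseline: devices the users enrolled when they signed up.
    baseline = {"alice": {"dev-laptop-1"}, "bob": {"dev-phone-7"}}
    found, _ = detect_new_device_logins(SAMPLE_EVENTS, baseline)
    for alert in found:
        print(alert["message"])
```

With the enrolled-device baseline, only alice's late-night login from `dev-unknown-9` produces an alert; the two routine logins are known devices and bob's failed attempt is ignored. Run without a baseline, the same input yields three alerts, one per first sighting, which is why services usually seed the known-device list at enrollment rather than learning it from scratch.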

It's also helpful to use a password manager, which makes it feasible to set a unique strong password for many web accounts without having to remember many of them. Most of those applications have password generators, which makes creating strong ones painless.

Of course, that advice applies not just to celebrities and politicians who may be targeted by future Guccifers, but to any internet user.
