Predicting Network Break-ins
What’s it like to manage security for the largest marketplace—and biggest phishing target—in the world? Dave Cullinane’s CISO role spans eBay Marketplaces, including 21 additional eBay properties such as Shopping.com. He also works closely with the CISOs of Skype and PayPal. Cullinane joined eBay last year, having previously served as the CISO for Washington Mutual. He has more than 30 years of security experience. ITsecurity.com recently interviewed Cullinane on e-commerce security trends.Related Stories:2007 Security By the NumbersEmail Security Comparison GuideIntrusion Detection System EssentialsThe Top 5 Internal Security Threats
ITsecurity.com: Enterprises are talking about pushing for a more proactive approach to security. What’s your take on that?Cullinane: Being proactive is certainly one of the things we need to do. What we are trying to do is move to a predictive model. We are trying to look at what is known out there in terms of what threats are viable … and find a predictive model. We can research what can potentially be done about how the threat model is changing, and how the technology is changing, and build things that are much harder to break and compromise.ITsecurity.com: What are the key technologies in that regard?Cullinane: Technology-wise, there are a lot of very interesting things going on. Most of it seems to be around authentication and authorization. We just recently announced the PayPal Security Key you can use to log into accounts. We look into things that are generally referred to as machine ID and fraud detection tools.There are also a couple of new technologies in the industry that create a biometric of how you type in your user name and password – the intervals between the keys and how hard you hit the keys. Looking at things like that would allow us to get much more granular in determining that it is really you.ITsecurity.com: What type of attack do you view as the most dangerous at the moment?Cullinane: I don’t think it is any one attack. I think it is the sophistication of what is happening with the attacks. We are getting reports telling us that there are hundreds and thousands of variations of crimeware being created. The antivirus vendors are having a hard time keeping up with that. The level of sophistication of what is happening is probably the biggest issue right now, rather than any one particular type of attack.ITsecurity.com: Is the increasing sophistication of attacks causing organizations to band together to develop solutions?Cullinane: That’s actually been going on for quite a while – the Anti-Phishing Work Group, for example. Most of the banks – including the one I was at – learned a lot about phishing by watching eBay. There’s I-4 [International Information Integrity Institute] and the Identity Theft Technology Council. Those have been in place for a while.We had Red Team eBay in February. We brought together similar companies … in electronic commerce and many of the major security vendors and did an extensive 2-day exercise on what the threat looks like and what can we do together to address some of the problems. We sent a large contingent of security folks to eBay Live! They were there not only to talk about how [community members] can protect themselves more effectively, but to get feedback from them on what they are seeing and what they need and what type of security measure they would be comfortable using.We are also doing quite a bit of work with Stanford University and their research department. We are doing some work with Carnegie Mellon, and we are looking at doing some work with Cambridge University in the U.K.ITsecurity.com: What are some ground rules for managing security collaboration with other organizations?Cullinane: The primary issue is getting the trust established. The Anti-Phishing Working Group was useful because we were very careful to keep it closed at the beginning. We wouldn’t have to worry about information leaking out and embarrassing somebody. I-4 has very strict confidentiality and non-disclosure agreements.ITsecurity.com: I’ve noticed that large enterprises often work with security start-ups. Does eBay work with any start-up vendors in the security area?Cullinane: We look at the spectrum of things that are out there and look for things that can help us. We work with start-ups as well as more established companies. We worked with a company that came in with what looked to be sophisticated denial of service [prevention] product a couple of years ago.One of the issues with eBay is the volume of things that happen on our sites. This particular solution looked pretty good, but couldn’t quite scale to what we needed it to. We partnered with the company to build a solution that met our needs. We will partner with companies … in the Proven at eBay program -- that will help us address some problem we are having -- and make their product more robust and effective at the same time. We are actually setting that up right now.