Building a cybersecurity strategy
12 March 2018 | 0
Cybersecurity can be defined as the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents such as hard drive failures or power outages, and from attacks by adversaries. The latter includes everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cybersecurity as application and network security.
“A good cybersecurity strategy needs to go beyond basics . Sophisticated hackers can circumvent most defences, and the attack surface is expanding for most companies”
Security should be foremost in minds across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cybersecurity controls. Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all.
The human is always the weakest element in any cybersecurity programme. Training developers to code securely, training operations staff to prioritise a strong security posture, training end users to spot phishing emails and social engineering attacks — cybersecurity begins with awareness.
All companies will experience some kind of cyberattack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cybersecurity care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible.
A good cybersecurity strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defences, and the attack surface — the number of ways or “vectors” an attacker can gain entry to a system — is expanding for most companies. For example, the information and the physical world are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important.
Further complicating cybersecurity is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organisations meet the privacy and security mandates of the GDPR and other regulations.
As a result, growing demand for cybersecurity professionals has hiring managers struggling to fill positions with qualified candidates. That struggle requires organisations to have a sharp focus on areas of greatest risk.
Types of cybersecurity
The scope of cybersecurity is broad. The core areas are described below, and any good cybersecurity strategy should take them all into account.
Critical infrastructure: Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyberattacks. The solution for organisations responsible for critical infrastructure is to perform due diligence to protect understand the vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them and then develop a contingency plan.
Network security: Network security guards against unauthorised intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity.
Tools used to monitor network security generate a lot of data — so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time.
Cloud security: The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: Moving to the cloud is not a panacea for performing due diligence when it comes to cybersecurity.
Application security: Application security (AppSec), especially web application security, has become the weakest technical point of attack, but few organisations adequately mitigate all the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices, and should be augmented by fuzzing and penetration testing.
Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritise business needs over security, a focus that will likely change given the proliferation of threats.
Internet of things security
The Internet of Things (IoT) refers to a wide variety of critical and non-critical cyber physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats to not only their users, but also to others on the internet, as these devices often find themselves part of a botnet. This poses unique security challenges for both home users and society.
Types of cyber threats
Common cyber threats fall under three general categories:
Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyberattacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.
Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.
Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target’s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable.
The following describes the means by which these attacks are carried out.
Attackers are not going to hack a computer if they can hack a human instead. Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end-user is tricked into running a Trojan horse program, often from a website they trust and visit often. Ongoing user education is the best countermeasure against this attack.
Sometimes the best way to steal someone’s password is to trick them into revealing it This accounts for the spectacular success of phishing. Even smart users, well-trained in security, can fall for a phishing attack. That is why the best defence is two-factor authentication (2FA) — a stolen password is worthless to an attacker without a second factor, such as hardware security token, or soft token authenticator app on the user’s phone.
It is hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability, and your enterprise has not applied that security patch, you open yourself to accusations of negligence. Patch, patch, patch.
Social media threats
Catfishing is not just for the dating scene. Believable sock puppet accounts can worm their way through your LinkedIn network. If someone who knows 100 of your professional contacts strikes up a conversation about your work, are you going to think it strange? Loose lips sink ships. Expect social media espionage, of both the industrial and nation-state variety.
Advanced persistent threats
Speaking of nation-state adversaries, your enterprise has them. Don’t be surprised if multiple APTs are playing hide-and-go-seek on your corporate network. If you’re doing anything remotely interesting to someone, anywhere, you need to consider your security posture against sophisticated APTs. Nowhere is this truer than in the technology space, an industry rich with valuable intellectual property many criminals and nations will not scruple to steal.
Executing a strong cybersecurity strategy requires you have the right people in place. The demand for professional cybersecurity folk has never been higher, from the C-suite down to the security engineers working on the front lines. Security leaders have elbowed their way into the C-suite and boardrooms, as protecting company data becomes mission critical for organisations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organisation must have.
Roles have also grown more specialised. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7. The following roles are the foundation of any security team.
The CISO is a C-level management executive who oversees the operations of an organisation’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organisation’s information assets.
Also referred to as cybersecurity analyst, data security analyst, information systems security analyst, or IT security analyst, this role typically has these responsibilities:
- Plan, implement and upgrade security measures and controls
- Protect digital files and information systems against unauthorised access, modification or destruction
- Maintain data and monitor security access
- Conduct internal and external security audits
- Manage network, intrusion detection and prevention systems
- Analyse security breaches to determine their root cause
- Define, implement and maintain corporate security policies
- Coordinate security plans with outside vendors
A good information security architect straddles the business and technical worlds. While the role can vary in the details by industry, is that of a senior-level employee responsible to plan, analyse, design, configure, test, implement, maintain, and support an organisation’s computer and network security infrastructure. This requires knowing the business with a comprehensive awareness of its technology and information needs.
The security engineer is on the front line of protecting a company’s assets from threats. The job requires strong technical, organisational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data centre systems and networks; helping the organisation understand advanced cyber threats; and helping to create strategies to protect those networks.
IDG News Service