Cyber security requires faith
2 November 2018
The cyber security threat to Irish organisations is far from insurmountable, but faith is required.
Speaking at the EU Cyber Summit, Paul C Dwyer, CEO of Cyber Risk International and chair of the event, said faith is required that the security challenge can be met, mostly because, unlike in other areas, the tools do not come with a warranty.
“While sometimes it may seem like Mission Impossible, it isn’t – it is worthwhile and fulfilling,” said Dwyer.
Putting the efforts in context, Dwyer said the people working to defeat cancer do not start from the position of thinking it is impossible.
“We need a similar attitude in cyber security,” he said.
Poacher, not gamekeeper
Taking up the theme, Chuck Georgio, security consultant, NoWheretoHide.org, evoked the story of Sisyphus and his eternal task, saying the job of a CISO is never-ending and ever-changing. The macro situation is further complicated by the growing Chinese market, where 1.1 billion people are expected to be online by 2025, with a further 226 million in Nigeria, and connected devices expected to top 21.5 billion. Despite this, a change in attitude will help organisations begin to get a handle on the task.
Georgio said that organisations need to think more like the poacher and less like the gamekeeper. By putting themselves in the shoes of those who would seek to steal from them, security practitioners can envisage how defences might be circumvented or breached, gaining a better understanding of how to organise defences and deploy resources for protection.
Think of the family jewels, said Georgio: data needs to be protected within the organisation too, not left unprotected internally.
He listed 10 key actions as a framework to tackle the security challenge.
Firstly, inventory all assets, digital, data and otherwise, to understand what there is and how it needs to be protected. And in light of recent regulations, revalidate where the data came from and why it is being held. Rationalise the data to reduce the amount that needs to be looked after. Then, if data provenance is not known, or cannot be revalidated, delete it. If data must be held, get permission from the data owners to hold it and use it.
Do not be tempted to use real data for development work, he warned. This opens up all kinds of potential for loss or compromise.
Segment and partition data, restricting access only to those who need it. This avoids all data being vulnerable in the event of a breach, limiting potential damage.
Encrypt all data at rest and in motion, providing further resilience. Establish retention policies and expunge data when no justification can be found for retention, but be sure to do so from all sources.
Use different authentication methods between presentation and data layers to provide further protection in the event of compromise. And finally, as soon as you no longer need data, get rid of it – from everywhere.
Assume the hackers will get in, if they are not already there, warned Georgio, so protect the data already there – implement privacy by design.
“Give them nothing, leave them nothing, let them see nothing,” he advised.
Where the money is
Citing a famous bank robber who said he robbed banks because that was where the money was, James McNab, director, cyber security, Cisco, stated that data is now where the money is and requires new levels of protection as a result.
In a scenario he described as relentless attackers versus tireless defenders, cyber criminals want to get malware inside organisations to explore and exfiltrate data. They infect organisations through various means, such as drive-by attacks, infected hosts, malicious web links and phishing attacks, and they are getting better at hiding themselves, through the likes of social media.
Those security practitioners tasked with protecting organisations suffer from complexity and orchestration problems. McNab said that some organisations can have up to 50 different tools to configure, manage and orchestrate.
Added to this is the increasing use of encryption by malicious actors, and the situation again seems impossible. McNab said Cisco, in its annual cyber security report, had seen a 268% rise in the use of encryption in malicious attacks.
McNab said that reducing alert fatigue, while properly categorising and prioritising, is critical for security tools.
Nearly half (44%) of security alerts are not investigated, said McNab, and half (49%) of legitimate alerts are not remediated.
“We have got to get better at detecting,” he warned, “and remediating quicker.”
Security as a business enabler, said McNab, should be giving you the edge.
He said that security for business should be like the brakes on a sports car – giving confidence to use all the performance available.
Ensuring that security measures do not restrict business, he said, will enable the business to develop and innovate without restriction, and with confidence.