Data

Pro

29 May 2013

Enterprise IT security must sit down with business leaders to identify data ‘crown jewels’ to ensure that the right things are protected in the new world of IT security.

Enterprise has for too long been focused on keeping all intruders out, warns Professor Paul Dorey, and so has regarded all data as equally valuable in terms of protection measures. But this approach is too expensive and ineffective in the face of today’s threats, he said.

Prof Dorey is visiting professor in Information Security at Royal Holloway College, University of London, former CISO at BP plc and group operational risk director for Barclays Bank. He will be in Dublin to speak at Enterprise Technology World in Croke Park on 17-18 June.


Speaking exclusively to ComputerScope, Prof Dorey said the new world of Advanced Persistent Threats (APT) is changing the way that organisations deal with IT security. It is no longer sufficient, he says, to focus on network security, though he is not entirely happy with the term APT.

"What’s happened is that we have seen a very different type of threat appear over the last few years."

In the past, says Prof Dorey, IT security was about doing the basics, reporting compliance and the attitude was ‘job done’. The term used is Advanced Persistent Threat, but Prof Dorey maintains that the term ‘advanced’ could well be replaced with ‘adequate’ and that it is the persistent bit that really matters.

"They can go on for years," he warns.

The level of infiltration is far higher as the duration can be so long, and so the potential damage done is higher too, said Prof Dorey. The Verizon 2013 Data Breach Investigations Report said that the average time to discovery of a data breach was 211 days.

Added to this, Prof Dorey said that there may be a lot of lateral movement within the organisation once they get in.
"It is a significant task to detect these and deal with them."

With all this in mind, Prof Dorey said that attitudes must change to deal with these realities.
"The shift is from success being declared as prevention, to success being declared as detection and rapid response."

"There are three types of companies in the world in dealing with computer security. The first are still in the very unaware phase where they are struggling with what to do, with poor support from management. Then the second tier are scoring green on the charts, they have done their audits, they have done their reviews, scanned their system and are reporting a very healthy compliance state. And then there are those in the third tier who are the best in the world in terms of security and they all say they have been penetrated and are dealing with it."
"The middle bunch is living in a very unaware state."

In the past, organisations thought that if they were not themselves a big bank or defence company, then they would not be a target for attack, but recent experiences have shown that smaller players are often a mere stepping stone to a larger target.

If you are on the supply chain to a big company, you could become a target. And often these companies can be quite small, such as a legal firm. These small companies can be a soft option to gain access higher up the chain.
"If your customer is the target of the attacker, then you could be the route in," says Prof Dorey.

Another change in attitude is slowly coming about where it is healthier for people to talk about their security experiences and admit when there have been problems.

"If you haven’t seen an attack, it means you haven’t seen it, not that it isn’t there."

Once organisations realise that attacks are happening and penetration has more than likely occurred, management of the situation becomes critical to maintain reputation.

"Crisis management 101 tells us to declare your problem early and let people know that you are dealing with it is the best course of action, no matter who you are."

"Cover up always ends up in a very bad place," states Prof Dorey.

"The world of compliance says ‘what are my weaknesses and what have I done to fix them?’, whereas the world of the cyberthreat says ‘what are my attackers going to try to do?’ and ‘how would I outsmart them?’ That’s quite a step change as we are starting to enter the world of intelligence."

It is very important that organisations share intelligence as what was successful in one place will be used elsewhere, so by sharing experiences, it can help prevent these tactics being successful again.

"What we have to do is to protect the data, and not the networks to the same extent," said Prof Dorey. "That does not mean that we ignore network protection but rather that network protection is insufficient in itself."

"We have to know what data matters to us, because we can’t protect everything. That is the big challenge of IT and security teams, because quite often, they don’t have the business insight into what really matters."

It requires sitting down with the business leaders and asking what really matters, and putting a value on this information.

"At that point, they start to produce a ‘crown jewels’ list and then you are back to security basics which is to put the stuff that matters inside the castle, inside the keep and lock up the data. The other less sensitive data can then be made as freely available as possible."

TechCentral Reporters
