Industry must let go of outdated infosec ideals
20 June 2016
“Our users don’t listen to us!” – a common utterance from infosec professionals, according to James Lyne, global cybersecurity specialist, certified instructor at the SANS Institute, and global head of security research, Sophos.
On the contrary, he argues, sometimes they listen too well, and hold on to certain ideas or concepts long after their usefulness has passed.
“Sometimes, as an industry, we do the same – we hold on to outdated ideas,” said Lyne.
These outmoded ideas, Lyne asserts, are stymieing efforts to combat the rapidly evolving threats from today’s cybercriminals.
Lyne described how sophisticated services are now available that mimic the legitimate world, offering support, automation, bespoke services and more. This wave of cyberthreats is industrialised, well organised and needs a change in mindset to begin to tackle it.
He cited the AlphaBay Market, which features stolen credentials for sale, saying it is “trivial” to get into the business of buying stolen credentials. A valid email address and credentials can sell for as little as 25c, and can be used to reset passwords, and thus begin the chain of identity theft and fraud.
Pay remittance scams are on the rise, he warned, and are an effective earner for cybercriminals. Localised scams are also becoming more frequent, as the criminals learn more and can target very specifically.
“This is the incredibly professional cybercrime industry we are dealing with,” said Lyne. “Cybercrime is a data-driven business – they measure, learn and repeat.”
They also make very clever use of old exploits, he warned.
Rob Corbet, partner, head of Technology and Innovation, Arthur Cox, went through many of the highlights of the upcoming General Data Protection Regulation (GDPR), which will come into effect on 25 May 2018.
“In true European fashion, this has not been a fast process,” said Corbet.
The purpose of GDPR, said Corbet, quoting Article 1.2, is to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” He added that Article 8(1) of the Charter of Fundamental Rights of the EU and Article 16(1) of the EU Treaty say “everyone has the right to the protection of personal data concerning him or her.”
He said the principles from the data protection directive 95/46/EC remain largely intact, but are updated in key respects, with a significant new sanctions and enforcement regime.
Corbet said the reason for choosing a regulation was that a single regulation applies everywhere, avoiding the fragmentation that comes from multiple national interpretations of a directive, even though national data protection commissioners will still interpret it for organisations within their jurisdiction.
He highlighted some key points from the legislation which were new, such as the Article 37 requirement for a data protection officer if processing is carried out by a public authority or body, or if core activities consist of regular and systematic monitoring on a large scale, or large-scale processing of special categories of data and data relating to criminal convictions and offences.
There is also the record-keeping requirement under Article 30, which sets out the responsibility of data controllers to maintain records of the processing activities under their responsibility.
Corbet pointed out that the Article 17 right to be forgotten goes far beyond the Spanish Costeja test case.
He also noted that Article 23 sets out the obligations of the controller arising from the principles of data protection by design and by default.
Corbet finished by advising companies to begin applying the GDPR to anything they are working on now, thus making ready for the 2018 implementation.
Richard Nichols, senior director, Sales Strategy, EMEA, RSA, described the journey that organisations must embark upon to move from a siloed, reactive security posture based on point solutions, management consoles and basic reporting to one of a mature, fully risk-aware organisation that can make risk-based decisions, with rationalised security plans that can still prioritise the business context.
“The more visibility and analytical capability you have, the more your capability to respond, and quicker,” said Nichols.
However, he admitted that most organisations are still only moving from the first stage of reactive posture towards the interim stage of risk aware, though not risk managing.
Dr Ciaran MacMahon, Institute of Cyber Risk, warned of treating the end user as if they were a liability. Echoing Lyne’s assertion of outmoded ideas hampering current efforts, he said that thinking of users as the weakest link in the security chain was not helpful.
“Security is not really a chain – this idea is not serving security,” said Dr MacMahon.
Blaming the person is fudging; it is the easy answer and not helpful in determining what went wrong, he warned. “How can you expect employees to report a data breach when you are working on the assumption that they are stupid and untrustworthy?”
Dr MacMahon said that users must be engaged, educated and trusted.
“Use them to increase security,” he advised.