InfoSec is moving on, reacting to threats and attacks
20 November 2013
There is strong evidence to suggest that businesses are slowly adapting to the new threat landscape, realising that attacks are inevitable, breaches to be expected and assets are not all equal.
These are some of the findings of the PwC “Global State of Information Security Survey 2014” report, based on a survey of more than 9,600 respondents including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 115 countries. Thirty-six percent (36%) of respondents were from North America, 26% from Europe, 21% from Asia Pacific, 16% from South America, and 2% from the Middle East and Africa. The survey was conducted from February to April of 2013 and the report compiled by PwC.
The report states: “This year’s survey indicates that executives are elevating the importance of security. They are heeding the need to fund enhanced security activities and believe that they have substantially improved technology safeguards, processes, and strategies.”
However, there are also warnings that old countermeasures are not sufficient for new threats.
“Organisations often rely on yesterday’s security strategies to fight a largely ineffectual battle against highly skilled adversaries who leverage the threats and technologies of tomorrow.”
“You can’t fight today’s threats with yesterday’s strategies,” said Gary Loveland, PwC Principal. “What’s needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries.”
A key influence on the changing attitudes of those tasked with information security is realisation that attacks are inevitable and breaches are to be expected.
“A key tenet of this new approach is an understanding that an attack is all but inevitable, and safeguarding all data at an equally high level is no longer practical,” said the report.
This new understanding is becoming common among CIOs and CISOs who are making these issues board-level issues, ensuring that the right level of support is provided.
“This year’s survey indicates that those we define as leaders are enhancing their capabilities to do just that by implementing policies that elevate security to a top business imperative — not just an IT challenge,” said the report.
However, there are still those that persist with ineffectual countermeasures, primarily because they either do not think that they have been attacked or, worse still, do not know that they have been attacked. And often, those attacks can come from within, sometimes unwittingly.
“One reason why organisations do not have effective plans in place for internal threats is that many classes of insiders, such as partners and suppliers, are invited within network perimeters and a certain level of trust is assumed,” said John Hunt, PwC Principal. “Businesses should understand that trust in advisors should not be implicit.”
But leaders in the field, said the report, have taken steps to increase knowledge and visibility of what is going on within their domain.
“Leaders are more likely to have deployed tools that provide a real-time analysis of suspicious activity logged on network hardware and applications. For instance, 66% of leaders say they have implemented security information and event management (SIEM) technologies,” said the report.
“Similarly, 66% of leaders say they have deployed event correlation tools, which aggregate and correlate information from disparate tools like vulnerability and intrusion monitoring systems. Vulnerability scanning solutions, in place at 71% of leaders, assess networks and applications for weaknesses.”
Irrespective of the tools and technology that are deployed to combat these threats, there is still much to be done on the human side, warns Leonard McAuliffe, director of Information Security and Forensics, PwC Ireland.
“Organisations need to have a holistic approach and strategy for information security and cyberthreats by ensuring people, processes and technology are incorporated into a forward-looking, threat-intelligent information security programme.
“The information security programme should not only implement governance, next-generation threat intelligence security systems and robust processes but also create awareness for executives, IT and end users on how to defend against these sophisticated cyberattacks (the human firewall) as they can often be seen as the weak link in defence systems.”
The report also highlighted that there is a growing confidence among CxOs in their ability to meet and defend against these threats. Nearly three quarters (74%) said that they have confidence that their security activities are effective. When asked if this confidence might be a little misplaced, McAuliffe said that this needs to be taken in context.
“This is a high level self-assessment and if you look at the data from the survey in more depth, only 17% of respondents have all of the critical success factors for an effective security programme.”
These factors include an overall information security strategy, a CISO who reports to top level leadership, measured security effectiveness and understanding the type of security incidents that have occurred in their organisations.
“Therefore, I believe,” said McAuliffe, “the very high level of confidence may be misplaced, especially when only 17% of organisations have the aforementioned critical success factors in place for an effective information security capability.”
The report showed that there is a rising proportion of people who do not know the frequency of attacks against their organisations, but there is also a worry that those who think they know the frequency may be misled.
“I do think that the rising proportion of people who do not know the frequency of attacks against their organisation is accurate,” said McAuliffe. “There are many organisations that do not have the monitoring and threat intelligence systems in place to identify, manage and report information incidents so they may be blissfully unaware of attacks or sensitive data leaving their organisation.”
“When organisations commission us to conduct penetration testing and they don’t inform IT of our testing, many times IT are unaware that we are actually attacking and circumventing their security systems and accessing highly sensitive data. This type of penetration testing is conducted to test their information security systems and highlight any weaknesses found but they may not even be aware we were conducting the testing due to the lack of monitoring systems.”
“Based on the examples outlined,” concluded McAuliffe, “and my experience of providing forensics and incident management services to clients, I think that there are also people who think they know the level of attacks they are under, but are actually experiencing more that are going undetected.”
McAuliffe said that to protect themselves, Irish organisations need to ensure that certain steps are taken. Start with a general health check, he said, which covers governance, people, processes and technology to identify risks to your organisation’s assets and also to benchmark your current state against industry good practice.
Plan a future state for information security based on current and future threats, and develop a strategy and security programme for the next three years which manages these risks and is aligned with business and IT strategies.
Move away from traditional perimeter- and compliance-driven reactive controls towards becoming “cyberthreat intelligent”, with both active and reactive measures in place.
Do not try to protect everything: identify your critical and sensitive information assets and concentrate on protecting those, advised McAuliffe. It is also important to ensure third parties apply the same level of controls to your organisation’s information assets as you do, because you cannot outsource risk.