Dr. Johannes Ullrich, the Dean of Research at SANS Institute, speaks to Arabian Reseller about what CXOs need to know about security today
Security is a responsibility that needs to be shared among employees. Do you believe in this statement? Why?
While there is no doubt that ownership of cybersecurity lies with CISOs and their IT departments, a comprehensive security strategy for today’s digitally transformed enterprise requires not just technology, but also a due consideration for people and processes. Employees, even non-IT staff, are an essential element of any cybersecurity strategy and should, therefore, have the awareness and training needed to operate in a manner that does not introduce risk.
The convergence of mobility and cloud has brought forth new areas of compromise. What do CXOs need to know in order to stay ahead of such security threats?
Mobile and cloud both reduce the physical control an enterprise has over where its data is located. Many organisations do not adequately plan and control their mobile or cloud deployments and as a result, risk exposing their resources. Very often, both cloud and mobile deployments happen because of what has become known as ‘shadow IT’.
This means that parts of the organisation outside of the IT team are signing up for cloud resources or using their own mobile devices for company business, for example, without proper IT approved controls. The result is that confidential data is likely to be stored on improperly configured cloud systems or insecure mobile devices.
We have seen a number of recent high-profile data breaches happening because data was stored on cloud services like Amazon’s S3 service. These services are often ‘open by default’ and any access restrictions need to be specifically configured. In addition, these resources are outside the traditional network perimeter and are not protected by existing controls, like data leakage protection or vulnerability scanning.
Unfortunately, the fact remains that, when it comes to cloud services, even if deployed properly, the impact of their use on incident response and breach recovery is often underestimated. For example, webmail systems often do not provide the same granular logging and auditing capabilities that are commonly enabled for on-premise mail services.
Cloud resources and the deployment of mobile devices need to be carefully planned and controls need to be put in place to properly control what data is allowed to be processed in a cloud environment or on mobile systems. Tokenization is one technology that can be used to reduce the exposure of critical data in these environments. But tokenization is a complex undertaking and needs the collaboration of all stakeholders to properly identify critical data, label it and find adequate tokenization solutions.
What challenges do companies face when it comes to exposure to security threats?
The tools and security technologies available today can mitigate the large majority of attacks, so it is often a matter of budgets and securing management buy-in. Fortunately, the growing threat of cyber-attacks in recent years has brought security to the forefront of business rather than just IT discussions.
But in this fast-paced environment, it is easy to overlook some basic techniques that have been proven to be effective regardless of the threat. Important foundational policies should address proper inventorying of hardware, software, and data. This includes baselining of systems and establishing standard configuration templates for systems in line with best practices.
How can CXOs make sure they have plugged security holes to minimise security risks and implications?
In order to plug security holes, you need first to be aware of their existence. This means identifying the systems and processes most likely to be exploited by attackers. This requires your IT team to be well trained in vulnerability analysis and penetration testing.
Once the most urgent vulnerabilities have been addressed, the company can optimize utilization of its existing cybersecurity investments by investing in the skill sets of its IT team. Well trained security professionals are better equipped to configure and manage existing security investments thereby increasing their effectiveness.
The insider threat is a major concern in today’s business environment. How can this be mitigated?
A recent SANS survey found that 76% of security and IT professionals polled globally felt the greatest potential for damage comes from a possible data breach involving employees or contractors trusted with insider access to sensitive data. 40% worry about insiders acting out of malice; 36% say the risk from insiders who are careless with security or fooled by scams from outside would do the greatest damage to reputations and bottom lines in the event of an attack. Only 23% predicted the most damage could be done by attackers from the outside.
Technology is obviously an important way to help protect an organisation’s people and data, putting in appropriate security controls. However, this has to be accompanied by a programme of internal security awareness to prevent that 36% of insiders being tricked into letting a cyber-criminal onto the corporate network.
It is also critical to have an incident response plan in place in the event that a breach does occur. In the same survey, only 18% of respondents said they had formal incident-response plans that include potential insider attacks, 49% said they were developing such a plan; 31% of respondents said they had no formal program in place or preparations to deal with threats from insiders.
Who are the stakeholders the CIO should partner with to make sure insider threats can be minimised?
One of the best ways to make sure employees will not make costly errors with regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to, classroom style training sessions, online modular training, security awareness website(s), helpful hints via e-mail or even posters.
These methods can help ensure employees maintain a solid understanding of company security policies, procedures, and best practices. CIOs can look to partner with dedicated cybersecurity training providers as in-house teams often lack the resources, materials, and know-how needed to execute these initiatives.
What are the best practices when it comes to unintentional insiders that might bring forth security issues?
Referring specifically to users who unintentionally jeopardize the security of their organizations’ IT systems, the most common mistakes are infecting the network with malware by visiting malicious websites, disclosing sensitive login information by responding to phishing emails, storing sensitive information on insecure devices or on unauthorized cloud storage platforms, or even exposing corporate data through social engineering attacks. Ignoring or failing to execute the latest security updates also leaves a user at higher risk of being compromised.
Many employees connect their personal devices to their work systems and to corporate wireless networks, and many download and run content and applications that are not approved by IT. All of this is complicated by the fact that most don’t have a keen understanding of IT security, and so don’t take necessary precautions when carrying out such activities.
The best way to correct these behaviours is via security awareness training which covers the organization’s policies pertaining to security, data classification and handling, workspace and desktop security, wireless networks, password security, phishing, hoaxes, malware, file sharing and copyright. Such a strong security awareness programme could also include a regular series of spoof phishing emails, sent to employees only and designed to teach staff to be alert to similar external phishing attempts.