The Wavelength: Security and Compliance
If security isn’t top of mind for you or your organization right now, it will be after reading this issue. And while compliance may not equal security, the two certainly go hand in hand; compliance is a reflection of security measures within an organization. We’ve got a top-notch panel of experts this month to answer questions and present us with an excellent reality check on both issues.
Hacked emails have been in the news quite a bit recently – how are you protecting your clients (internal and external) against email hacks?
Brett Butler: We create a password policy for our clients. Passwords need to be rotated and need to be complex. We offer several cloud security layers and offer cloud email that is continuously managed with full-time dedicated resources to minimize the exposure to hackers. When our clients use a hosted email platform, they offload infrastructure, updates and management of the system. Small businesses that manage on-premises email systems that are not updated or managed can exacerbate the security threat. When it comes to email hacking, malware and phishing are the biggest threats to hacking into company data.
Stephen Cobb: A multilayered approach to protection works best, combining security software with user education. On the software side, you want properly managed anti-malware installed on all endpoints that interact with email. This is to block infected attachments and infectious links. You should also be running anti-malware on your servers, including email servers. You also need to be monitoring your internal network activity to flag anomalies that might indicate a successful email-enabled hack. The education piece is ongoing and should cut down on the number of people clicking things they shouldn’t. But you need to keep this education fresh – for example, do your employees know to look out for CEO email hacks that try to commit wire fraud? Are your bank wire procedures adequate to prevent this type of attack?
Bobby Dominguez: We recommend a variety of measures for our clients … these are in line with the defense-in-depth paradigm, where you have many layers of protection so that if any one fails, others will still be there to detect or prevent the incident. Some technology controls like DMARC, SPF or DKIM can be used to minimize spoofed emails used in phishing attacks. Awareness training for end users to recognize phishing emails, and testing of their ability to recognize these attempts to compromise credentials or other confidential data, are important. Malware detection and prevention through whitelisting, blacklisting, and other anomalous behavior analysis is yet another layer. And finally, you should assume that a breach will occur and your goal will be to detect it as soon as possible to minimize the impact. Detecting a breach when an external party tells you about it or you receive a call from law enforcement is too late.
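Dominguez names DMARC, SPF and DKIM as the controls that cut down spoofed sender addresses. The Python below is an example added to this page, not code from the panel or from any vendor, showing how a receiving mail server turns SPF and DKIM results into a DMARC disposition: the DMARC record for the visible From domain is looked up, each passing mechanism is checked for identifier alignment (strict or relaxed, per the record's aspf/adkim tags), and the record's p= policy is applied only when neither mechanism is aligned. The domains, DNS records and authentication results are constructed for the example; the organizational-domain reduction is a simplification (a real implementation consults the Public Suffix List), and tags such as pct and sp are ignored.

```python
"""Added example: DMARC disposition from SPF and DKIM results.

Constructed data throughout; not the panel's or a vendor's code.
"""

# Constructed DMARC TXT records for two hypothetical domains.
# example.com asks receivers to reject unaligned mail; example.org only monitors.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489 defaults
    (relaxed alignment for both mechanisms, policy none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real implementations use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') requires an exact match between the
    authenticated domain and the From domain; relaxed ('r') accepts a match on
    the organizational domain, so mail.example.com aligns with example.com."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             records=DMARC_RECORDS):
    """Return (disposition, reason) for one message.

    from_domain: domain of the visible RFC5322.From header.
    spf_result/spf_domain: SPF outcome ('pass'/'fail') and the MAIL FROM domain it checked.
    dkim_result/dkim_domain: DKIM outcome and the d= domain of the verified signature.
    """
    txt = records.get("_dmarc." + from_domain.lower())
    if txt is None:
        # No DMARC record: the receiver has no policy to apply.
        return "none", "no DMARC record for " + from_domain
    policy = parse_dmarc(txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        # A single aligned pass satisfies DMARC.
        return "pass", "aligned " + ("dkim" if dkim_ok else "spf")
    # Neither mechanism passed in an aligned way: apply the domain owner's policy.
    return policy["p"], "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    # A spoofed From: example.com sent from an unrelated server with no signature.
    print(evaluate("example.com", "fail", "attacker.test", "fail", ""))
    # A third-party bulk sender whose DKIM d= is example.com: passes despite SPF mismatch.
    print(evaluate("example.com", "pass", "bulk-sender.net", "pass", "example.com"))
```

The third-party sender case is the one that trips most deployments: with adkim=s a signature from mail.example.com does not align with example.com, so either the sender must sign with the exact From domain or the record must use relaxed alignment.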
Cathleen Mohr: In short — education. Hackers are patient and creative, and they exploit our innate willingness to help others and provide good customer service. They use targeted research and social engineering to piece together the puzzle of an individual until there’s enough of a picture to do harm. To mitigate the risk of email credential hacking we cover best practices in digital display messaging, news articles, blogs, and training sessions throughout the year for our internal and external customers.
Who do you think is the more dangerous threat to network security – insiders or outsiders?
Butler: Our CIO recently went to a ransomware conference held by the FBI in downtown Los Angeles. The head of the FBI said to the group, “If I could only buy one thing to protect my data, what would that be?” Firewall, antivirus, anti-malware, security software? He answered the question with, “end user training.” The untrained insider who gets a call from an outsider who says, “Hi, I’m from tech support and need access to your system to troubleshoot why things are running so slow,” just clicks on the link and gives the bad people access to their system. It’s kind of scary that we put all these policies and procedures and infrastructure in place, and the bad guy knocks on the front door and we let them right in.
Cobb: The problem with saying either outsiders or insiders are more dangerous is that you risk underplaying the very real threats from both. For many organizations the threat volume is far greater from the outside, but many of these are relatively easy to deflect. However, as Snowden, and now Martin, have demonstrated at the NSA, a single insider can wreak havoc.
Dominguez: The concept that there are insiders and outsiders may be as misconceived as the belief that there is a perimeter to our networks. As many of the breach reports over the last few years have demonstrated, breaches often occur when valid “insider” accounts are compromised by outsiders. So why do we still make a distinction between outsider and insider? One reason would be to identify motive and methods of compromise for scenario analysis. By understanding the intention and target of the attack, we can develop protection mechanisms. At least that’s the theory. But is there really a difference when a malicious insider or outsider may both use a valid and authenticated account to move laterally within a network, escalate privileges, and perhaps gain access to data and then exfiltrate? The ideal protection mechanisms baseline network, application, and user behaviors of authorized accounts and detect any deviation from those baselines. New security products offering User Behavioral Analytics (UBA) are finally beginning to deliver on the promise of a data-centric security strategy. Combined with protecting data with encryption and access controls, UBA provides a level of monitoring that goes beyond traditional security. When you have a decentralized infrastructure (the cloud) and endpoints that you may not control (BYOD, IoT, etc.), the definition of an insider and outsider may not be as important as it used to be.
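Dominguez describes the mechanism behind user behavior analytics: baseline what authorized accounts normally do, then flag deviations rather than relying on an insider/outsider label. The Python below is an example added here, not the panel's code or any product's engine. It builds a per-user baseline (source subnets, hosts touched, hours of activity) from constructed authentication events, scores new events by how many baseline attributes they violate, and separately flags a user who reaches several never-before-seen hosts, the pattern Dominguez calls lateral movement with a valid account. The log lines and thresholds are constructed for the example; a production system would baseline over weeks, weight deviations, and use real asset and identity context.

```python
"""Added example: baseline-and-deviation detection over authentication events.

All events below are constructed; this is not a product's UBA engine.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history used to build the baseline: timestamp, user, source IP, host.
BASELINE_LOG = """\
2016-10-03T08:12:44 alice 10.1.4.22 fileserver01
2016-10-03T09:30:05 alice 10.1.4.22 mailserver
2016-10-03T16:45:51 alice 10.1.4.22 fileserver01
2016-10-04T08:58:20 alice 10.1.4.23 fileserver01
2016-10-03T09:05:12 bob 10.1.7.15 fileserver01
2016-10-03T13:20:40 bob 10.1.7.15 hr-db
2016-10-04T17:55:03 bob 10.1.7.15 fileserver01
"""

# Constructed new events to score against that baseline.
NEW_LOG = """\
2016-10-05T09:15:00 alice 10.1.4.22 fileserver01
2016-10-05T02:40:13 alice 203.0.113.9 hr-db
2016-10-05T13:05:00 bob 10.1.7.15 fileserver01
2016-10-05T13:10:22 bob 10.1.7.15 dc01
2016-10-05T13:12:48 bob 10.1.7.15 finance-db
2016-10-05T13:15:30 bob 10.1.7.15 backup01
2016-10-05T13:20:00 mallory 10.1.7.15 dc01
"""


def parse(log):
    """Turn whitespace-separated log lines into (datetime, user, ip, host) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, host = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, host))
    return events


def subnet(ip):
    """Crude /24 key for an IPv4 address; enough to separate office from remote."""
    return ip.rsplit(".", 1)[0]


def build_baseline(events):
    """Per-user sets of observed source subnets, hosts and active hours."""
    baseline = defaultdict(lambda: {"subnets": set(), "hosts": set(), "hours": set()})
    for ts, user, ip, host in events:
        b = baseline[user]
        b["subnets"].add(subnet(ip))
        b["hosts"].add(host)
        b["hours"].add(ts.hour)
    return baseline


def score_event(baseline, event):
    """List the baseline attributes this event deviates from."""
    ts, user, ip, host = event
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user %s" % user]
    reasons = []
    if subnet(ip) not in b["subnets"]:
        reasons.append("new source subnet %s" % subnet(ip))
    if host not in b["hosts"]:
        reasons.append("first access to %s" % host)
    if ts.hour not in b["hours"]:
        reasons.append("outside usual hours (%02d:00)" % ts.hour)
    return reasons


def detect(baseline, events, threshold=2):
    """Alert when an event deviates in at least `threshold` ways. One deviation
    alone (a new project server, a late night) is routine; several at once is
    the signal a compromised-but-valid account tends to produce."""
    return [(ev, score_event(baseline, ev)) for ev in events
            if len(score_event(baseline, ev)) >= threshold]


def lateral_movement(baseline, events, max_new_hosts=3):
    """Flag users touching `max_new_hosts` or more hosts absent from their baseline,
    even when each individual event looks benign."""
    new_hosts = defaultdict(set)
    for ts, user, ip, host in events:
        b = baseline.get(user)
        if b is None or host not in b["hosts"]:
            new_hosts[user].add(host)
    return {u: sorted(h) for u, h in new_hosts.items() if len(h) >= max_new_hosts}


def run_example():
    """Build the baseline from the constructed history and score the new events."""
    baseline = build_baseline(parse(BASELINE_LOG))
    new_events = parse(NEW_LOG)
    return detect(baseline, new_events), lateral_movement(baseline, new_events)


if __name__ == "__main__":
    alerts, lateral = run_example()
    for ev, reasons in alerts:
        print(ev[0].isoformat(), ev[1], "->", "; ".join(reasons))
    print("lateral movement candidates:", lateral)
```

On the constructed data, alice's 02:40 login from an outside address to an HR database trips all three checks, while bob's daytime hops to three new servers never trip the per-event threshold and are caught only by the aggregate lateral-movement check, which is why both kinds of analytic belong in a baseline-driven program.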
Mohr: While outsiders are always on the attack, insiders (including suppliers with access), a lot of times through ignorance or carelessness, are the most dangerous threat to network security. Outsider threats typically require that an internal vulnerability be exploited or an unintentional act of an insider to be successful. Many security incidents involve insiders clicking on a link from a whitelisted customer email address that was spoofed, for instance. It’s easy to do when we’re busy and just clicking through, and it only takes one zero-day malware attack to cause serious problems.
Hunter Smith: Many outward-facing technologies exist today that can help identify and protect a company from external threats. However, insider threats also are very dangerous and often overlooked by security programs. These extend beyond malicious activity by an employee; they also include the compromise and exploitation of credentials for internal resources. Insider threats are a challenging set of issues to identify and mitigate, and can vary from company to company.
What is the most common security weakness that you see in today’s business environment?
Butler: Default passwords, passwords on sticky notes, passwords in Excel files, and unlocked computers. It’s kind of scary — I set up my Nest thermostat in my house and left the default password in the system and when I was showing our IT people how neat it was to control my heat in my house from twenty miles away, they talked to me about how hackers could get into my Nest, pull my Wi-Fi password and get into my home computer and then into my office network. As the world gets more connected, people have more and more wide-open, untraditional endpoints to hack into.
Cobb: The most common weakness I see is a failure to understand and think like criminal hackers. Too many firms fail to understand exactly what digital assets the organization needs to protect. Many also fail to fully grasp the quantity and quality of resources and expertise that the bad guys can bring to bear in committing cybercrime against them. Unfortunately, when businesses do grasp the current reality, too many of them run into the other major weakness in today’s business environment: a severe shortage of people with the necessary cybersecurity skills.
Dominguez: Not knowing where your data is. So many security departments jump right into protection routines without really understanding how the business uses that data, where it may reside, and who is accessing it. A good security program starts by understanding the assets you want to protect, determining the risks, and defining the control frameworks you will apply to mitigate those risks. A security program that is just a bunch of technology and processes without the details of data identification and classification is an incomplete program that will leave you with nothing but surprises.
Mohr: The most common security weakness I see has two aspects: the lack of understanding of risk impacts and an overreliance on IT to protect against them. Security needs to be integrated into a company’s risk management function and evolve as threats change and the program matures. It needs to include people, processes and technology. IT may not properly understand the organization’s risk tolerance level or the business priorities. Leaders don’t have time to learn the technical aspects of security or regulations. Neither IT nor the leaders understand the burden to daily business operations. This makes it difficult to right-size the security budget, strategize, implement effective security controls, develop products, and allocate resources. Worse, cybercrime is scary and often unquantifiable, which prompts organizations to spend more on ineffective controls or to spend in ways that are unsustainable.
One option is to create a cross-functional team whose job it is to understand the real risk to your particular company. A leader or consultant with excellent communication skills, a solid IT understanding and strong business acumen will help bridge the gap in this risk picture. There are many proven security planning processes with practical outcomes and tools available. Without a universal security framework or one law that applies to all businesses, it’s necessary to develop a security program that fits your organization’s risk tolerance level, resources, and compliance position. Once you have a plan, it’s easier to adjust, outsource, and adapt.
Is BYOD inescapable at this point, and if so, what security measures can be taken to make it as secure as possible?
Butler: Yes, BYOD is inescapable. Companies need to create policies and infrastructure around this mobile dynamic. It will become increasingly prevalent for businesses to supply these mobile devices to the employees so that they can control and manage them, with location tracking and remote wipe capabilities. Creating a guest access Wi-Fi for our clients also helps minimize company data exposure to threats.
Dominguez: Absolutely inescapable; millennials demand it, and the reality is that we’re moving to a cyber world that will be made up of an Internet of Things where no one organization will control the infrastructure of where the data resides. With BYOD, the key is a data-centric security strategy that rolls in encryption, authentication, and aggressive monitoring. Concepts like containerization can be used to permit end users to use their device, yet maintain the company assets in a secure and managed “enclave.”
Smith: BYOD is commonplace today, and it’s generally expected as a standard by potential employees. Personal devices present a number of security threats, ranging from data loss to an attack vector into your corporate network. Mobile Device Management (MDM) is the first step towards managing and mitigating the risks associated with BYOD devices, but strong policies, end-user training and proper identity management can help round out your BYOD support strategy.
What should be the goal of any organization when it comes to information security?
Cobb: Organizations must balance the risks inherent in the deployment of digital technology with the benefits to be gained. These risks are not just financial losses and operational disruptions, but also reputational risks that a security breach and/or regulatory sanction entails. I totally get the resistance within companies who see expenditures on information security as a hit to margins and profits, but the hit from a security failure can be huge. I am hopeful that there is growing consumer sentiment in favor of companies that take the lead in data security and privacy. That might make it easier to argue against going full steam ahead with risk-inducing technology projects.
Dominguez: Simplistically, enabling your business to function in an optimal manner while identifying and managing risks posed to the business. Manage risks to the extent where those risks that are within your company’s risk appetite are acceptable and retained, and those risks that are not within the risk appetite are avoided, monitored and/or transferred.
Josh Gatka: Studies have shown that attackers typically give up after 90 hours. When it comes to security, the goal for any organization should be to make those 90 hours frustrating and fruitless for attackers. If attackers manage to get past your first line(s) of defense, they should find another layer right behind it. We call this concept “Defense-in-Depth.” Since achieving 100 percent security is nearly impossible, adopting strong defenses at every angle should be the goal.
In your opinion, are most organizations doing enough to protect their most critical business assets from threats and vulnerabilities?
Butler: No, we see many clients react once it’s too late. Businesses need to put a strategy in place to manage data and how it is created, distributed, and archived, so that it lives within a managed system that the business owner has control over. If an employee has sensitive business information on a mobile device and then they quit or get fired, it’s too late to manage that data.
Cobb: The organizational security landscape is very diverse, with some firms doing a really good job of protecting their assets, while others are frankly reckless in their apparent disregard for the consequences of their lack of protections. What I can say for all organizations is that none of them are getting enough protection from the government. While there are some excellent cybersecurity professionals in law enforcement and various regulatory agencies, there are nowhere near enough. Until the fight against cybercrime gets the priority and resources it deserves within our government, companies will continue to take the brunt of each new wave of attacks.
Gatka: It is tough to generalize an entire industry, but I think that there is always room for improvement when it comes to security. When companies suffer a breach, especially large organizations in the public eye, it’s often surprising to find out how easy their vulnerabilities were to exploit. Social engineering attacks (impersonating someone with authority and convincing an employee to do something malicious) remain one of the most highly successful tactics for compromising an organization, and most organizations are not training their employees on how to recognize such an attack. To properly protect your organization, executives should stress the importance of security training for employees to recognize and protect their organization against these threats.
Smith: Most organizations today are only beginning to become security-aware. Historically, most companies would implement a basic security program that focused on technologies like AV and a firewall to prevent security issues. And although these are key components in any modern security portfolio, a well-rounded security program needs to cover and address four key areas — security technology, security operations, audit and compliance, and risk management. The final area that businesses need to focus on to protect their critical assets is backup and business continuity, in the event that other security measures are insufficient.
What’s the one security or compliance issue that makes you lose sleep at night?
Butler: Backup and business continuity. We need to back up email, data, ERP, CRM and system images. Ultimately, clients entrust our organization with their data and how it flows through their systems. We always plan for the worst. We imagine that a catastrophic earthquake, flood or tsunami obliterates the infrastructure we support and we feel confident we can get our clients back up and running when they are ready.
Dominguez: Currently, I am concerned with the threat from nation states and organized cyberwarfare. Cyberwarfare is happening today, but instead of troops taking the brunt of the attacks, private and public institutions are directly on the front lines. Security is not viewed in the same light as warfare because the impact is not a human casualty. However, the potential for loss of human life is there as we become more dependent on information and smart technology – whether in medical devices, self-driving cars, a nuclear power plant, or even a water treatment system. The U.S. government has taken the approach of fighting this war by passing laws forcing those that are attacked to defend themselves – basically, compliance with regulations is the mandate of the government. However, regulations always fight the last war, not the future one. We’ve finally seen the creation of a Cyber Command and law enforcement, and the government is taking a much more active role in the protection of our critical national assets. But the mindset to accept this as a war and not a nuisance has not fully changed yet.
Gatka: Credit cards. I’ve done a lot of research on the new credit card EMV chips for our recent internal security week training. Credit cards are often easy targets of attack because when you swipe your card, your number and expiration date are sent in clear text across the wire. This information is SO easily stolen by attackers. Using the credit card chip ensures that data is encrypted and that only one-time-use transaction codes are sent. Chip-enabled cards have been out for more than a year now yet I am still forced to swipe my credit card at many shops and restaurants. I’d advise more people to adopt chip-enabled cards as soon as possible to decrease the threat of an attack.
Smith: Email exploits are among the most successful cyberattacks, as 91 percent of attacks originate through email today. Phishing and crypto viruses are the primary types of attacks, and in many cases aren’t discovered until after they have been successfully executed.