March 31, 2015
New Perspectives on Cyber Security
by Norman Marks
The first step on cyber security is to get our heads out of the sand and understand that we are all, collectively and individually, at risk.
The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that it has a cyberwarfare capability: not just one unit, but three. Other nations, including the U.S., Japan and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.
What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?
The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014, according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year, and the majority expect to be hacked this year. However, nearly a quarter, according to Fortune, have not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out it had been hacked, and even longer before it knew the extent of the damage.
Organizations need to be ready to respond effectively and fast!
The JPMorgan Chase article reports that, “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”
All is for naught if successful intrusions are not detected and responses are not initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity, but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “over-focusing on prevention and not paying enough attention to detection and response. Organizations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”
Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all itself; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.
What else should we do?
We have to stop using passwords like “password,” the name of a pet or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one. (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)
A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps — both from in-house developers and from external sources.
Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and practical suggestions for improvement.
Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. They address the vulnerabilities most often targeted, and, when there is a breach, very often it’s because the patches have not been applied.
As individuals, we should have a credit-monitoring service (I do), set up alerts for suspicious activity on bank accounts and use all the anti-virus and spam protection that is reasonable to apply.
Finally, as individuals and as organizations, we need to make sure we and our people are alert to hackers’ attempts through malware, social engineering and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.