November 30th 2018 marks the 30th annual Computer Security Day. Originally launched in 1988, before computing even became mainstream, the day was one of the earliest reminders of the threats facing modern technology and data.
Now, thirty years on, the threats facing organisations’ data are more significant than ever – from ransomware to hacking – while the sensitivity and volume of data grows each year. According to a recent survey conducted by IDC and Zerto, 77% of businesses have experienced a malicious attack in the past 12 months, with 89% of these being successful, demonstrating just how prevalent the security threats businesses are experiencing are. As Shannon Simpson, Cyber Security and Compliance Director at Six Degrees put it: “Cyber-attacks have crossed over into the mainstream, and guarding against security breaches requires constant vigilance throughout your entire business, not just the IT team.”
The case for training
A first step is to consider the human factor. John Williams, Product Manager at Node 4 noted that “regardless of how many layers of protection security experts implement, the weakest link is the people involved.” His solution was to ensure that “employees are fully up to date with the latest security protocols and processes in their company.”
This was a view echoed by Jake Madders, Director at Hyve Managed Hosting who advocates a “back to basics” approach to cyber-security. He commented that, in his experience, people “can mean the difference between malware accessing your system, or not.”
As security professionals, we are acutely aware of the tricks scammers may use – such as emails with fake bank details or ones made to look like they were sent from another company employee. However, it’s important to remember that not all employees are exposed to this on a regular basis. This is why Madders strongly supports “training and education programmes for employees to help empower them to spot anything suspicious from an internal point of view.”
Moving away from a fixed perimeter approach
However, constant vigilance is only one part of the puzzle. Ensuring the right technologies are in place to protect wherever it resides is just as important. In the words of Naaman Hart, Managed Services Security Engineer at Digital Guardian, “a perimeter approach to data protection simply isn’t effective anymore.” This was a sentiment echoed by Todd Kelly, Chief Security Officer at Cradlepoint, who went one step further to emphasise that, when it came to network security as a whole, these approaches were “quickly becoming obsolete”.
Instead, Hart advocated for data-aware advanced threat products, which he says can nullify the effects of mass encryption of files, as well as a comprehensive backup policy, while Kelly advised security professionals to “recommit to trusted security practices when adopting new approaches that leverage wireless, software-defined and cloud technologies.”
A key factor in the move away from fixed perimeter security is the adoption of the cloud and the rise in cloud-based applications. Steve Armstrong, Regional Director at Bitglass stressed that despite such applications making businesses more flexible and efficient, “many of the most popular cloud applications provide little visibility or control over how sensitive data is handled once it is uploaded to the cloud.” One of the primary vulnerabilities that Armstrong highlighted was the problem of misconfiguration such as in Amazon A3 buckets or MongoDB databases, pointing out that “given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered essential for enterprise IT. To do this, Armstrong recommends that organisations should “leverage security technologies such as those provided by the public cloud providers, IDaaS providers and CASBs,” all of which “provide visibility and control over cloud services like AWS.”
In addition, automation technology can help reduce the risk to data, both at rest and in transit, said Neil Barton, CTO at WhereScape. This is because “by limiting or negating the need for manual input, businesses can better protect against security vulnerabilities.” Meanwhile, using automation to take care of the basics can help free up IT staff “to ensure the data infrastructure is delivering results with security top of mind.”
The importance of testing plans and learning from mistakes
Providing IT staff with more time could be critical to one of the most vital aspects of security preparedness – testing. Stephen Moore, Chief Security Strategist at Exabeam commented that “organisations that handle sensitive data must implement constant security checks, as well as rapid incident response and triage when needed.” This was a sentiment also voiced by Paul Parker, Chief Technologist, Federal & National Government at SolarWinds. Speaking about the need for cyber-security in the public sector, Parker noted that “most important is developing and routinely testing your emergency response plan. Much like the UK’s Fire and Rescue Services “practice” fire response and life-saving services, organisations should also practice their network breach response.” His core advice to organisations in the current security threat landscape? “Don’t learn how to extinguish a fire on the fly.”
Finally, a sentiment echoed by several experts was the inevitability of organisations facing a cyber attack at some point in time. Gijsbert Janssen van Doorn, Technology Evangelist at Zerto concluded: “Yes, protection is important; however in a culture where attacks and downtime are no longer a matter of ‘if”, but ‘when’, these precautions are not enough. Organisations also need to be prepared for what happens after a disruption, and will be judged not only on keeping people out and data safe, but also on how quickly they are back to functioning as normal – how resilient they are.” Meanwhile, Parker concluded that, following an attack, “public sector organisations can use the insights garnered from the incident to learn, perfect and prepare for the next one” – a sentiment as true for all businesses those in the public sector.
Thirty years after the first Computer Security Day, it’s clear IT and security professionals find themselves in a much more complicated landscape than their predecessors. However, there is much that can be done to keep data safe, and businesses online – from moving away from the fixed perimeter approach to cybersecurity, to ensuring regular training and plan testing, and even making sure organisations can get back online when something does, inevitably go wrong. The key, across all aspects of security, is preparation.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.