Industry Perspectives

Can we all get serious about cyber security now? Please?

As I read about the recent cyber attacks on United States Office of Personnel Management (OPM) and the possible compromise of the records on millions of Federal workers, it really made me step back and think about all the successful attacks against governments over the last couple of years. White House attacks, US State department attacks, Veterans Administration attacks, DHS attacks, and the list goes on and I’m only listing a few of them in the US Federal space, let alone the vast amount of attacks against other governments. This last attack supposedly compromised the security background information on millions of Federal workers. This is a very serious matter. Why aren't we doing more to stop or at least minimize the impact of these attacks. Its time we get focused on this problem and not push it off into another fiscal year. We need to enable CISOs, CIOs, and all of government leadership to fix this issue with required funding, resources, and authority and definitely, accountability.

What can we do about it? First some simple steps. Realize that your current strategy is not adequate in today’s interconnected world. Your perimeter is mostly gone, data sits in numerous locations and attackers have multiple vectors such as email, web, mobile, and more from which to attack. Many successful compromises today use a couple of different attack vectors and multiple data flows during a single attack to ensure its success. Attackers also use exploits designed for new zero-day vulnerabilities during these large scale attacks to eliminate any chance of the legacy signature based tools from detecting an attack. Most of the security architectures in place today around the world rely on signature based technology to detect an attack. Since those products do not have a signature for a previously unknown zero-day exploit, they are wholly ineffective thwarting attacks as we can see from the continuous media coverage surrounding this issue. We must stop relying on legacy signature based security infrastructures to protect us and realize that breaches are inevitable. Adjust your strategy around this and prepare a pro-active stance in defending your enterprise. Attackers will continue to modify and evolve their tactics and tools to break into our systems. We must continuously evolve our tools, techniques, procedures, and strategy if we’re to keep our data safe.

Increase automated threat intelligence feeds across your enterprise now. Governments have a bad habit of attempting to stovepipe their enterprise systems from each other. Although network segmentation is helpful in slowing attackers, keeping your threat intelligence segmented doesn’t help. You need to share this information in an automated real-time fashion which can help ensure that your counterpart organizations are aware of any attempts to compromise you, giving them the data needed to protect themselves. Realize that we’re all in this together. Even then, remember this isn’t always effective since you could be the initial target however it can help others stop an attack.

Utilize NIST 800-53 Revision 4 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) which gives great guidance on putting in place the proper security controls. Read it and follow it. Although it is a very large and comprehensive document at four hundred and sixty-two pages there’s a good starting point at the Council on Cyber Security’s Top Twenty Critical Security Controls (http://www.counciloncybersecurity.org/critical-controls/). It’s a subset of the controls from 800-53 and can help you take some bite-sized chunks out of the current security infrastructure challenges we have today. Once that’s in place, go back to a review of all the controls from 800-53 and utilize whats applicable in your environment.

Realize that breaches are going to happen and you may be compromised already. Our own data shows that on average, attackers have two-hundred and five days of dwell time in a system. That means that an attacker compromises your organization and it typically goes undetected for over six months. Counter that statistic by creating a team of solid cyber security experts to hunt in your environment for signs of compromise, if you don’t have the expertise to do this, then contract it out to a reputable firm. Ensure you have a well-thought out Incident Response plan and test it repeatedly throughout the year to ensure its ready when a compromise is detected. If your organization doesn’t have the expertise to secure your enterprise, admit that to yourself and seek help from companies or other organizations that can help you. Our data also shows that for most organizations, sixty-nine percent of the time, they never detect a breach and instead are notified by law enforcement or a third party. Don’t wait until you’re reading about your organization’s latest compromise on the front page of the news or the FBI is knocking on your door telling you about it. Please, fix it now.