Humans can’t be patched – how businesses should be integrating IT security at board level
By Mark Steel, CEO at Cyber Security EXPO (8-9 Oct 2014)
2014 so far has seen an upsurge in public awareness of cybercrime, with a flurry of high-profile security breaches hitting the headlines; the sensationalised coverage of the Heartbleed and Shellshock bugs struck fear into the hearts of businesses and consumers alike, while a cyber-attack on eBay led to the theft of around 145 million usernames and encrypted e-mail addresses, proving that an organisation is never too big to fall prey to cybercriminals. And these breaches are not likely to subside anytime soon. Indeed, a recent Experian report predicts that the number of breaches will continue to rise in coming years, and SafeNet observes that in Q1 2014 the number of records stolen increased by 233% compared to the same period last year. With more communication, sensitive data transfers and transactions taking place online than ever before, the potential spoils for successful cyber-criminals are rich. For example, the London Stock Exchange has indicated that in the UK alone nearly £125 trillion is traded electronically each month, making us a significant target for cyber-attacks. For this reason, the prospect of a breach is now a ‘when’ not an ‘if’, and “the steady rate of breaches reminds us that organisations must plan for failure”, says John Bruce, CEO of Co3 Systems.
The problem remains, however, that risk is usually only managed at board level once a major attack has taken place, which, besides being by far the most expensive way to resolve such problems, is neither logical nor sustainable; when US retailer Target was hit by a data breach in September 2013, its profits fell by 46% and the cost of dealing with the crisis was estimated at $61 million. If breaches are going to keep happening, then cybercrime must be tackled from the top down in a proactive and strategic way in order to prevent such crippling financial and reputational damage from occurring on a regular basis.
So why are businesses still failing to implement efficient, functional IT security strategies? The issue is multifaceted, but there are several obvious barriers to the prevention of both targeted and opportunistic attacks. Overall, there is a need for a significant shift in business culture from regarding IT security as something ‘best left to the experts’ to something that permeates the heart of a company’s culture, including its policy and its people.
As we are in the midst of Cyber Security EXPO and in such a complex landscape, I thought I would bring together some of the companies that have been exhibiting at the EXPO to discuss how to operationalise IT security and integrate it at board level.
Effective IT security depends much less on technology than most managers might think – while investment in the right software is important, a lack of ownership over the potential for human error means companies are setting themselves up for eventual failure. “Having a secure network, though essential, is only part of an organisation’s ability to operate an effective IT security process. After all, any cyber-attack is born from a weak link in the security chain,” says Terry Greer-King, Director, Cyber Security, Cisco UKI. These ‘weak links’ can manifest in various forms, ranging from an employee’s benign ignorance of company IT policy to full-blown ‘social engineering’ of employees by malicious outsiders.
“We are already seeing a movement from ‘hacking the computer’ to ‘hacking the user’,” says Giovanni Vigna, CTO at Lastline. “This is because attackers always use the path of least resistance, and it is becoming easier to trick a user into installing malware than performing a remote compromise, especially in the case of targeted attacks. The best way to defend against this is user education, and the challenge is to make the concepts of deception and trust understandable to non-technical people.”
Indeed, many of the measures employed by well-meaning managers run counter to the way ordinary human beings actually think and behave. For example, long, randomly-generated passwords may be successful in confounding hackers, but the majority of people simply won’t be able to remember them, which leads to writing them down – thereby undermining the very concept of a secure password in the first place. “When people act inappropriately most organisations coordinate their response the same way they have for the last fifteen years: email, spreadsheets and ticketing systems. The proliferation of data, increasingly sophisticated attacks and mounting regulatory requirements have rendered these manual approaches completely ineffective. Important actions fall through the cracks and subject organisations to unnecessary risk,” adds John Bruce, CEO of Co3 Systems.
The unfortunate truth is, technology simply cannot protect companies against these very human problems – and outmoded ways of dealing with transgressions within organisations are no longer working. David Emm, Principal Security Researcher at Kaspersky, believes the first step in the right direction is to work with human nature rather than against it, and “demystify security issues, explaining them to staff in an easy to understand manner. This means varied forms of communication – written and verbal – as well as including the usual catalogue of do’s and don’ts for staff to follow.”
While humans are undoubtedly organisations’ weakest link, they can also provide a way to solve the problems they create through the analysis of available data, suggests Uri Rivner, VP Business Development and Cyber Strategy at BioCatch: “Creating a baseline of a user activity, their interactions, habits, choices and behaviour, is now achievable. Intruder detection, once in the realm of network and content analysis, will become a human analysis task instead. New technologies based on Big Data analytics and behind-the-scenes cognitive biometrics are paving the path to a new defence doctrine that will detect human actions, locate anomalies and analyse their risk in real-time.” Ross Dyer, Technical Director, Trend Micro UK, adds, “Organisations will start to focus heavily on analytics that provide a view of security at any given moment and not just rely on yearly audits or pen tests. Understanding your posture at a given time is critical to being able to respond to threats, protect your sensitive data and meet compliance requirements.”
The threat from humans is nothing new, but recent technology has given rise to a new level of cyber risk, argues Uri Rivner: “State sponsored attackers have been penetrating thousands of targets in the last five years, and every major corporation should assume someone is already operating within their systems. But two other tidal waves have hit IT: mobility and cloud.”
The proliferation of smartphones and their associated third-party apps – which are often woefully insecure, as illustrated by recent research showing that up to 90% of mobile banking apps contained vulnerabilities – has meant that enthusiastic mobile users are making breaches easier for opportunistic hackers. Uri Rivner continues: “Users bring their own devices, demand unlimited access, and will always seek the path of least security, because it’s typically also the path of least friction. Humans can’t be patched, easily fall for social engineering, and in 99% of external intrusions will be the gateway through which an attacker gains access into the network. They also pose an enormous insider threat.”
Rupert Clayson, Regional Sales Director UK & Ireland at Fortinet, adds, “In the era of Advanced Persistent Threats (APT), malware attacks are more subtle, intelligent and dangerous. These APTs are aided by the rapid uptake of new ways of working such as BYOD, social and collaboration tools, where users’ endpoints are also used for non-business use. This personal interaction with technology is increasingly the front line, and something as simple as a link on Facebook to an infected webpage can prove the entry point into an organisation’s network.”
However sophisticated a piece of IT security technology, the fight against cyber-crime is one where the attackers will, by default, always be a step ahead of the victims – meaning that even a multi-layered enterprise security system with patches religiously kept up to date will have a weakness somewhere that can be exploited. Gartner has estimated that on a typical corporate network, around one in 20 pieces of executable code is malware that has managed to escape all technical controls.
“Traditional IT security defences and point products are no longer adequate in this changing consumerised landscape, but policing people and curbing employee’s preferred working methods is not the answer – the rise of BYOD is testament to that,” continues Rupert Clayson at Fortinet. “Instead there’s an increasing urgency to adopt a more modern and intelligent approach to threat detection and remediation, that adds holistic visibility and granular control across every device, app and network, without limiting user behaviour.”
POLICY AND STRATEGY
Perhaps it is the sheer speed at which the level of device connectivity has exploded throughout the IT world, or maybe it is down to the commodification of hacking tools being too widespread for top-level management to keep up with, but intelligent integration of IT security within organisations is sorely lacking in the face of so many threats. Many companies purport to have taken all necessary measures to prevent a breach, when in fact most of them have simply bought expensive new software without taking a strategic, nuanced approach to protecting themselves.
Kurt Glazemakers, SVP Product Strategy at Cryptzone, sums up the current disparity between reality and the realm of electronic communications: “At the moment, the way information security is applied is vastly different from what happens in the real world. Imagine this scenario – someone arrives at the front door, waving an ID card that they’ve picked up off the street and no-one compares it against their physical appearance before letting them through. Having successfully gained access, would the imposter then be allowed to open all cupboards and rifle through drawers, even in areas where they really should be, challenged?”
“However, when you transfer this scenario into current IT security thinking – that stranger, having first presented their ID at the front door (user credentials), is now allowed to go wherever the identity is allowed to go, and do whatever it’s allowed to do, even if this is out of character, without arousing suspicion or being challenged again.” He continues, “For organisations to operationalise IT security requires a complete rethink to the way data and networks are secured – what we call a ‘zero-trust’ security model. While that might seem drastic, it doesn’t mean everything has to change; just the way we think about, and apply, security in the enterprise. A zero-trust security model will naturally move organisations away from securing things, like networks and devices, to looking at context in order to secure the actions of users.”
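As an added illustration (not code from the article or from any of the vendors quoted) of the behavioural baselining Uri Rivner describes and the context-based, zero-trust re-checking Kurt Glazemakers argues for: a user who has already presented valid credentials is still scored on each action against a profile of their own habits, and out-of-character actions are challenged or denied rather than waved through. The event data, the scoring reasons and the thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample history for one user (hypothetical data, for illustration only):
# (ISO timestamp, source country code, resource, action)
HISTORY = [
    ("2014-10-01T09:12:00", "GB", "crm/contacts", "read"),
    ("2014-10-01T14:40:00", "GB", "crm/contacts", "update"),
    ("2014-10-02T10:05:00", "GB", "finance/invoices", "read"),
    ("2014-10-02T16:30:00", "GB", "crm/contacts", "read"),
    ("2014-10-03T11:20:00", "GB", "crm/contacts", "read"),
    ("2014-10-03T17:55:00", "GB", "finance/invoices", "read"),
]

def build_baseline(events):
    """Summarise a user's habitual hours, locations, resources and action types."""
    hours = [datetime.fromisoformat(ts).hour for ts, _, _, _ in events]
    return {
        "hour_range": (min(hours), max(hours)),
        "countries": {c for _, c, _, _ in events},
        "resources": Counter(r for _, _, r, _ in events),
        "actions": {a for _, _, _, a in events},
    }

def score_event(baseline, event):
    """Score one already-authenticated action; each deviation from habit adds a reason."""
    ts, country, resource, action = event
    hour = datetime.fromisoformat(ts).hour
    lo, hi = baseline["hour_range"]
    reasons = []
    if not lo <= hour <= hi:
        reasons.append("outside usual hours")
    if country not in baseline["countries"]:
        reasons.append("new source country")
    if resource not in baseline["resources"]:
        reasons.append("never-used resource")
    if action not in baseline["actions"]:
        reasons.append("unusual action type")
    return len(reasons), reasons

def decide(baseline, event, challenge_at=1, deny_at=3):
    """Zero-trust style decision: the ID shown at the front door does not settle every action."""
    score, reasons = score_event(baseline, event)
    if score >= deny_at:
        return "deny", reasons
    if score >= challenge_at:
        return "challenge", reasons   # e.g. step-up authentication or analyst review
    return "allow", reasons
```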
Prioritising which critical assets deserve the most vigilant protection is a far more worthwhile endeavour for managers than trying to defend against every single threat. Like a shopkeeper who keeps his most valuable products in locked glass cabinets where he can see them – and accepts that schoolchildren may shoplift packets of chewing gum – the approach to cyber security must be flexible, practical and based in reality rather than idealism. Ifeanyi Nwabueze, Technical Consultant at F-Secure, describes this mind-set as “managing the network assets in a state of ‘presumed breach’” – that is, accepting that a breach will probably happen at some point, understanding the realities of the threat, and anticipating what will be needed to neutralise it.
Resourcing must play a key part in a good security strategy, but a lack of available talent still poses a challenge to management, says Thomas Owen, Security Manager at Memset. “There are far more security-focused jobs than people. That’s why it’s important to back the people up with an automation and data aggregation framework to act as a force multiplier. A few key security hires can have a disproportionate impact.” “For organisations that can afford to, hire an Information Security Manager or an Information Security Management Service Provider,” advises Ifeanyi Nwabueze.
Going forward, board-level decisions regarding IT security may even need to extend to the recruitment process, complete with employee incentives, in order to place education about procedures, risks and consequences at the very heart of organisations. This measure should be combined with nuanced analysis of existing employee behaviours and with learning from the patterns of previous security breaches in order to anticipate future problems.
Ultimately, however, human weakness will be nearly impossible to eradicate completely – “We are psychologically designed to be helpful, empathic, kind, communicative, merciful, all perfectly admirable qualities that can be used to model, predict and exploit behaviour,” says Thomas Owen, Security Manager at Memset. “The spend required to audit and reconfigure a network is definable and can be related to the positive impact of the work, but it’s vastly more difficult to metricise an effort to ‘secure the human’.”
As cyber-attacks are increasing in frequency, magnitude and complexity, adversaries are committed to finding weak links and using them to their full advantage. That is why Cyber Security EXPO, co-located with IP EXPO Europe and Data Centre EXPO, has organised a wide range of activities such as The Cyber Hack, a new live open source security lab that gives professionals hands-on experience of defeating cyber-attacks. 80% of our attendees come with a specific interest in security content, so we have invested in tripling the number of expert security speakers to give this side of the event its own identity. Now we can discuss the challenges, trends and cyber security solutions in context with the rest of the IT infrastructure stack. This makes perfect sense for IP EXPO Europe’s delegates and for security specialists alike, as they can interact with professionals working with the Cloud, data centre technologies and IT infrastructure too.
In line with this organisational shift, Cyber Security EXPO is delving deeper into what you need to know about your own systems and defences. On its last day, you can still register for the EXPO at www.cybersec-expo.com