Essential guide to security: Rethinking your defence
High-profile hacktivist attacks and data breaches may grab the headlines, but IT leaders should concentrate on rethinking their cybersecurity
In the past two years, a slew of organisations from Sony to the Serious Organised Crime Agency (SOCA) have been hit by high-profile security breaches and attacks on systems. At the same time, sensitive personal data has been compromised through negligence, such as in the recently reported loss of USB sticks containing unencrypted NHS patient data.
It has become abundantly clear that for all the corporate and government focus on compliance, security and resilience, in many areas organisations’ information security strategy is failing them – as well as those customers whose sensitive information they store and process.
As technology and business step forward, so CIOs must continually step back and understand what any changes mean for their organisational systems, processes and policies. Today, there are few areas where this is truer than in the realm of information security.
Reports of breaches have moved beyond the online messageboards and into the maelstrom of mainstream media. Audacious attacks, damaging data breaches and arrests of hacktivist “leaders” (a term that exposes a misunderstanding about the decentralised nature of such groups) have hit the headlines, prompting a barrage of questions (but few satisfactory answers).
Some have advocated cracking down hard on those apprehended to set an example to other would-be intruders; others have railed at the negligence and incompetence of the organisations that allowed confidential information to be exposed. The headline attacks also helped spur the government’s resolve to introduce internet monitoring proposals in the Queen’s Speech, a measure which most close to the subject believe will be ineffective at combating genuine threats.
But while the actions of Anonymous, Lulzsec and other hacktivists have shone the spotlight on organisations’ information security, that spotlight is also revealing more worrying issues.
Chris Potter, a partner at PwC and co-author of last month’s government-backed Information Security Breaches Survey report, says: “Some people characterised 2011 as the year of the hacktivist and that’s certainly a factor in the doubling of breaches we’ve seen over the past two years. However, the most serious attacks don’t come from hacktivists. Generally, these more public attacks are distributed denial of service (DDoS) attacks designed to bring down a website by bombarding it with requests. Far more serious, though, are the increasing attempts to steal corporate information or commit fraud.”
Meanwhile, among (and within) public- and private-sector organisations, debates have raged over the best way to tackle the problems. To many, it’s clear the common technological approach to security – which centres on protecting the perimeter of the organisation with firewalls and anti-malware scanners, while ensuring all systems are continually patched and up-to-date – is no longer effective.
“Zero day” threats – attacks that exploit a vulnerability before the vendor has released a fix, or malware that has not yet been added to the defending software’s signature database – will always be favoured by serious attackers, because patching and signature scanning cannot stop what they do not yet know about. Malware is becoming increasingly sophisticated, easy to use and hard to detect. “Botnets” of compromised (often consumer-owned) PCs can be remotely commanded to do the attackers’ process-intensive bidding.
The security challenge is growing on other fronts, too. The tide of consumerisation continues to sweep through our organisations and workers are increasingly seeking access to business systems and information via ever-more-powerful mobile devices that often do not come under the remit of an organisation’s security policies. Users also want to use social media, web applications and cloud services, which introduce yet more problems for those tasked with maintaining information security. There are now so many ways to bypass standard defences that a growing number of people think many organisations need to rethink their entire approach to security.
Advanced threats and evasion techniques
At last month’s Infosecurity Show, much of the talk was around advanced persistent threats and advanced evasion techniques (APT/AET). APT describes a well-resourced adversary, typically a foreign government or an organised criminal group, that probes a target company’s defences persistently, across multiple vectors and with ever-changing techniques and technologies, until a point of entry is found, and then works to keep that access.
The techniques involved can vary from automated scanning to social engineering to finding a way in via the extended supply chain. AET, meanwhile, refers to ways of disguising attack traffic (for instance by fragmenting or encoding it across several protocol layers at once) so that it slips past intrusion detection and prevention systems, and to the tactics attackers then use to hide their presence inside an organisation’s systems. In his keynote address, Spencer Mott, chief information security officer (CISO) of videogames developer Electronic Arts, said: “Eventually this will pose a threat to any significant business, although the big global brands with the most ‘interesting’ things to steal are going to be affected most.”
Vendors of security technologies have responded by aggressively marketing solutions that they claim can protect against APT/AET. But while the threats may be real, most seasoned information security professionals see the profusion of proffered “silver bullet” solutions as little more than the latest round of industry hype. No technology can blast away all the threats.
Process, people, technology
Effective security is, as it always has been, about a combination of solid risk assessment, rigorous design (and continual review) of policies and processes, thorough technical security when designing and testing systems and websites, ongoing programmes to ensure users understand their role in minimising threats and, yes, judicious use of appropriate security technologies including anti-malware, access controls, event logging, authentication, encryption and others (but only as part of that broader strategy).
One way that many organisations seek to demonstrate that they have struck the right balance of process, people and technology is by becoming certified against a formal security standard, such as ISO 27001. In some sectors compliance is mandatory, as with PCI DSS for organisations that handle payment card data. Yet many of the organisations hit by breaches have been certified against one or more of these standards.
Professor John Walker is an independent cybersecurity consultant and academic who has advised countless corporations and government organisations, including such bastions of security as GCHQ and the CIA. “Where one encounters ISO 27001 certifications being issued to organisations whose information security is based more on smoke and mirrors than robust strategy, one starts to understand why attacks are so rife and successful,” he says.
“Likewise, PCI-DSS was born for the right reasons, to provide security to the card-using public. However, over the years, use of the standard has evolved into a science of tick-box security focused on dashboard reporting rather than on underpinning robust technical security. This is evidenced by the multiple failures in PCI-DSS-compliant organisations, such as the recent debacle of Barclays deploying insecure contactless payment cards.”
The financial services industry, of course, faces a greater risk of attack than most sectors and is subject to greater scrutiny. It has undoubtedly made significant strides to improve security, spending around 10 per cent of its IT budget on the endeavour (a figure matched only by telecoms and manufacturing), according to the 2012 Information Security Breaches report.
It has also led the way in terms of improving user authentication controls, detecting fraud (both internal and external) and educating customers about security threats. Such a response has largely been born of commercial necessity. As the survey notes, financial services is the sector most affected by customer impersonation and identity fraud. “Criminals currently appear to find it easier to make money by impersonating the customers of banks,” it states.
In his keynote speech at the Infosecurity Show, Minister of State for Universities and Science David Willetts, whose remit includes cybersecurity, praised the sector for its “attitude shift”, noting that in recent years there had been a sea change in financial services companies’ willingness to co-operate with one another in order to understand and combat threats better and faster. He urged other sectors of the economy to take a similar approach and share information on attacks, as well as to work collaboratively across the public and private sectors to improve defences.
Different sectors face different levels and types of threat, of course. Most of the successful incursions into company systems and networks could have been avoided if companies had just got the infosecurity basics right.
Professor Walker says organisations have for too long ignored the experts’ warnings. “When you report to an organisation’s CISO and security directorate that they are hosting significant security vulnerabilities, leaking information and presenting an opportunity for malware to enter and leave their logical premises undetected, as well as being exposed to a high level of insider threat, only to have your report ignored – it does make you realise, Houston we have a problem,” he says.
The UK Cyber Security Strategy launched by Minister for the Cabinet Office Francis Maude in November last year states: “The technical capabilities that enable a wide range of actions to protect the UK need strengthening. But it is clear that our approach to the risks in cyberspace must not rely on technical measures alone. Changes in attitudes and behaviours will also be crucial to operating safely in cyberspace.”
Changing attitudes, raising awareness
Those responsible for driving information security in leading organisations also believe changing attitudes is a key part of their role. They recognise they must better communicate the real risks and available options to boards in order to secure adequate resources for information security. Equally, they understand the importance of raising user awareness and changing behaviours.
Questioned by Computing at the Infosecurity Show, Phil Cracknell, global security and compliance director at Yell, advocated being creative rather than prescriptive when it comes to changing user attitudes. Cracknell said: “It’s about having a workforce and contractors who deliver value to your business but understand why information is important and think more carefully about keeping it secure. Our education programmes and videos, which we distribute virally, aren’t prescriptive. They contain humour and really make people think about the value of the information they are handling. You can’t just say ‘thou shalt not do X’ – it just doesn’t work.”
Peter Gibbons, head of information security at Network Rail, agreed, adding that it was equally important to persuade senior non-technical managers of the need for, and value of, robust information security.
“You need to articulate any risks in their language, based on business-specific objectives. And you need to be able to show evidence of likelihood. If we say something could happen, we need to demonstrate why we think that’s so. That means being fairly specific about where a threat is coming from. It is no use talking about some vague amorphous blob on the internet that may or may not come to get them.”
In terms of technical protection, among many leading organisations there has been a swing away from simply protecting the perimeter of the organisation towards focusing on protection of the most sensitive data.
Balancing flexibility and security
Leading IT strategists now generally recognise that there are compelling potential benefits to be had from allowing users to work on their own preferred devices, applications and online services wherever possible. These include improving agility, workflow, collaboration, productivity and the organisation’s ability to attract the best talent. Ring-fencing the most sensitive data, so that it can only be used on particular networks, in particular locations, or on devices that are securely configured, is one way to grant that freedom without exposing the crown jewels; but less restrictive controls still need to be developed. Likewise, cost and agility factors now outweigh security fears for many businesses when it comes to the use of public cloud services. Again, though, it is important to decide which data or applications you are prepared to let outside the organisation, and how rigorously each must be protected wherever it ends up.
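The data-centric approach described above, in which what a user may touch depends on the sensitivity of the data, the posture of the device and the network the request arrives from rather than on being “inside the perimeter”, is easy to state and easy to get wrong. The following added example (not code from the article or from any of the organisations it quotes) shows one way to express such a ring-fencing policy as a cumulative set of checks and to produce an auditable decision. The four classification tiers, the device posture attributes, the network labels and the thresholds are all assumptions chosen for illustration; a real deployment would take them from its own classification scheme and device-management data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Data labels; this four-tier scheme is an assumption for the example."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in corporate device management (assumed attribute)
    disk_encrypted: bool   # full-disk encryption enabled
    patched: bool          # at or above the current patch baseline


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    classification: Classification
    device: Device
    network: str           # "corp", "vpn" or "public" (assumed labels)
    mfa: bool              # session was authenticated with a second factor


# Controls that must hold at each tier. Higher tiers also inherit every
# lower tier's rules, so the policy is cumulative: the more sensitive the
# data, the fewer places and devices it may be used from.
TIER_RULES = {
    Classification.PUBLIC: [],
    Classification.INTERNAL: [
        ("device not at patch baseline", lambda r: r.device.patched),
        ("MFA required off the corporate network",
         lambda r: r.mfa or r.network == "corp"),
    ],
    Classification.CONFIDENTIAL: [
        ("device not managed", lambda r: r.device.managed),
        ("device disk not encrypted", lambda r: r.device.disk_encrypted),
        ("MFA required", lambda r: r.mfa),
    ],
    Classification.RESTRICTED: [
        ("restricted data only on corp network or VPN",
         lambda r: r.network in ("corp", "vpn")),
    ],
}


def decide(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons), where reasons lists every failed control.

    Every rule at or below the data's tier is evaluated and all failures are
    reported, rather than stopping at the first, so the user and the audit
    log both see the full gap between the session and the policy.
    """
    failures = []
    for tier in Classification:
        if tier > req.classification:
            break
        for reason, check in TIER_RULES[tier]:
            if not check(req):
                failures.append(reason)
    return (not failures, failures)


def audit_line(req: Request) -> str:
    """One structured log line per decision, suitable for shipping to a SIEM."""
    allowed, reasons = decide(req)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"user={req.user} resource={req.resource} "
            f"class={req.classification.name} net={req.network} "
            f"managed={req.device.managed} mfa={req.mfa} "
            f"verdict={verdict} reasons={';'.join(reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample requests: a personal laptop and a managed one.
    byod = Device(managed=False, disk_encrypted=True, patched=True)
    laptop = Device(managed=True, disk_encrypted=True, patched=True)
    print(audit_line(Request("alice", "/wiki/holiday-policy",
                             Classification.INTERNAL, byod, "public", mfa=True)))
    print(audit_line(Request("alice", "/hr/salaries.xlsx",
                             Classification.CONFIDENTIAL, byod, "public", mfa=True)))
    print(audit_line(Request("bob", "/deals/project-x",
                             Classification.RESTRICTED, laptop, "public", mfa=True)))
    print(audit_line(Request("bob", "/deals/project-x",
                             Classification.RESTRICTED, laptop, "vpn", mfa=True)))
```

The point of returning every failed control rather than a bare deny is operational: the same decision function feeds the user-facing message (“enrol this device and retry”), the audit trail and, over time, the evidence of likelihood that the next section says boards want to see, since the log shows how often sensitive data is being requested from places the policy does not allow.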
There’s no “one size fits all” answer, of course – it all depends on the enterprise’s sector and priorities. Lockdown is still the favoured approach in industries where security concerns are paramount, such as financial services. The key to building a successful security strategy for the future is to keep analysing the changing risk profile against an organisation’s priorities to ensure security controls are appropriate and proportionate. Security should strive to be an enabler of effective business, not just a black hole of spending or a compliance burden.
But however you cut it, the days of smoke and mirrors, at least, are surely numbered – and for that we may end up thanking the hacktivists.