Data Security in a Breach-a-Minute Era

What will it take for companies to get past this data-breach-a-minute era? Get the latest updates on new data security tools and get advice from leading security experts.

Contents: Editor’s Note; A Cybersecurity Checklist for CIOs; The Constant Cyberthreat of Human Error; Overhauling ‘Brittle’ Security

Aug 07, 2020


Editor’s Note

Cybersecurity: A Perpetual Journey

If there’s a silver lining to the many data breaches that have plagued—and continue to plague—companies in recent years, it’s that cyberthreats, previously the stuff of fiction, are now part of the national conversation. You would think this topic would be of keen interest to the companies victimized by these breaches. Wouldn’t they be on guard for even a minor slackening of their security measures? Yet, as SearchCIO expert Harvey Koeppel writes in his column, an unsettling number of IT security leaders have become complacent post-breach.

For example, in one study, Koeppel encountered a worrisome statistic: “Sixty-six percent of executives experience significant attacks on their IT systems on a daily or weekly basis; however, only 9% of executives run ongoing security penetration or continuity of business/disaster recovery tests on their systems.”

One big takeaway from these findings, he said, is that cybersecurity isn’t a destination; it’s a continuous journey. In this SearchCIO handbook, Koeppel offers a checklist for CIOs and IT executives to guide them in this journey and help them get security under control as cyberthreats keep getting more sophisticated.

Also in this issue, CTO and columnist Niel Nickolaisen talks about how to mitigate the one constant and consistent risk among a sea of evolving threats: human behavior. Plus, writer Mary K. Pratt turns to security experts to get their take on why the current state of enterprise security still looks gloomy and what should be done to turn things around. (Hint: It will require some re-engineering.)

What about you—do you view cybersecurity as a destination or as a never-ending journey?

Please write to me at [email protected].

Fran Sales, Site Editor


CIO Tips

A Checklist for Taming Today’s Cyberthreat Landscape

One of the few things the “experts” seem to agree upon is that cybercrime is a clear and present danger to our national security. These issues have gone way beyond the province of esoteric IT journals and cultish science fiction novels—they have invaded our daily collective consciousness and well-being as individuals, as families, as companies, as governments, as a society and as a culture at large. Many opine at great length on how the cyber landscape has become the new battleground upon which future wars will be fought: Nations will rise and fall based upon their techno-prowess to aggressively attack and defend against the new breed of cybercriminals.

At a summit at Stanford University earlier this year, President Obama said this of the cyber landscape: “The first computer viruses hit personal computers in the early 1980s, and essentially, we’ve been in a cyber arms race ever since. … We design new defenses, and then hackers and criminals design new ways to penetrate them. Whether it’s phishing or botnets, spyware or malware, and now ransomware, these attacks are getting more and more sophisticated every day.”

Blind to the Cyberthreat Landscape

“Success does not consist in never making mistakes, but in never making the same one a second time.” —George Bernard Shaw

So what’s the deal here? If this bad stuff has been going on for more than 30 years, then why can’t we get it under control? In its 2015 Cyberthreat Defense Report (North America and Europe), the CyberEdge Group shared what I considered to be an alarming finding: 71% of respondents said they were affected by a successful cyberattack in 2014, yet only 52% of that 71% expected they would fall victim again in 2015.

Could this be true? Feeling a bit skeptical about what I was reading, I checked the research methodology—in particular, the demographics of the respondents: 814 IT security decision makers and practitioners, all from organizations with more than 500 employees. The respondents represented seven countries in North America and Europe and 19 industries. Seems pretty comprehensive.

Another study performed earlier this year, this one by Accenture, titled Business Resilience in the Face of Cyber Risk, reported the following: 66% of executives experience significant attacks on their IT systems on a daily or weekly basis; however, only 9% of executives run ongoing security penetration or continuity of business/disaster recovery tests on their systems.

OMG.

A Pre-Cyber Landscape Tale

Thinking through the rather pessimistic implications of these findings, I was immediately reminded of an earlier series of strikingly related (albeit much lower-tech) incidents perpetrated upon a friend of mine roughly 40 (“pre-cyber”) years ago. Let’s call him Lenny.

Lenny lived near the northern end of Riverside Drive, considered at the time to be one of New York’s “frontier” neighborhoods. Lenny prudently chose to drive a beat-up old Plymouth Fury so that he could inexpensively and relatively inconspicuously park his ride on the street to avoid the significant expense of parking in a Manhattan garage (the cost of which was then and is now roughly equivalent to a monthly mortgage payment) and at the same time minimize the chances of his chariot being “borrowed” or stolen, as is relatively commonplace in frontier neighborhoods.

One day Lenny got into his car, turned the key and—nothing. Not even that horrible clicking noise that a weak or dead battery makes after it has turned the starter motor over for the last time. Upon investigation, Lenny discovered that his battery had been stolen. Two hours and $50 later, Lenny was back in his car with a new battery installed and off he drove.

Life was good for a couple of days until Lenny returned to his Plymouth for another road trip. He got in, turned the key and, once again, the dreaded sound of silence. For the sake of discretion, I will not repeat Lenny’s words in this post. After calming himself down, Lenny realized that his car had become the ideal bad-guy target—one with a brand-new battery, ripe for stealing again. For a brief moment, Lenny actually felt a sense of admiration for the clever manner in which the crooks were augmenting their inventory.

Back to the auto supply store, a couple of hours and $100 later he returned to his car with yet another new battery and, this time, a security upgrade. Lenny purchased a lock and chain to secure his second new battery. If the bad guys were so smart, he, an Ivy Leaguer with a Ph.D., could surely be smarter. Lenny installed the battery, the chain and the lock. Life was good again and Lenny enjoyed his trip to the country.

The following week Lenny returned to where he had parked his car and discovered that, despite his increased security measures, the bad guys found a workaround—they stole the entire car. Lenny quickly became a fan of public transportation.

Three Hard Truths About the Cyberthreat Landscape

Within the context of today’s cyber landscape, there are (at least) three important lessons we can take away from Lenny’s experience:

1. When you think you are safe, it is natural to become complacent, leaving you the most vulnerable.

2. When you think you have mitigated your risk with enhanced technology, someone will come along with better technology that will significantly increase your risk.


3. Cybersecurity is a continuous journey, not an absolute destination.

The CIO Cybersecurity Checklist

Given the state of the cyber situation described above (the tip of the iceberg), here are some critical ways and means for CIOs and IT executives to manage their cyberthreat landscape:

■ Ensure everyone in your organization understands that cybersecurity is not just an IT problem; it is everyone’s problem. All the advanced technologies, firewalls, passwords, tokens, SDNs and so on will provide no value if someone inadvertently responds to a phishing, smishing, spoofing or similar low-tech/no-tech attack. Communicate, train, monitor, improve and communicate.

■ Hire, train and retain the best possible cyber talent you can afford. Cyber experts are in high demand, competition is great and compensation is greater. Do not be penny-wise and pound-foolish.

■ Executives have become an extremely popular target group for low-tech or social engineering cyberattacks. They tend to be the least tech-savvy and have access to the most valuable enterprise assets. Successful attacks and breaches on this group tend to be the most visible (and embarrassing), both internally and externally. Communicate, train, monitor, improve and communicate.

■ Most enterprises commonly accept the fact that becoming the target of a cyberattack is a “when” and not an “if.” There is no such thing as too much communication, preparation and testing. Communicate, train, monitor, improve and communicate.

■ Ensure that you and your team are fully versed in the latest set of external regulations and internal cyber-risk management policies and procedures. Compliance violations are not only embarrassing; fines and penalties are typically significant unbudgeted items. Communicate, train, monitor, improve and communicate.


■ Make sure your incident response process includes well-documented and tested escalation procedures to ensure all the right internal and external stakeholders are notified in a timely manner. Communicate, train, monitor, improve and communicate.

■ Most security experts agree that there is no perfect defense to completely prevent cyber-intrusions, and the best defense includes early detection of intruders and timely mitigation of the negative impact of malware after it has entered your environment. Acquire and install the best tools that your budget will allow.

■ Spending on cybersecurity should be managed by business case, similar to other IT investments. All enterprise assets are not created equal, and some must be more fully protected than others. Identify, locate and classify assets based upon the business impact if asset classes are corrupted, lost or stolen, and budget for their individual protection accordingly.

■ Allocate IT spending to next-generation firewalls, cyberthreat intelligence and analytics, which are among the most popular areas of network security investment.

■ Ensure any existing or newly acquired network inspection tools you are running or implementing have the ability to inspect SSL-encrypted traffic as more and more websites are moving from HTTP to HTTPS protocols.

■ Containerization/microvirtualization technologies are considered “best practice” solutions for endpoint security.

When you think you have finished with everything you need to do, go back to No. 1 and start again. —Harvey Koeppel


Infosec Risks

Human Error: A Constant Threat to Information Security

A few months ago I attended an IT leadership conference. One of the conference topics was information security processes and technology. After several speaker sessions, the conference organizer arranged the participants into a few groups for a facilitated discussion on threats to information security.

In our group, the facilitator started off by asking us what we thought was the best news an IT leader could hear about information security. Others in my group gave answers to the effect that the best news would be if we had just passed our audits or gone some time without an incident or something similar. I timidly raised my hand and said that the best news I could ever receive about information security was that someone else got breached. Why is this good news? First of all, it was not me. Second, as long as it was someone else, the likelihood of my getting funding for investments in information security was greater after a well-publicized data breach.

When it comes to information security, the threats, responses and technologies keep changing, and I expect they always will.

Through all this churn in the threats to information security and the processes and tools to combat them, there is one area that remains a constant and a consistent risk—human behavior. I have not yet figured out a way to ensure that humans act in the right way, but there are some things we can do that help reduce our exposure.

Three Security Processes to Mitigate Human Error

Here is my list of actions that make the biggest difference:

1. Classify and restrict access to data. Some types of data are more sensitive than others. It can be overwhelming to think of ways to protect all of our enterprise data. But, if our sensitive data is a subset or sliver of that data, things get simpler. I like to define some criteria we can use to segregate our data into different classifications. Clearly financial data is sensitive. So is the personally identifiable information of our clients. But, a whole bunch of data might not be worth fully protecting.

Once we have classified our data, we should determine who really needs to access the sensitive data—and the fewer the people who can access that data, the better. There really does need to be “need to know” criteria baked into your information security processes. Now, restricting access to data can be a pain because we need to define data roles and permissions. We then need to regularly update the data classifications, the data roles and permissions and who should have those roles and permissions. All of this pain is well worth the effort.

2. In addition to restricting access to sensitive data, we should implement a process and tools for logging access to data. This likely implies that we have to rid ourselves of generic user accounts—particularly admin accounts. As part of our regular access reviews, we should re-evaluate who is accessing what data and make sure that such access is proper. We can review the access logs to refine our access rules. For some systems, there is no way around generic admin accounts—thus defeating the goal of knowing who accessed what data. For this, look at key management systems in which an admin checks out a key to use the generic admin account. In general, we want to know who is accessing our sensitive data.

3. Review the ways that we internally pass around sensitive client or financial data. Too often, we do this in an ad hoc, less thoughtful way. Someone asks a question about a client account and, in response, we send an email that provides account details that should never be sent via email. I have found it helpful to spend some time with the client services and accounts receivable teams to simply observe how they exchange information with each other and with other departments. Then, if this is an issue, implement a more secure approach for this information exchange.
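The first two processes above (classify, restrict by need to know, log access, and attribute generic admin use through key checkout) can be exercised as a periodic access review. The sketch below is an added illustration, not code from the original handbook; every dataset name, account, grant, checkout and log record in it is constructed sample data.

```python
from datetime import datetime

# Constructed sample data; every dataset, account and record is hypothetical.
CLASSIFICATION = {"gl_ledger": "financial", "client_pii": "pii",
                  "cafeteria_menu": "public"}
SENSITIVE = {"financial", "pii"}            # classes gated by "need to know"
GRANTS = {"alice": {"financial"}, "bob": {"pii"},
          "carol": {"financial", "pii"}}    # person -> classes they may read
GENERIC_ACCOUNTS = {"dbadmin"}              # shared admin account we cannot retire
CHECKOUTS = [                               # (person, account, start, end)
    ("bob", "dbadmin", "2015-09-01T09:00", "2015-09-01T10:00"),
]
ACCESS_LOG = [                              # (timestamp, account, dataset)
    ("2015-09-01T08:15", "alice", "gl_ledger"),
    ("2015-09-01T09:30", "dbadmin", "client_pii"),
    ("2015-09-01T09:45", "dbadmin", "gl_ledger"),
    ("2015-09-01T11:20", "dbadmin", "client_pii"),
    ("2015-09-01T12:00", "alice", "client_pii"),
    ("2015-09-01T12:05", "dave", "cafeteria_menu"),
]


def parse_ts(text):
    """Parse the minute-resolution timestamps used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def resolve_person(account, when, checkouts=CHECKOUTS, generic=GENERIC_ACCOUNTS):
    """Map a logged account to a named person.

    Personal accounts map to themselves. A generic account maps to whoever
    had its key checked out at that moment, or None if nobody did.
    """
    if account not in generic:
        return account
    for person, acct, start, end in checkouts:
        if acct == account and parse_ts(start) <= when <= parse_ts(end):
            return person
    return None


def review_access(log=ACCESS_LOG, classification=CLASSIFICATION, grants=GRANTS):
    """Return (findings, unused_grants) for one review period."""
    findings, used = [], set()
    for stamp, account, dataset in log:
        label = classification.get(dataset)
        if label is None:
            # Data nobody has classified yet cannot be protected by class.
            findings.append(("unclassified_dataset", account, dataset, stamp))
            continue
        if label not in SENSITIVE:
            continue                        # not worth fully protecting
        person = resolve_person(account, parse_ts(stamp))
        if person is None:
            findings.append(("unattributed_generic_access", account, dataset, stamp))
        elif label not in grants.get(person, set()):
            findings.append(("no_need_to_know", person, dataset, stamp))
        else:
            used.add((person, label))
    # Grants never exercised in the period are candidates for removal.
    unused = sorted((p, c) for p, classes in grants.items()
                    for c in classes if (p, c) not in used)
    return findings, unused


if __name__ == "__main__":
    found, stale = review_access()
    for row in found:
        print("FINDING", *row)
    for person, label in stale:
        print("UNUSED GRANT", person, label)
```

Unused grants are the input to the "refine our access rules" step: a grant nobody exercised during the review period is a candidate for removal.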

In my perfect world, those inventing and improving the security tools figure it all out and come up with something comprehensive that battles all the known and future threats to information security. But, as long as people are still falling for the Nigerian prince email scam, it seems a portion of my security profile should assume that I need information security processes in place to compensate for human behavior. —Niel Nickolaisen


Expert Advice

‘Brittle’ Security Systems Need Major Overhaul

Think of today’s enterprise cybersecurity defenses as a bank vault with 3-inch-thick steel doors and plywood walls—heavily fortified and terribly vulnerable at the same time.

That’s how Stuart Madnick, director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity at the MIT Sloan School of Management, describes the state of enterprise security. “The biggest problems aren’t being addressed,” he said.

He’s not alone among cybersecurity experts in taking a dim view of the current state of enterprise security.

“The offense is gaining ground and the defense is definitely losing ground just about everywhere. Things that we thought would have to be secure, that we believed were secure—that was just optimism and not reality,” said George Wrenn, cybersecurity officer and vice president of cybersecurity at Schneider Electric.

Madnick, Wrenn, and other cybersecurity professionals and researchers said there’s a litany of problems with the approach that most organizations take when it comes to protecting their IT systems and the data they hold. As recent headline-making data breaches have revealed, problems range from insufficient governance to inadequate controls that create environments ripe for exploitation.

“What we learn after all these breaches is just how bad these environments were. A lot of the breaches are a product of a culture that oftentimes favors ‘get it out there’ or some other priority that is not directly related to safety or security,” Wrenn said.

Mismatch Between Risk and Spending

Research reinforces these views.

The 2015 Black Hat Attendee Survey, which polled 460 top-level cybersecurity experts, exposed significant disparities between what these security professionals view as the biggest threats and how their time and enterprise’s security dollars are actually spent.

Some 57% of those polled said sophisticated, targeted attacks are their greatest concerns, followed by social engineering (46%) and accidental leaks by users failing to follow security policies (21%). But they listed their most time-consuming tasks as addressing vulnerabilities introduced by internally developed software (35%) and addressing vulnerabilities introduced by off-the-shelf software (33%).

Although cybersecurity experts said policies, procedures, good governance and training remain essential tools, particularly to guard against employees falling victim to socially engineered attacks (e.g., phishing) or inadvertently exposing sensitive data, they also pointed to new technologies and best practices that can enhance an organization’s security profile.

“There are stories every day across the globe today that show that advanced security programs—intelligence sharing and advanced technologies and tools, and the use of additional levels of controls in your environment—can reduce the chances of a breach,” said Roland Cloutier, chief security officer for ADP.

Data Coding, Microvirtualization, Biometrics

The best approach to cybersecurity continues to focus on two points, according to Cloutier and other cybersecurity experts: the continuous implementation and upgrading of sophisticated security controls as well as the ongoing education of users and company leadership about risks.

“It’s a sustained, constant improvement to your security posture, along with education for the people using the technology that will keep you ahead of that threat,” he said.

Advanced security practices include developing policies that limit the amount of data organizations keep, thereby lowering their potential exposure in case of a breach, said cybersecurity experts.

Similarly, leading organizations are implementing systems that keep data coded throughout the stack. To do this, Madnick said companies are encrypting data not just when transmitting it, but even when it’s stored, with decrypting happening only when an authorized user needs it.

New technologies, such as the increasing use of biometrics to authenticate users and grant access to authorized users only, are also helping prevent employees from inadvertently exposing the business to risk.

Another advanced technology helping companies improve their security posture is microvirtualization, which takes applications and subprocesses from hardware and runs them in an isolated environment.

“So all the interaction from the outside world with your machine happens in that mini-machine. And when you’re done with that session, it goes away. It creates that segmentation, so as soon as you close your browser, it’s like it never happened,” Cloutier said, adding that he and his team are “migrating over to that as fast as we can.”

Then there’s intelligence-led security, which analyzes data to gain insight into a company’s IT systems and sends alerts or halts processes when something abnormal is flagged.

“This gives us the ability to pull that needle out of the haystack. We have analytics capability that we never had before, so we can collect lots of information and run purpose-built analytics to see if there’s something going wrong in the environment,” Cloutier said.

Re-Engineering IT Systems

These newer tactics, however, come with their own challenges, cybersecurity experts warned.

Take data, to start. Many organizations don’t have strong policies and procedures on what data to keep and what to eliminate, Madnick said. Moreover, even organizations that have addressed the data question generally keep more than they should, thinking that all data could have value.


Meanwhile, organizations that want to encrypt data throughout the stack find they have a significant project that generally includes re-engineering their IT systems and business processes—a project that, without any top- or bottom-line impacts, becomes hard to sell to executives, Madnick said.

Re-engineering, though, is really what’s needed, according to Constellation Research Inc. analyst Steve Wilson.

“Of course training and governance and security policies are essential, but I fear that security has become excessively reliant on process,” Wilson said, adding that audit remains security’s dominant weapon against attack. “The underlying problem is our IT systems are so brittle that they break, just weeks (or sooner) after an audit is passed.

“We must instead make our systems less brittle, more resilient, more stable, more reliable,” he said.

Wilson, who researches digital identity and privacy, listed his recommendations:

■ Reformed software development practices, more attention to detail and less rush to get apps out the door;

■ Rigorous software standards, banning the GoTo statement and teaching people structured programming;

■ Widespread code inspection and independent testing;

■ New test tools, as well as more research and development on static analysis and dynamic analysis;

■ Simpler operating systems; and

■ In a recommendation that will likely surprise many: a lot less connectivity. “Revisit why things need to be so joined up; reduce our addiction to being online all the time; take old assets offline,” he said.

—Mary K. Pratt


About the Authors

Harvey Koeppel is president of Pictographics Inc. and a former CIO. Write to him at [email protected].

Niel Nickolaisen is chief technology officer at O.C. Tanner Co. in Salt Lake City. Write to him at [email protected].

Mary K. Pratt is a freelance writer based in Massachusetts. Write to her at [email protected].

Data Security in a Breach-a-Minute Era is a SearchCIO.com e-publication.

Sue Troy | Editorial Director
Linda Tucci | Executive Editor
Ben Cole | Senior Site Editor
Fran Sales | Site Editor
Brian Holak | Assistant Editor
Nicole Laskowski | Senior News Writer
Jason Sparapani | Features Writer
Harvey Koeppel, Niel Nickolaisen, Mary K. Pratt | Contributors
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Marty Moore | Production Editor

For sales inquiries: Amalie Keerl | Director of Product Management, [email protected]

TechTarget, 275 Grove Street, Newton, MA 02466

www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

Cover: Fotolia