SECURITY PROFESSIONALS FIGHT HACKERS AND COMPLACENCY FROM MANAGEMENT

Delegates at this year’s (ISC)² Security Congress heard how practitioners are having to fight on two fronts – the second their own, writes Warwick Ashford.

The (ISC)² Security Congress 2013 in Chicago focused on the challenges facing information security practitioners. Apart from the increasingly sophisticated nature of attacks, security professionals often find themselves fighting a culture of disbelief in the businesses they support.

Many in senior management still do not believe they will be targeted by cyber attacks, typically arguing they have no data worth stealing. Consequently, the business is unwilling to invest in basic security management and control systems, and assumes the IT department will take care of any security issues that may arise.

In a typical, anonymised case study presented by Ernst & Young, responders to an incident at a large research firm were told there was no information security officer and no security operations centre (SOC). There was poor identity and access management, no network segmentation and no network situational awareness in the form of intrusion prevention or detection systems. Business units were encouraged to be self-supporting in IT, and IT policies were outdated. Consequently, the organisation was unaware a breach had taken place until it was notified by a third party.

Ernst & Young investigators found different variants of custom malware, making them invisible to any signature-based anti-virus or other security systems. They found attackers had gained access to the company’s network by targeting just 19 users connected to the database with a highly customised and plausible phishing email. The email appeared to come from an employee in the company’s database group and directed recipients to a plausible work-related intranet page. However, when recipients clicked on the link, it launched a set of tools for the attackers.
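The phishing pattern the investigators describe (a sender who appears to belong to the database group, and a plausible "intranet" link) is exactly what an inbound-mail triage rule can flag before anyone clicks. The script below is an added example written for this page, not code from the Computer Weekly article, the congress or Ernst & Young; the corporate domain example-research.com, the employee names and both sample messages are constructed for the illustration.

```python
"""Added example for the case study above (not code from the Computer Weekly
article or from Ernst & Young): a small mail-triage check for the two
indicators the investigators described, a sender impersonating an internal
employee and a 'work-related intranet' link that actually leads elsewhere.
The corporate domain, the employee directory and both sample messages are
constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical corporate identity (assumptions, not from the article).
CORPORATE_DOMAIN = "example-research.com"
KNOWN_EMPLOYEES = {"alice chen", "dan okafor"}   # display names in the directory
INTERNAL_TEAM_WORDS = re.compile(r"\b(database|dba|helpdesk|security)\b", re.I)

# Matches <a ... href="...">text</a>; sufficient for the single-part HTML used here.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_internal_host(host):
    """True only for the corporate domain itself or one of its subdomains."""
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def triage(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain != CORPORATE_DOMAIN:
        # An external domain that merely contains the company name is a classic lookalike.
        if CORPORATE_DOMAIN.split(".")[0] in from_domain:
            findings.append(("lookalike-domain", from_domain))
        # Display name of a real employee, or of an internal team, on an external address.
        if name.lower() in KNOWN_EMPLOYEES or INTERNAL_TEAM_WORDS.search(name):
            findings.append(("display-name-spoof", name))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply-to-mismatch", reply_to))

    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        link_host = host_of(href)
        if not is_internal_host(link_host):
            findings.append(("external-link", link_host))
        # Link text that shows one URL while the href points at a different host.
        shown_host = host_of(text) if text.strip().lower().startswith("http") else ""
        if shown_host and shown_host != link_host:
            findings.append(("link-text-mismatch", f"{shown_host} -> {link_host}"))
    return findings


def is_suspicious(raw_message):
    return bool(triage(raw_message))


# Constructed sample: the case-study pattern, a mail "from the database group".
PHISH = """\
From: "Alice Chen" <alice.chen@example-research-it.com>
To: dan.okafor@example-research.com
Reply-To: dbteam@example-research-it.com
Subject: Database group: confirm your access before the maintenance window
Content-Type: text/html

<html><body>Please review the notice on the intranet before Friday:
<a href="https://intranet.example-research.com.db-maint-portal.net/login">https://intranet.example-research.com/db-maintenance</a>
</body></html>
"""

# Constructed sample: the same topic sent legitimately from inside the company.
LEGIT = """\
From: "Alice Chen" <alice.chen@example-research.com>
To: dan.okafor@example-research.com
Subject: Database maintenance window
Content-Type: text/html

<html><body>Details are on the intranet:
<a href="https://intranet.example-research.com/db-maintenance">maintenance notice</a>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISH), ("legitimate sample", LEGIT)):
        print(label, "->", triage(sample) or "no indicators")
```

Run as a script it lists five findings for the constructed phishing message and none for the legitimate one. The external-link and link-text-mismatch checks are the ones that catch the case study's "plausible work-related intranet page": the page the link really opens is not on the company's domain, however convincing the visible text is. The substring test for lookalike domains is a design choice for readability; a mail gateway would instead rely on DMARC alignment and a maintained list of registered lookalikes.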
LESSONS TO BE LEARNED

This case study contains several lessons, delegates heard.

1. It is important for the business to understand the nature of the threat against the business and the impact of a breach on production, finances, intellectual property and reputation.
2. Organisations need to be able to continually monitor their networks and have the ability to detect and mitigate intrusions as quickly as possible.
3. Security policies and procedures must be updated regularly and enforced to help information security keep pace with the constantly evolving threat landscape.
4. Malware is increasingly customised and targeted. This means organisations need to be prepared for unknown attacks. But that does not mean all other attacks go away – basic IT security remains vital.
5. Human beings are often the weakest link. Consequently, an extremely high proportion of attacks involve a social engineering element. Security awareness training is therefore indispensable.
6. Hackers may use customised attacks, but operating methods often remain the same. Firms can continually update their defence strategies through sharing intelligence.

ADAPTING SECURITY PRACTICES

Many in the security industry believe that, as attackers become organised into structures using teams with separated duties – all dedicated to bypassing the defences of specifically targeted organisations – security professionals need to change tactics too. The idea of offensive security – where traditional defenders strike back – is gaining popularity in some quarters. But others caution against going to the extreme.

Retaliatory cyber attacks are not a good idea, an international panel told attendees. Although security practitioners’ ability to trace the source of cyber attacks is improving, it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks, delegates heard.
But even where attribution is possible, retaliation is still not a good idea, because it typically leads to an escalation of attacks and an increase in complexity, said Scott Borg, chief of the US Cyber Consequences Unit. Tony Vargas, a member of the (ISC)² application security advisory board, said offensive security is challenging and mistakes could even cost lives in some situations.

SECURITY BY DESIGN

Instead, Vargas advocated several security strategies that enable organisations to adopt a proactive approach to security through security awareness and secure product development.

“Awareness works, and it is where security should start. If we could fix the problem with technology alone, we would be there by now,” said Vargas, a technical leader and security strategist at Cisco Systems. He believes most people in an organisation want to “do the right thing” so, instead of beating them with a stick, they should be made part of the solution.

Vargas said information security professionals need to understand the business and ensure executives and all other users are aware of the general and specific threats to their organisation. “Find out what communication channels they are using, then spread the security message using those channels, whether it is video, Twitter, LinkedIn or instant messaging,” he said.

Security practitioners must keep abreast of what is going on in the security industry, he said, and forge partnerships and relationships to help drive the industry forward. An important element of that is creating software, products and services that are secure by design through implementing secure development lifecycle programmes. “Security needs to be part of every development stage, including initial requirements,” he said.
“And any insights from testing, deployment and security incidents must be fed in for continual improvement.”

Vargas predicts there will be a “huge market for application security professionals” in coming years, as governments and large enterprises increasingly mandate inherently secure products and services. “Considering the present and likely future security skills gap, we need to ensure that the security work is done upfront and not left to the deployment phase; there are not enough people for that,” he said.

Source quoted: CWE_ezine (8-14 Oct. 2013, pg. 4, computerweekly)
Posted on: Thu, 21 Nov 2013 17:26:17 +0000