In our age of relentless and deadly effective cyberattacks, virtually every sizable enterprise and government entity knows the critical importance of taking pains to protect their data. As year after year of increasing cybersecurity budgets underscore, they spend big and hire plenty of cyber experts to help guide that spending.
But are they doing a good job overall? Not really, partly because of the widespread circulation of cybersecurity myths and partly because of the enormous volume and ever-changing nature of cyber attacks, making it impossible to win all the battles all the time.
One myth is that more cybersecurity is better cybersecurity. The reality is that traditional cybersecurity, such as firewalls and antivirus software, has become largely ineffective. It costs money and takes time to update continuously, and it is usually porous against new malware. And if security teams lack sufficient expertise with newer, more effective security tools, they typically misinterpret alerts, creating too many false positives. Traditional cybersecurity doesn’t prevent these problems.
Another myth is that better technology provides better security. True, but only up to a point. Cyberattacks are masterminded by people, and smart ones know their way around static technology. Other myths are that passwords are often good enough, even though they no longer are, and that threats are only external. Fact is, employees are the pathway to the most sensitive information.
These and other misconceptions must be erased. Consider, for example, that 80 percent of observed malware appears only once, according to cybersecurity company FireEye. Widespread signature-based defenses cannot protect against these. To curb attacks, the analysis of sophisticated, in-depth context is crucial.
So what is the answer?
For starters, enterprises must better appreciate that complexity is the enemy of security. By and large, today they purchase virtually every product they feel holds some promise to make their companies more secure. But this enhances complexity and related overhead, and gaps between products become vulnerabilities. Enterprises must aggressively embrace integrated platforms to reduce the weaknesses of operational complexity.
In addition, enterprises must at least begin studying and testing new and far more advanced cybersecurity technologies. These include applied cryptography, especially in the cloud, which is the technique of enciphering and deciphering messages to maintain the privacy of computer data. Related to this is homomorphic encryption (HE), which protects data in use and was discussed in my last column. Although it remains a work in progress on some fronts, HE is nonetheless the most effective technology available today to secure data on the move.
The fundamental concept behind HE is hardly pie in the sky: “Data at rest” is commonly encrypted, as increasingly is “data in motion,” and so why shouldn’t it eventually become a standard?
Also warranting a deep dive is data provenance (DP). It rests on the fact that digital information is atomized into 1s and 0s with no intrinsic truth, and it is highly useful in exposing well-crafted and disguised lies distributed across the internet. In DP, the most immediate concerns are images or statements that purport to be something other than what they are. Without the introduction of new DP techniques, it will become impossible to discern a real image from a fake.
Most important of all is the nearer-term need to better manage the explosion of security alerts and false positives almost everywhere. Also crucial is the development of better defenses against spear phishing, which is as effective as ever because it targets individual and unsuspecting employees, as well as improvements in third-party risk management. The latter remains relatively sketchy nearly five-and-a-half years after the infamous Target breach by an air conditioning subcontractor.
Here are a few highlights about each of these points:
-DP is a critical defense against the weaponization of data, and the stakes for success are sky-high. Eventually, high-level hackers at the nation-state level are likely to corrupt news and financial data, manipulate airline and transit systems controls, and undermine critical infrastructure.
-On average, organizations receive thousands of security alerts weekly. They typically investigate less than 5 percent of them, dismissing most as relatively low-threat viruses, worms and spyware, according to FireEye. It sounds good, but organizations on average still spend about $1.3 million annually on false positives or false negatives, according to Ponemon Institute.
Part of the solution is the formal development of threat priorities, automated in a central repository. Needed, too, is contextual intelligence that provides details on the attacker as well as on the scale and scope of the attack. In addition, silos between technologies and teams must be eliminated because they result in duplication of effort and little or no knowledge sharing.
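The prioritization the column describes, as an added illustration that is not part of the original post: alerts from siloed tools are merged into one central repository, enriched with asset and attacker context, and ranked so a team that can only investigate a few percent of them looks at the right ones first. Tool names, asset tiers, the sample alerts and the scoring weights are all assumptions constructed for this example.

```python
# Added example (not from the column): a minimal central alert repository that
# deduplicates alerts from siloed tools, enriches them with context, and ranks
# them. Tool names, asset tiers and weights are assumptions for illustration.
from dataclasses import dataclass, field

# Constructed sample alerts, as three separate tools might emit them.
RAW_ALERTS = [
    {"tool": "edr", "host": "fin-db-01", "sig": "Credential dumping from LSASS", "src": "10.0.5.7"},
    {"tool": "ids", "host": "fin-db-01", "sig": "Credential dumping from LSASS", "src": "10.0.5.7"},
    {"tool": "av", "host": "kiosk-12", "sig": "Adware.Generic", "src": ""},
    {"tool": "ids", "host": "hr-ws-04", "sig": "Outbound beacon to known C2", "src": "203.0.113.9"},
    {"tool": "av", "host": "kiosk-13", "sig": "Adware.Generic", "src": ""},
]

# Contextual intelligence: how valuable is the asset, and what is known about
# the attacker? (constructed lookup tables standing in for a CMDB and intel feed)
ASSET_TIER = {"fin-db-01": 3, "hr-ws-04": 2}   # hosts not listed default to tier 1
KNOWN_ATTACKER_SRC = {"203.0.113.9"}           # documentation-range address, constructed
LOW_THREAT_FAMILIES = ("Adware", "Riskware")

@dataclass
class Alert:
    host: str
    sig: str
    src: str
    tools: set = field(default_factory=set)    # which silos reported it

def build_repository(raw):
    """Merge alerts from every tool into one record per (host, signature)."""
    repo = {}
    for a in raw:
        rec = repo.setdefault((a["host"], a["sig"]), Alert(a["host"], a["sig"], a["src"]))
        rec.tools.add(a["tool"])
    return list(repo.values())

def priority(alert, all_alerts):
    """Higher score means investigate first; scale = hosts sharing the signature."""
    scale = sum(1 for a in all_alerts if a.sig == alert.sig)
    score = 10 * ASSET_TIER.get(alert.host, 1)
    score += 25 if alert.src in KNOWN_ATTACKER_SRC else 0
    score += 5 * (len(alert.tools) - 1)        # corroborated by more than one tool
    score += 3 * (scale - 1)                   # scope of the campaign
    if alert.sig.startswith(LOW_THREAT_FAMILIES):
        score -= 20                            # the low-threat noise the column mentions
    return score

def triage(raw, budget):
    """Return the `budget` highest-priority (host, signature) pairs to investigate."""
    repo = build_repository(raw)
    ranked = sorted(repo, key=lambda a: priority(a, repo), reverse=True)
    return [(a.host, a.sig) for a in ranked[:budget]]
```

With five raw alerts and a budget of two, the beacon from a known attacker address and the corroborated credential-dumping alert on the tier-3 database host come out on top, while the adware noise sinks to the bottom.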
-Spear-phishing attacks are masked emails that contain a link or attachment and are designed to pilfer your personally identifiable information (PII). To be convincing, attackers do their research, usually through social engineering. Spear-phishing works because emails are believable – research shows people open 70 percent of them, and half of those click on the link. To cope, companies must do a much better job training users to recognize, avoid and report suspicious emails.
-Third-party risk management is increasingly critical to protecting companies’ sensitive data. Companies are beginning to wake up to the need to know how secure their third-party relationships are. Yet management remains sub-par, obviously magnifying risk.
As Target demonstrated, cyber attackers are masters at understanding the “community of relationships” around a target company and identifying the weak link, fundamentally making defense only as strong as its weakest interconnected link.
In 2017, the NotPetya attack vividly served as a warning regarding what can happen if a supplier is attacked. Legitimate software used throughout Ukraine became infected with a destructive ransomware worm. But the attacks weren’t limited to the borders of Ukraine. Through business relationships and supply chain links, the infection quickly spread around the world, generating billions of dollars in damage.
Current approaches to the problem, such as audits and penetration tests, are helpful but typically provide a moment-in-time snapshot of security risk. What organizations need, among other things, are automated tools that continuously measure and monitor the security performance of third parties. Speedy assessment of the security status of third parties is critical to prevent breaches. So a system of formal security ratings is essential.
Posted from the RSAC Blog