Best cyber defense: tech savvy, informed users
It’s become an article of faith that you can’t accomplish real advances in cybersecurity until you get the executive suite involved, and that applies as much to government as to private industry. Well, you can’t get much higher on the ladder than the rarified atmosphere at Davos in Switzerland, where the elite’s elite gather yearly to discuss issues affecting the world’s economic health.
Cybersecurity was a main topic this year. It’s been on the agenda before, or at least has been talked about in the hallways, but after last year’s horrendous breaches and Black Hat successes, the consensus was that cyber requires an urgent focus.
Among the most critical topics, security experts at Davos warned about the increasing dangers from the Internet of Things – dubbed the Internet of Threats by Kaspersky Lab’s Eugene Kaspersky – and the fact that cybercrime is becoming much more professionalized, with both criminal and terrorist activists now in the game.
As much as technology offers promise for economic growth, they seemed to say, it also dramatically increases the ways attackers can threaten the viability of public and commercial enterprises.
The same message can be taken from a number of wide-ranging studies recently published. Cisco’s 2015 Annual Security Report warned that attackers are, indeed, getting better at what they do and that users are becoming unwitting enablers.
For example, said Jason Brvenik, principal engineer with Cisco’s Security Business Group, online spam had been decreasing recently but showed a 250 percent increase in 2014 compared to the previous year. Attackers are now also using it for phishing to directly target users.
“With the emphasis by organizations now on protecting data and IT assets, attackers are increasingly challenged in attacking those kinds of targets,” he said. “So, they are paying more attention to users who may have the (network) credentials that will let them get inside the enterprise.”
Despite the warnings, organizations are still not up to speed with what’s needed for this emerging ecosystem of cyber threats. Only 38 percent of those surveyed by Cisco admitted to using patching and system configuration updates to boost their defensive capabilities, a practice that Brvenik said is considered effective. And more than half of all versions of OpenSSL – whose vulnerabilities led to the catastrophic Heartbleed bug – were found to be older than 50 months, and therefore still wide open to attack.
Here’s another frightening statistic: As organizations actually start moving their data to the cloud, they may be opening up other avenues for attackers to exploit, according to the Cloud Security Alliance. In its 2014 Cloud Adoption, Practices and Priorities Survey Report (CAPP), it found that three quarters of respondents were aware of the need for security, but nearly as many admitted that they didn’t know the number of ‘shadow IT’ apps within their organization.
Shadow IT is a very modern dilemma. It refers to the users within organizations who tend to use whatever technology they can find to make themselves more productive. So they reach for software that is easily downloadable and configurable – without informing the IT department. What’s more, each line of business uses what apps it deems appropriate, without coordinating with other groups in the same organization.
That leads to situations such as one described by Kamal Shah, vice president of CSA member Skyhigh Networks. One of its customers ended up with 27 different file sharing services in use among its 80,000-plus employees, and many of those services didn’t meet the company’s security and use policies.
“We’re seeing more and more CSOs and CIOs having cloud security discussions (with senior executives) in both the government and private sectors,” Shah said. “However, while there’s been a lot of talk recently about the increase in sophistication of threats, and cloud security is starting to get to where it needs to be, we’re only in the early innings of this.”
One of the problems could be that, according to a survey by EMC Corp., data protection is still treated as a standalone concern, a way of making sure data is always available, and not as a practice that is part of overall cybersecurity measures.
“But we definitely think it should be, since we are talking about (overall) protection of data, and cybersecurity is a part of that,” said Gregg Mahdessian, EMC’s director of federal sales, Data Protection Solutions.
What’s the takeaway from all of this? As Davos and the various surveys show, there’s now no shortage of awareness of the magnitude of the problem. Executives at the highest level in both public and private organizations know that attackers are getting better at what they do, and therefore security also needs to get better. The disconnect is in understanding how technologies and tools can best be deployed to make that happen.
“The trend in days past was that the more invisible security was, the more effective it was being,” said Cisco’s Brvenik. “That led, in many cases, to organizations putting security technology in place and then forgetting it was there.”
That needs to change, he said. Now, there needs to be high visibility into what security tools can provide and why, which will lead to a greater understanding, from the executive level down to individual users, of those tools and the secure processes they embody.
If the user is the new focus for attackers, an informed user will be the best defense.
Editor's note: This blog was changed Feb. 2 to correct the spelling of Gregg Mahdessian's name.
Posted by Brian Robinson on Jan 30, 2015 at 10:54 AM