The cyber curse of ‘interesting times’
This year was always shaping up to be a critical one for cybersecurity, with both government and industry finally starting to come to grips with what’s needed to counteract the rising tide of attacks. Potential election meddling aside, there have been more than enough problems unearthed over the past few years to satiate the security mill.
While that mill grinds slowly, some of the things that are already in development have produced promising results. The National Institute of Standards and Technology’s Cybersecurity Framework, for example, was first published in early 2014 and has quickly gained support in both the private and public sectors as a solid approach to managing security risks.
NIST published its first draft update to the framework a few weeks ago, updating and expanding definitions of terms and introducing the concept of identity proofing as a way of measuring the strength and validity of an individual’s online presence.
Measurements “will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” NIST’s Cybersecurity Framework Program Manager Matt Barrett said.
Along with NIST and other government efforts, like the Department of Homeland Security’s research programs, broad-based industry bodies such as the National Cyber Security Alliance are trying to spread the message about what’s needed for good security.
The incoming Trump administration has thrown a fair amount of dust into the air about cybersecurity, however. Former New York Mayor Rudy Giuliani has been pegged as the new president’s cybersecurity adviser, based on his chairing global security practices at the Greenberg Traurig law firm and as the CEO of his own international security consulting firm.
Cybersecurity professionals have had a field day over this appointment, both because of what they see as President-elect Donald Trump’s perceived “suboptimal clarity” on cybersecurity issues and Giuliani’s own apparent failings. His site was reportedly running off a five-year old, vulnerability-ridden version of Joomla that could be easily penetrated. As of Jan. 18, the Giuliani site was offline.
Giuliani has already said that Trump will use his “bully pulpit” as president to educate the public on the dangers of cybersecurity and that Giuliani himself will convene a group of experts and business leaders from across the various industries most concerned about security in order to, if nothing else, “get really close” to solving the problem of cybersecurity.
Obvious things apart -- there is no single cybersecurity problem, it’s a complex mélange, etc. -- if the Trump administration decides to quickly insert policy statements into the current mix of government and industry cooperation, it’s likely to cause more problems than it solves. Though it’s still far from perfect, the partnership has taken years of deliberation and trust building to get to where it is now. Anything that disturbs that runs a huge risk of disruption.
However, along the lines of not wanting to seem wholly negative, CyberEye offers up the following few simple but effective things the Giuliani team might want to contemplate:
Make sure people pick decent, reasonably lengthy, multicharacter passwords to get into their emails and other online sites. That shouldn’t be rocket science, but a recent survey of 10 million hacked accounts by security vendor Keeper showed how laughable the situation is. The most popular password? 123456, favored by 17 percent of the accounts surveyed. The 10th most popular? 987654321.
Make two-factor authentication, at the very least, mandatory in all the places that it can be done. It’s certainly not a perfect solution, but it’s easy and cheap to implement and has been shown to substantially cut the risk of being hacked. (The Department of Health and Human Services, for example, last year created an open source solution that other agencies can adopt.)
Increase online users’ sophistication about social engineering and the dangers of clicking on links or attachments in email. That’s by far the most common way that attackers get into networks and email accounts. And follow up any initial training to make sure those lessons have been learned. As the Clinton campaign found out, it only takes one successful phishing attack to create a whole mess of problems.
Do all of that and, along with using the usual hardware defenses and tools such as firewalls, 80-90 percent of the attempted hacks on organizations could be shut down, which could then let IT managers focus on recovery from the successful ones, which is now the real name of the game. Bad guys will get in if they really want to, so it’s become a matter of limiting the damage and recovering as fast as possible from incursions.
But it’s a new administration and a new Congress, all of whom have their own ideas and intentions when it comes to cybersecurity. If nothing else, it will be interesting times.
Then again, the ancient Chinese had a curse for just that.
Posted by Brian Robinson on Jan 18, 2017 at 11:54 AM