Confronting today's cyber threats requires a change in mindset

March 2, 2018
Experts discuss the evolving physical, cybersecurity landscape at the Converged Security Summit

ATLANTA – The challenge of mitigating cyber threats is one of the biggest issues facing security professionals today, and it impacts every nook and cranny of the industry. No longer can physical security practitioners, systems integrators and manufacturers sit on the sidelines and act as if the burdens that were the traditional purview of network and IT security are not equally shared. The reality of technology convergence means that cybersecurity is everyone’s problem – from the board and C-suite down to each rank-and-file employee.

Of course, there’s no magic bullet that can address the myriad cyber threats that both public and private sector organizations face today. It requires a multi-faceted and multi-layered approach that includes not only technology solutions, but training of people and the implementation of policies and procedures to develop a truly comprehensive mitigation strategy.

To accomplish this, however, organizations need to change their overall mindset about cybersecurity and foster an environment in which a spirit of teamwork thrives. This was one of the key takeaways from this week’s Converged Security Summit in Atlanta. Now in its second year, the summit, which was hosted by systems integrator GC&E Systems Group, featured a lineup of keynote speakers who spoke to some of the current trends in cybersecurity and how businesses must adapt to the changing threat landscape moving forward.

Stop Sacrificing Security and Privacy for Convenience

According to Darnell Washington, President and CEO of SecureXperts, Inc., security professionals today shouldn’t be surprised by how technology has evolved or by the potential risks that it could pose, as these were issues thought about by people decades ago. In fact, many of the technologies that were depicted in movies and television shows from the 1950s and beyond are a reality today, such as robotics, cellphones, drones, etc.

“We saw that these things that could be used to help us could also be used by our adversaries to affect us and impact our critical infrastructure in the things that we do every day. We saw it coming,” Washington says. “When we start to look at the world of cybersecurity today, we have to think that there is not a major difference between what these guys saw back in the day to what we have now.”

In the early days of the Internet, people also saw the need to develop effective countermeasures; however, speed to market and profitability considerations trumped security and have thus left us in the situation in which we find ourselves today. “It has come home to roost,” Washington says of the problems that were foreseen early on in the cyber realm, “and I think everyone would not disagree with me to say that cybersecurity is at the top of mind in every industry but also that we have to do a better job.”

Perhaps one of the biggest problems is that many businesses fail to employ even basic, good cyber hygiene policies over concerns that they may be overly burdensome to someone, such as requiring passwords to be changed after an employee is terminated or leaves an organization. Washington compared the lack of such a policy to handing your car keys over to a stranger while walking into a gas station. Unfortunately, many businesses still consider this to be an acceptable risk.

“How many people use the same passwords to log-in to Facebook and AOL as they do their company computer? How many that might manage employees or organizations have employees that do? Guess what? They not only represent vulnerabilities, but with mobile devices, people are willing to… share (through apps) their location, email and contacts,” Washington says. “We are sacrificing privacy and security for convenience. They saw it coming and we saw it coming too.”

Perhaps most frightening, according to Washington, is that cybercrime is now reaching the point where plots designed to steal or extort money could impact life safety, such as someone threatening to tamper with connected medical devices unless a ransom is paid. Washington also pointed to the recent incident involving the Washington, D.C. camera network, in which cyber criminals infected the city’s video recorders with malware during the most recent presidential inauguration, as another example of how cyber-attacks can impact life safety.

“If the failure of a physical security device ends up in someone’s life being taken or (causing) extreme risk, that draws special attention to the requirement of why we have to do better,” he says. “If we have non nation-state actors that are able to penetrate very vulnerable systems that could be used to the point they could impact the life safety of the president of the United States, what other things can they do? What other areas of exposure do we have?”

Think of Malicious Actors as “Attackers” not “Hackers”

John Gomez, CEO of cybersecurity firm Sensato, says that one of the biggest misnomers in the industry is that people still think of malicious online actors as “hackers” rather than “attackers.” According to Gomez, the popular notion that hackers trying to break into government and private sector networks are bored college students or, as President Donald Trump once famously characterized them, “somebody sitting on their bed that weighs 400 pounds,” couldn’t be further from the truth.

“The word hacker, in and of itself, is dated. If you think you’re being hacked or you’re defending against hackers, you really need to revisit your security strategy,” Gomez explains. “There’s nobody hacking you and if they are, the things you have in place will probably protect you. But the people that are committed, especially for the people in this room who you’re representing – government, educational institutions, and law enforcement – you’re not hacked, you’re attacked. That shift in mindset by you is critical to your success.”

According to Gomez, the types of attackers that organizations should concern themselves with include: cyber criminals, cyber spies and cyber terrorists. Cyber criminals, who are driven by financial motives, typically consist of organized crime syndicates that recruit and employ people to steal data from individuals and corporations for monetary gain. Cyber spies are usually nation-state actors concerned with carrying out a certain mission within cyberspace, whereas cyber terrorists are driven to cause disruption based on ideology.

“You can’t develop an effective defense against someone you don’t know. You need to understand who is coming at you,” Gomez says. “This is why I get so ramped up about people calling attackers hackers. Hackers don’t have a methodology, they’re not doing intelligence gathering. As an attacker, the first thing I’m doing is intelligence gathering. If you just gave me the name of your organization, no IP addresses or anything else, I’m going to go on your website and look at your job postings. If you're hiring a Cisco engineer then I know, ‘Oh, you’ve got Cisco equipment.’ Because we don’t have that mindset, we don’t think about how sophisticated they are.”

In addition, Gomez said that unlike the old days where someone would work a day job and save all of their online criminal activity for the nighttime hours, attackers now have full-time criminal jobs complete with a salary and benefits.

“We’re now seeing people come out of colleges in eastern Ukraine and Russia and there are recruiters on campus trying to recruit people for criminal organizations. Today, if you join a cyber-criminal organization, you’re going to get a full salary that is competitive with any other software company, full benefits and life insurance,” he says. “One of the things that we've learned in the last eight to 12 months is that they are also running contests. Let’s say I wanted to go against (a police department) and hack into them. You could go to these groups and say, ‘the first person to break in, we’ll give them a Ferrari.’”  

Cybersecurity – A Team Sport

During the event’s final keynote, Kenrick Bagnall, Detective Constable for the Toronto Police Service’s Computer Cyber Crime (C3) Intelligence Services unit, told attendees that they need to think of cybersecurity as a team sport and to work with not only their in-house personnel, but also external resources including law enforcement. “Cyber-crime didn’t evolve in a vacuum and, as a problem, it is not going to be solved in one either,” he says.  

One of the first things that Bagnall recommends organizations do is to focus on their incident response plan because, as many cybersecurity professionals point out, it’s not really a matter of if a business or institution will be breached, but rather when. The first step in developing that plan should be conducting a risk assessment which identifies the organization’s crown jewels and what needs to be protected.

“You have to figure out what they are and assign some sort of value to them. Everybody is getting cyber insurance these days, do you want the actuaries and the insurance companies to tell you what your stuff is worth?” he asks. “You need to figure that out first before you take that step. Those crown jewels in your organization, if you’re not paying proper attention to them, they’ll be up in flames and depending on how malicious the attack is, perhaps quite literally.”

Those who should have a seat at the table when it comes to developing an incident response plan include the organization’s CEO, mid-level management, legal, network and IT security, human resources, cyber insurance, law enforcement, and perhaps most importantly, according to Bagnall, a breach coach from outside the organization who preferably serves in the legal field. The breach coach is the person who will walk the company through the response plan following a breach and they need to be external so as not to jeopardize attorney-client privilege.

“Here’s the problem: if you take your internal counsel and you make them your breach coach and your company gets hacked – it is not a civil matter and becomes a criminal matter and law enforcement comes in to depose, interview and debrief – you’ve completely lost any privilege within your organization because that internal counsel will be interviewed as if they are just a staff member,” Bagnall explains.

For a multitude of reasons, law enforcement is often last to be contacted by a company in the event of a breach, but Bagnall says that needs to change because of things like the upcoming General Data Privacy Regulation (GDPR) that is set to go into effect in the EU and issues related to cyber insurance.

“Everybody has insurance on their home and vehicle. You can’t drive without it and you can’t have a mortgage without it on your home. If something happens to either one of those things and you go to your insurance company to file a claim, what are they going to ask you for? They are going to ask you for a police report,” Bagnall says. “If your organization has cyber insurance and you want to file a claim because you’ve been breached, data has been exfiltrated and there has been damage to customer records or there has been damage to company reputation. What do you think they are going to ask you for? Have you called law enforcement? Have they done an investigation?”

Not only does law enforcement need to be contacted, but they need to be contacted in a timely manner, not after the fact. “Have you heard the term closing the barn door after the horse has already gotten out? That’s kind of what that is like. Get law enforcement involved and get them involved as early as possible,” Bagnall says.

Despite the vast amount of resources that organizations have at their disposal in the form of both law enforcement and other experts, many are still going it alone.

“Why are you going to try and attempt cybersecurity remediation and solving this cyber-crime problem alone? You can’t, you absolutely can’t,” Bagnall says.

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].