Q&A with Jason Mical: Approaching cyber security

There is no one size fits all, says Jason Mical, VP of Cyber Security, AccessData. He also describes some of the most active threats in Asia Pacific.

How would you characterise the cyber security scenario today? What shortcomings do you see in terms of preparedness?

The biggest problem today is a lack of education on how attacks operate, which is necessary to understand the appropriate defensive posturing. Without that understanding, there's no context, and without context there's no strategy. Even today, there's an undeserved obsession with the initial infiltration vector.

Company XYZ didn't get hacked because an HR person was spear-phished. They were breached because they failed to detect the attack in progress as the attacker elevated privileges (think PW dump and pass-the-hash), moved laterally through the company intranet from system to system, stole all credentials in the Active Directory database, copied sensitive data off the network, etc. Even if the company was immune to spear phishing, the attacker would have figured that out and moved on to other infiltration vectors.

Additionally, while attackers use hacking tools and backdoors for portions of the attack lifecycle, those tools are very different from viruses, botnets, and mass malware. Lumping all software used for bad under the one name of "malware" is misleading. Again, context is key. Those responsible for security need to understand that if they identify a hacking tool, backdoor, or RAT that isn't prolific in nature, they need to have a response that's very different from disinfecting a system that has a virus.

Chances are, there's a hacker behind the wheel performing lots of manual actions that need to be discovered through an investigation. Much of their activity would look like a system administrator went rogue. This is a concept that most organisations still do not grasp.
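
The answer above describes the post-infiltration phase that defenders miss: a single set of stolen credentials used to hop from system to system, which in the logs looks like an administrator working unusually hard. The following is an added example, not from the interview or from AccessData; it runs a simple lateral-movement detection over constructed logon records. The pipe-delimited record format, the host and account names, and the thresholds are all assumptions made for the demo, modelled loosely on Windows network logon (type 3) events.

```python
"""Added example: flag credential fan-out that looks like lateral movement.

Two defender-side checks over logon records:
  1. fan-out: one account, from one source host, reaching many distinct
     destination hosts inside a short window;
  2. new source: an account appearing from a source host it has never been
     seen on before (stolen credentials rarely come from the owner's box).
All data below is CONSTRUCTED for the demo; the record format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time | account | source host | destination host | logon type
SAMPLE_LOG = """\
2024-03-01T09:00:12|jdoe|WS-HR-07|FS-01|3
2024-03-01T09:01:40|jdoe|WS-HR-07|FS-01|3
2024-03-01T10:15:03|svc-backup|BK-01|FS-01|3
2024-03-01T22:03:11|svc-backup|WS-HR-07|WS-FIN-02|3
2024-03-01T22:03:45|svc-backup|WS-HR-07|WS-FIN-03|3
2024-03-01T22:04:10|svc-backup|WS-HR-07|WS-ENG-11|3
2024-03-01T22:04:51|svc-backup|WS-HR-07|WS-ENG-12|3
2024-03-01T22:05:30|svc-backup|WS-HR-07|DC-01|3
2024-03-01T22:06:02|svc-backup|WS-HR-07|FS-02|3
"""

# Constructed baseline of (account, source host) pairs seen during normal operations.
KNOWN_SOURCES = {("jdoe", "WS-HR-07"), ("svc-backup", "BK-01")}

FAN_OUT_THRESHOLD = 5            # distinct destinations ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window


def parse_logons(text):
    """Parse the assumed pipe-delimited format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "type": int(logon_type)})
    return sorted(events, key=lambda e: e["time"])


def detect_fan_out(events, threshold=FAN_OUT_THRESHOLD, window=WINDOW):
    """One finding per (account, source) whose network logons (type 3) reach
    >= threshold distinct destination hosts inside a sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == 3:
            by_key[(e["account"], e["src"])].append(e)
    findings = []
    for (account, src), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            dests = {e["dst"] for e in evs[start:end + 1]}
            if len(dests) >= threshold:
                findings.append({"account": account, "src": src,
                                 "dests": sorted(dests),
                                 "first": evs[start]["time"].isoformat(),
                                 "last": evs[end]["time"].isoformat()})
                break  # one finding per key is enough for triage
    return findings


def detect_new_sources(events, known=KNOWN_SOURCES):
    """Flag accounts used from a source host absent from the baseline."""
    seen, findings = set(), []
    for e in events:
        key = (e["account"], e["src"])
        if key not in known and key not in seen:
            seen.add(key)
            findings.append({"account": e["account"], "src": e["src"],
                             "first": e["time"].isoformat()})
    return findings


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOG)
    for f in detect_new_sources(evs):
        print("NEW SOURCE :", f)
    for f in detect_fan_out(evs):
        print("FAN-OUT    :", f)
```

On the constructed data the service account is flagged twice: first for appearing from an HR workstation it has never been used from, then for touching five distinct hosts in under three minutes, including a domain controller. Neither check needs a malware signature; both key on behaviour that only becomes visible when hosts, network data and logs are actually being watched, which is the point the answer makes.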

Is there a best way to approach cyber security? What could it be?

There is no one-size-fits-all approach. Generally speaking though, organisations need to know what their assets are and make sure those assets are identified as much as possible. Apply the concept of least-privilege access and role-based access control to ensure access is limited to those that need it and only what they need.

Next, research the known threat actors out there and figure out which ones apply. Learn as much as possible about how they operate and prioritise both preventative measures as well as detection systems to see what gets through. Have well-rehearsed response plans in place for likely scenarios. The goal is to make it a pain for the attacker to make progress from victim zero (initial infiltration) to the goal line, and then have eyeballs scanning hosts, network data, and log files to see them running around the field.

Have game plans in place to chase them down and kick them off the field. The most important thing is that you need to have people that can do these things. There are newer training courses geared for this from places like SANS.

What are some of the most active threats in the Asia Pacific region?

Although most threats span globally, I am aware that there's a tremendous amount of energy being spent to hack and commit fraud in online games. Much of this activity is coming from hackers in China. The attackers have even been bold enough to go after the gaming companies with the level of sophistication usually only seen with APT intrusions and targeted, large financial crimes. Speaking of APT, the Chinese state-sponsored APT groups are hacking into other AP countries: Singapore, Japan and Australia, to name a few.

In view of the increased waves of state-sponsored attacks as well as hacktivism, should security vendors work with government agencies to tackle local and global attackers? Are they the new arms dealers?

This is already happening. It's all via unofficial communications. Because the agencies tend to classify everything as classified by default, it makes information sharing very difficult. Additionally, government entities, intelligence agencies, and law enforcement agencies will look to the private sector for expertise and support when dealing with these adversaries. Sometimes, they'll contract out work, but that's very sensitive and not discussed in public.

How would BYOD impact businesses in the Asia Pacific region? What are BYOD's implications in terms of risk management, data protection, and data management?

As far as I'm aware, there's nothing unique to the AP region on this topic. I could be wrong though. I'd say there are two very large risks to BYOD in general. The first is that an employee could accidentally lose or leak sensitive information. The second is that organisations have little to no control or visibility into employee-owned devices. The lockdown mechanisms that can be enforced are pretty generic and not very relevant to modern-day hacking.

I have observed APT attackers get kicked out of a corporate network after months of investigation and planning for remediation, only to get re-compromised because the attacker had backdoors planted on employee-owned assets.

How can local businesses change their strategy to cope with the new threats?

My advice has always been the same for SMB. Computer systems used for business operations should be separate from systems used for email, web browsing, etc. They should be segmented into two networks that either have no connectivity between them or only the bare essentials needed to conduct business.

Have the business owner talk to someone who's gone through a card data breach. Then ask them if letting employees browse Facebook from the same system they use to run their business or accept credit card payments is worth the risk. Most business owners wouldn't want to risk losing their whole business because someone clicked on a bad link.
