In a world of cyber-security turbulence, education tied to action is vital

By Rick McElroy, Security Strategist, Carbon Black

A rash of turbulence shaking the IT industry has its epicentre in security, where we are continuing to hit bumps along the way. This won’t change any time soon and the bumps seem to be occurring faster and faster.

Cyber security was noted during the U.S .presidential debates, and currently there are a number of proposed pieces of legislation at all levels to help address this “problem.”

As a community, we haven’t yet ‘fixed’ the security challenge, so others are trying to mandate how to fix the problems. Politicians, judges and leaders can affect security both positively and negatively. They can add complexity or reduce it. They can create policy or overrule it. They can choose to listen and become educated, or not.

They seem willing, so maybe we should all be less cynical and do the hard work to educate them. They seem aware…let’s go beyond that. They need long term strategic help. They need help to understand the right data to make the right decisions. We can all assist with this role.

We all know that IT security teams are struggling to maintain a secure and compliant environment because the budgets and projects for both often compete with each other. I have seen a number of shops that are both PCI and SOX compliant, but a red team took less than an hour to achieve domain administrator on their systems.

Apart from very large companies, most organisations simply cannot afford to maintain compliance as well as an effective security program. Businesses have downturns. Budgets are cut. Funding goes away. To stay in business, a leader may have to choose to short change security for the sake of maintaining compliance.

Compliance teams and InfoSec teams need to ensure they are partnered and working towards common goals. They need to work with the regulating bodies to ensure the controls achieve those goals, whether their goals are privacy, security or risk-related. They need to look at sharing technology decisions. If a tool can meet both needs then that’s fine. Between the two, they should make wise technology investment decisions. After all, tons of compliant businesses have been breached.

We see this in action globally. The EU court of Justice kicked out safe harbour. Governments are calling for back doors to encryption. The U.S. Cyber Security Disclosure act was introduced in December 2015; the State and Local Cyber Protection Act in March 2016; the Small Business Cyber Security Improvement Act of 2016 in June.

These seem reactionary and rushed, focusing on the past rather than the future as cyber security should be. This trend of legislating security will continue to increase complexity. Think about the pure human hours spent on compliance attestation. Imagine if all that time and effort were focused on becoming secure. Teams that should be actively defending networks and systems are often relegated to taking screenshots and filling out forms.

Although we have come a long way as an industry, we continue to repeat past mistakes. IoT is here and Gartner estimates that four billion connected things will be in use in the consumer sector in 2016. 25,000-plus CCTV cameras were used recently to deliver the largest DDoS attack on record. Everything is being plugged in the reality is that cyber criminals can achieve crushing scales.

Ransomware has become big business and IoT will continue to accelerate this trend. Holding ‘all the things’ for ransom seems to be a compelling profit model.

The source code to pull off massive DDoS attacks has been released. Imagine a world where Internet pipes are clogged with hacked IoT devices while using them to distract teams away from actual breaches.

Hackers and ‘leakers’ are replacing legitimate journalists as a source of reliable information. This behaviour is being ignored, encouraged and supported to varying degrees by leaders across the world. We cannot be pro-security and then encourage illegal system break-ins.

In my view, we have massively elevated awareness of the issues. While news coverage is at an all-time high, we need to move into true education. We need to use all opportunities to educate. Awareness helps but without educating our business and political leaders on effective strategies we must expect people to operate under fear and act reactively rather than proactively.

Remember, the current issues are all part of growing pains. Now is the time to refocus our time on education rather than awareness. Now is the time to do more than stand on a soapbox and make fun of people who aren’t knowledgeable. Now is the time to do what we have been trained to do. Let’s stop assuming that users are too dumb. Let’s stop acting holier-than-though when another team has a breach, and let us all spend more time trying to truly educate those around us.

Tags infosecPCI compliantUS Cyber Consequences UnitEU Networks

Show Comments