Industry and government cybersecurity experts offer advice for protecting business assets and reputation in an increasingly dangerous cyber threat landscape.
Don’t expect the cyber threat landscape to get safer anytime soon. That’s the message given by speakers at two recent Boston-based events. “By any measure you want to use, the trend line is going the wrong way,” said Rob Joyce, White House cybersecurity coordinator, speaking at the Cambridge Cyber Summit hosted by CNBC and The Aspen Institute. “Whether you look at breaches, whether you look at criminal activity, whether you look at nation-state activity, or even the sanctity of our elections, we’ve got to worry.”
That sentiment was echoed by experts from business, the cybersecurity industry, and government intelligence and law enforcement agencies. While the picture they painted was grim, all the speakers were optimistic that the situation would improve over time. The speed of that improvement, though, is dependent on organizations changing the way they approach cybersecurity.
Processes and attitudes need to change, the experts agree. More effective means of protecting data and assets are well within the reach of most organizations. Their advice follows.
Do the cybersecurity basics well
Many companies are not consistent at doing what Joyce calls “the basic blocking and tackling of security, whether it’s patching, having a good architecture, understanding in advance where the threats are, having logs, monitoring, watching and dealing with it.” He and other speakers urged companies to review their policies and put processes in place that ensure the systems are working as they should be.
At the very least, organizations should be following the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Doing so is not a guarantee against a breach, but it demonstrates a “duty of care” that can reduce liability should a breach occur. “If you do all the things you should be doing to protect the network, like following the NIST framework, and still get breached, the chances of being penalized are less,” said Mike Gregoire, CA Technologies chairman and CEO, at the Cambridge Cyber Summit.
Organizations will not be able to do security basics well unless they embrace the process. At the Cambridge Cyber Summit, Mark van Zadelhoff, general manager of IBM Security, said he sees a “cultural shift to treat [security] like programs around safety—a Six Sigma approach to security hygiene.” He believes such an approach will better enable organizations to cope with the rising sophistication of hackers.
Know what hackers will value
“People don’t realize where value lies in their companies,” said Jeffrey Tricoli, section chief, Cyber Division, Federal Bureau of Investigation (FBI), at the InfoSecurity North America event. “Hackers’ valuations [of your assets] are better.”
For example, a company may have strong protections around customer data, but not around the communication channels with those customers. Those channels could become a means to access customer systems and assets. If you know what attackers are likely to go after, you know where to focus your security efforts.
Learn how the entire organization will respond to a breach
Most organizations have response plans should a breach occur, but not all of them go through the exercise of a fake attack. How will everyone—not just the security team—react when what van Zadelhoff calls the “boom event” occurs?
He recommends running simulations of a real attack where worst-case scenarios occur. That experience will not only help counter an actual breach when it occurs, but improve processes for communicating with customers and other affected stakeholders.
Practice good password hygiene
Password reuse means if one account is compromised, others where an individual used the same password are also at risk. “The best thing you can do is not to reuse passwords. As you hear about these breaches, what that means is you’ve been compromised at that company. But what [the attackers] often have is your account and the password you used. If you are reusing it at other sites, they can access you at those other sites,” said Joyce.
Another poor practice is using keyboard patterns as passwords. While this approach makes passwords easier to use, hackers keep lists of them in their password databases. That means they can be as easy to crack as using “password” as your password.
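One way to enforce the advice above at account-creation time is to reject passwords that are mostly keyboard walks. The check below is an added example, not code from the article or any speaker; it assumes a US QWERTY layout and a walk length of four adjacent keys as the rejection threshold, and the test passwords at the end are constructed.

```python
"""Flag passwords built from keyboard walks such as "qwerty" or "1qaz2wsx"."""
from typing import Dict, Set

# US QWERTY rows, top to bottom; each string lists keys left to right (assumption).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacency() -> Dict[str, Set[str]]:
    """Map each key to its horizontal and (roughly) vertical neighbours."""
    adj: Dict[str, Set[str]] = {}
    for r, row in enumerate(_ROWS):
        for c, key in enumerate(row):
            neighbours: Set[str] = set()
            if c > 0:
                neighbours.add(row[c - 1])
            if c + 1 < len(row):
                neighbours.add(row[c + 1])
            for rr in (r - 1, r + 1):          # row above and row below
                if 0 <= rr < len(_ROWS):
                    for cc in (c - 1, c, c + 1):
                        if 0 <= cc < len(_ROWS[rr]):
                            neighbours.add(_ROWS[rr][cc])
            adj[key] = neighbours
    return adj


_ADJ = _adjacency()


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of consecutive characters that sit on
    adjacent keys (case-insensitive; a non-layout character breaks the run)."""
    best = run = 0
    prev = None
    for ch in password.lower():
        if prev is not None and ch in _ADJ[prev]:
            run += 1
        else:
            run = 1 if ch in _ADJ else 0
        best = max(best, run)
        prev = ch if ch in _ADJ else None
    return best


def is_keyboard_pattern(password: str, max_walk: int = 3) -> bool:
    """True when a keyboard walk longer than max_walk keys appears anywhere."""
    return longest_keyboard_walk(password) > max_walk


if __name__ == "__main__":
    for pw in ("qwerty", "1qaz2wsx", "correct horse", "password"):  # constructed
        print(pw, is_keyboard_pattern(pw))
```

Short runs like "as" in "password" stay below the threshold, so the check targets walks rather than ordinary words that happen to contain two adjacent keys.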
Go to two-factor authentication (2FA)
The consensus among all the speakers was that the traditional username/password authentication is no longer an effective deterrent. They urged businesses to use 2FA if they aren’t already—for example, sending a code to the user’s cell phone. “Having a thing you possess and a thing you know is a really powerful tool of protection,” said Joyce. He added that 2FA is becoming the government’s best practice.
What’s holding back 2FA from being more widely used is consumer resistance. It adds another step to gain access, degrading user experience. “Two-factor authentication is the minimum standard,” said Gregoire. “It’s a pain, and that’s what happens with consumer applications. There are ways of protecting people. The problem is the customer experience is difficult, so we tend to shy away from [2FA].”
Don’t use Social Security numbers as identifiers
The Equifax breach raised awareness of the vulnerability of everyone’s identity due to exposed Social Security numbers (SSNs). “I feel really strongly that the SSN as an identity or even worse as an access control is just a horrific idea,” said Joyce. “It evolved that way over time and it puts us all at risk.
“An SSN is an identifier that when you use [it], you’re actually putting yourself at greater risk because now people who steal that identity have access to your financial capabilities,” said Joyce. “Why should something you have to write down on a form and give to third parties transmit openly, allowed to be stored in filing cabinets and in records all over the country, even all over the globe — why should that be the thing that allows access to your financial records? We’ve got to move beyond it.”
Hold supply chain/value chain partners to a high security standard
Third-party providers of components and services are increasingly popular attack vectors. Many of them are small companies with weaker defenses than their larger customers, but they often have direct access to customer systems. That’s a problem, because weaknesses in the supply chain are often off security teams’ radar.
As CSO of the global value chain at Cisco, Edna Conway has to understand the threat landscape across Cisco’s value chain. That starts with knowing who all the players are. “If you don’t know who is in your value chain, you have gaps,” she said at the InfoSecurity North America event.
Knowing all the players makes it easier to identify where the biggest risks are and, in the event of a supply chain breach, which supplier was the source. “Provenance [of components] is difficult with digital, virtual products,” said Conway. An ASIC provider, for example, might source from someone else’s foundry. “The map can get daunting,” she said.
Conway also recommends that companies perform an end-to-end assessment of third-party security capabilities. You will need to balance tolerance levels for risk with the value of the relationship. For example, if there are few or no alternatives for a given supplier, you may be forced to accept a higher level of risk.
Prepare for more ransomware attacks
Ransomware attacks will increase in number, sophistication, and cost to business because they are highly profitable for attackers. Cybercriminals now act more like a business. Experts agree that ultimately the best deterrence for cybercrime is to make it more expensive. “We’ve got to understand as a nation how we are going to change the cost-benefit for cyber malfeasance,” said Joyce.
Organizations can take steps to increase the cost of doing business for ransomware attackers. Ransomware is becoming one of the biggest revenue generators for cybercriminals because too many victims pay. Government guidance has been to not pay the ransom, as many who do never get their data back. However, Joyce admitted that ultimately it’s a “personal decision you’ve got to make based on the situation.”
Employee training is also key. It’s true that employees sometimes click on links they shouldn’t even though they received training, but all speakers on this topic agreed that ransomware education makes a difference and should be ongoing.
While antivirus software is notoriously bad at detecting most ransomware attacks, new tools for detection and prevention are becoming available. At InfoSecurity North America, Cybereason CISO Israel Barak invited attendees to download its free Ransomfree tool.
Ransomfree works by focusing on the one thing all ransomware has in common: It encrypts files. The tool looks for abnormal file encryption processes and claims a 99 percent protection rate, and it works with fileless attacks. Why is it free? Cybereason requires anyone using Ransomfree to allow their systems to send any detected ransomware code to Cybereason’s servers. In other words, Ransomfree users become data collectors for Cybereason’s research efforts.
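The detection idea described above, mass rewriting of files with encrypted-looking content, can be sketched as a byte-entropy heuristic over file-write events. This is an added example, not Cybereason’s code or a description of how Ransomfree is built; the event format, window and thresholds are assumptions, and the sample events are constructed.

```python
"""Toy detector: flag a process that overwrites many files with high-entropy data."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, int, str, bytes]  # (timestamp, pid, path, bytes written) -- assumed format


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, well below for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_pids(events: List[Event], window: float = 10.0,
                    min_files: int = 5, entropy_floor: float = 7.0) -> List[int]:
    """Return pids that wrote high-entropy content to at least min_files distinct
    files within any `window` seconds. A text editor saving one document stays
    below the entropy floor and is not flagged; thresholds are assumptions."""
    high: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= entropy_floor:
            high[pid].append((ts, path))
    flagged = []
    for pid, writes in high.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            if len(paths) >= min_files:
                flagged.append(pid)
                break
    return sorted(flagged)


# Constructed sample: pid 100 is an editor saving plain text; pid 200 behaves like
# ransomware, rewriting six user files in two seconds with uniformly distributed
# bytes (entropy exactly 8.0, standing in for ciphertext).
TEXT = b"Quarterly report: revenue grew 4 percent versus last year. " * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 4
EVENTS: List[Event] = [(0.0, 100, "/home/u/notes.txt", TEXT)]
EVENTS += [(5.0 + 0.3 * i, 200, f"/home/u/docs/file{i}.docx", CIPHERTEXT_LIKE)
           for i in range(6)]

if __name__ == "__main__":
    print(suspicious_pids(EVENTS))  # -> [200]
```

Real tools also have to cope with legitimate bulk encryption (backup agents, archivers), which is why such heuristics are paired with process reputation and user confirmation rather than used alone.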
Automate where you can
Cyber adversaries are using highly automated tactics, leveraging the low cost of computing power and availability of sophisticated tools, according to Mark McLaughlin, Palo Alto Networks CEO, at the Cambridge Cyber Summit. Organizations have plenty of technology in place, he added, but not enough people to use the tools.
To compete with the bad actors, McLaughlin urged companies to, “Get automated. Drive for a highly automated, orchestrated solution with leverage.”
That’s easier said than done. McLaughlin estimated that the average company has 64 security solutions in place from multiple vendors. He expects more solutions and vendors to appear in the next few years. However, he also foresees platforms to emerge that will help manage them all and enable more automation.