Help create tar-pit cyber security for your organisation
James Scott, February 19, 2016
HR departments must seek to protect their own sensitive data and educate the wider organisation
The cyber security industry is riddled with faux experts and talking heads who stir fear in the public through regurgitated quotes in order to serve their special interests. Their tirades, beginning with rants containing phrases like ‘Cyber Pearl Harbor’ and ‘we are in the midst of cyberwar’, typically come from someone with little, if any, information security background. Do we face sophisticated and stealthy adversaries in cyberspace? Absolutely. However, contrary to the vitriol spewed by these alarmist personalities, adherence to a few best practices can thwart most attacks.
Cyber security is not necessarily about stopping hackers at the front door. No amount of physical, administrative, or technical controls can stop a persistent threat. With enough resources and effort any attacker can breach any system. Cyber security focuses on resilient defences, which deter undedicated adversaries, slow inbound attacks, and provide time to detect and respond to the threat.
The US Office of Personnel Management (OPM) breach last year brought the necessity of organisational cyber-reform to the fore. Public and private organisations alike would do well to heed lessons from OPM’s mistakes. Your business should have a dedicated information security team, which is separate from the IT department, that focuses exclusively on organisational cybersecurity.
The information security team will be responsible for facilitating quarterly risk analysis on the network and staff, updating application patches, conducting continuous penetration testing on current networks and devices, and managing the physical, technical, and administrative controls pertaining to staff and third parties who have access to your network. The info-sec team will also manage ongoing training, where other employees will learn about the latest threats to your industry and to the organisation as a whole, and how they can thwart attacks.
In the technology sphere there are many charlatans trying to sell you an illusory ‘comprehensive’ strategy consisting of archaic solutions and antiquated technology. Adversaries easily breach these systems. The solution is to know what technical controls your organisation needs, to acquire those systems from reputable vendors, and to implement them according to the security requirements of your network.
As you are constructing your cyber defence, visualise a tar-pit scenario. You want to slow down a breach so that it can be detected and its impact mitigated. Start with multi-factor authentication and strong passwords with 12 to 16 uppercase and lowercase letters combined with numbers and punctuation, and change them each month. Anti-virus, intrusion detection/prevention systems, and a solid firewall are the foundation for technical cyber security. But many companies start there and fail to build a more resilient defensive posture upon this foundation.
Next, take control of your email. The OPM breach, like most, was extremely simple and started with a malicious link or attachment that downloaded malware that recorded keystrokes to gain legitimate user credentials. Then the adversary moved laterally through the network by masquerading as a legitimate user, elevating user credentials to the admin level for unbridled access to inject fraudulent data and create additional footholds for future access. Always confirm that links are safe before clicking, and if there is text with a hyperlink, hover over it to confirm the link before clicking.
Remember to set your social media accounts to their highest level of security so that only people you have confirmed you know can see your posts. The more information the adversary can obtain about you, the more targeted and clickable their spear phishing attacks become. Invest in user behaviour analytics (UBA). If an attacker should penetrate your network, UBA will detect the abnormalities in their behaviour and flag this with the info-sec team.
Last, but not least, data should be encrypted while stationary, during transactions, and while in transit. An attacker who has penetrated your network will have a difficult time moving around if they cannot see what they are doing. Encryption places a blindfold on the digital eyes of the hacker and slows them down tremendously so that UBA can detect their presence. For forms with multiple fields your info-sec team should use a different encryption algorithm for each field.
The task of creating a corporate culture that includes better cyber security practices can be daunting, but it does not have to be. A techno tar-pit is the first step in protecting your organisation. The creation of an info-sec team and the employment of anti-virus, advanced firewall, multi-factor authentication, spear phishing awareness, multilayered encryption, UBA and continuously updating patches to vulnerable applications, will eliminate 99% of the vulnerabilities that hackers seek to exploit.
James Scott is senior fellow and policy advisor at the Institute for Critical Infrastructure Technology, a Washington DC-based cyber security think tank.