Discussion Summary
Information Security in the Digital Economy
Introduction
A gathering of information security leaders took place recently at the Royal College of Surgeons in
London, hosted by HP and FireEye. Perspectives from a variety of industries were shared in respect
of the growing strategic importance of security, both prior to and post breach.
This paper provides an anonymised and aggregated overview of the points raised and makes
recommendations on how organisations can be proactive in respect of security management.
Where are we?
Looking first at the current situation, technology advances and increased interconnectedness are
conspiring to raise the spectre of security breaches, so much so that it is now a boardroom issue.
Sony, Target, the US Office of Personnel Management and Ashley Madison come to mind.
For unscrupulous actors and even nations, it is easier and cheaper to steal the intellectual property of
others rather than invest in one’s own research and development. Big and innovative organisations
are attractive targets. Corporations, organised criminals and governments are amongst the
perpetrators.
Identity theft is on the increase, as is identity exposure (Ashley Madison). The former can be
financially expensive, the latter can be emotionally devastating.
It is generally recognised that perimeter security is no longer the focal point of information security.
Could it get worse?
From an information security perspective, it is far from a steady state. Threats to organisations and
nation states are significant and evolving. Breaches are accelerating in terms of sophistication and
impact. The increasing clock speed of business is not helping. ‘Fast and loose’ is becoming
necessary to stay competitive, putting more pressure on the security architecture. Plus young people
are less diligent in respect of privacy and this inadvertently creates hacking opportunities. Increasingly
the value in organisations comes from creativity. Creative people tend to be process averse, and as
such they will increasingly be a security risk.
Governments, corporations and organised criminals know the value in your data. Plus they see your
IT infrastructure as the access channel. Many organisations are unaware that they have been
breached. The average detection period is over 200 days after the initial breach. High profile cases
have durations of seven years, such is the growing sophistication of the hackers. Unfortunately there
is a correlation between ensuing damage and the period prior to discovery.
The ‘hacking industry’ is very mature with an already established collaborative ‘supply chain’.
Specialist organisations will focus on acquiring data or creating a ‘backdoor’ without any specific goal
other than to sell their work to other parties who do have a specific agenda in respect of the
compromised organisation.
It is also increasingly likely that the threat is on your payroll. The increasing trend towards the use of
freelancers will compound the problem, as the transient profile of the workforce provides ideal
conditions to operate from within the target organisation. The risk posed by a malicious insider
cannot be overestimated.
Poor, and increasingly digitised, processes and the associated inter-process design create
vulnerabilities. And when the inevitable attack takes place, the current lack of international
coordination in respect of threat response impedes the response.
As well as using ‘insiders’, suppliers can also provide soft entry points. Attackers appear to be patient
and so are willing to play a longer game. Hybrid attacks, made up of internal staff working with
external agencies, are also on the increase.
Hackers are getting more sophisticated, building malware into the tools used to develop application
software. ‘Zero day’ attacks are on the rise, so the question is not whether you will be attacked but
how quickly you can respond to the inevitable. The proliferation of user devices coupled with the rapid
advances in personal technology increases the associated risks. Once in, the hackers are very
opportunistic. Vulnerabilities can be exploited within seconds of the opportunity arising.
At the same time, the traditional tradecraft of hackers is still a threat. Capitalising on human nature
by exploiting publicly available social network data through spearphishing is a popular, simple and
effective way to compromise organisations.
To thwart security management, hackers are increasingly embracing counter forensic practices to
cover their tracks.
Skills-wise, there is a shortfall globally in the level of security expertise available to help organisations
counter this challenge themselves.
What are the implications?
The upward trend in exploits and exploitation methods is having serious repercussions on the victims.
These include:
• Damage to corporate brands and the share price.
• Senior executives are being sacked and even being sued personally.
• Cultural breakdown as staff wonder which of their colleagues is not to be trusted. In nationally
  diverse cultures where some foreign nationals can be levered by their governments, this will
  be more acute.
• Massive strategic redirection. A focus on upcoming IPOs can, with one breach, shift towards
  how to wind down the organisation with minimum damage.
• Legal costs. Compromised security is a cash cow for lawyers. A poor response can prove
  very costly.
• Compromised organisations often, incorrectly, blame their security experts, and consequently
  lose their security talent, leaving the organisation even more exposed.
What can we do?
The perfect scenario would be to model your business on the former Alcatraz prison, highly
compartmentalised with minimal access to the outside world. But unfortunately such a model would
result in a strategic tailspin in the digital economy. Nonetheless you can still take pragmatic action to
avoid / minimise the associated risk of being compromised.
Here are some recommendations:
• Recognise that threats are inevitable and that it is quite possible that you are currently
  compromised.
• Be fully compliant in respect of your industry’s expectation. But understand that compliance is
  unlikely to suffice in respect of eliminating security threats.
• Asset management is critical, coupled with an overarching security framework.
• Focus on securing the content rather than securing the end points. Classification
  management is important, though do so in such a way that does not make the hacker’s life
  easier.
• Educate the boardroom in respect of information security management. This means they
  must be cognisant of the risks and the appropriate level of cultural, process and technology
  investment required. Be clear on who owns the response once the threat is detected.
• Educate all stakeholders including the staff, supply chain and customers as to the threats and
  necessary security policies and behaviours.
• Develop a security architecture that compartmentalises the threat and is sensitive to
  anomalous behaviour.
• Ensure the basics are in place, such as encryption, strong access control and identity
  management.
• Your security plans need to take into account immediate, near future and over the horizon
  timeframes.
• Regularly review the actors who would be interested in compromising your business.
  Consider both the why and how.
• Be clear on attribution before launching a counter offensive.
• Understand that in the fog of war, strong leadership is required, as is a well-rehearsed
  response plan.
• Understand that in the fog of war, the manner and extent to which you communicate the
  threat to the public will determine the associated fallout.
• Develop a business intelligence approach that enables prediction of likely attacks.
Conclusion
The hackers are increasingly organised and state sponsored. A proactive approach to security will not
necessarily make you watertight, but it will minimise the associated damage.
This is a boardroom issue, and thus it presents an opportunity to increase your boardroom relevance.
Security is not a department but part of the organisational fabric that embraces both infrastructure and
people.
It also presents an opportunity for your organisation to turn the security investment into business
value. Robust security governance, including a well-drilled response plan, pleases analysts and
investors. It strongly contributes to the levels of trust between your organisation and its suppliers,
customers and staff. In short it becomes part of your brand promise.
Ade McCormack
www.ademccormack.com
About the author
Ade McCormack is a near futurist, digital economy advisor, keynote speaker and author. He is a
columnist with CIO magazine, and a former columnist with the Financial Times, focusing on digital
leadership.
His experience extends over three decades and almost thirty countries across many sectors. He has
written a number of books, including one on the future of work (Beyond Nine to Five – Your career
guide to the digital age). He has also lectured at MIT Sloan School of Management on digital
leadership.
For more information on Ade, please visit www.ademccormack.com.
About HP
HP enables organizations to take a proactive approach to IT security, disrupting the life cycle of an
attack through prevention and real-time threat detection. With market-leading products, services and
innovative security research, HP Security brings a global network of security operations centers and
more than 5,000 IT security experts to help customers strengthen their security posture to minimize
risk and incident impact. HP creates new possibilities for technology to have a meaningful impact on
people, businesses, governments and society. With the broadest technology portfolio spanning
printing, personal systems, software, services and IT infrastructure, HP delivers solutions for
customers’ most complex challenges in every region of the world.
About FireEye Inc
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time
threat protection to enterprises and governments worldwide against the next generation of cyber
attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based
defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat
Prevention Platform provides real-time, dynamic threat protection without the use of signatures to
protect an organization across the primary threat vectors and across the different stages of an attack
life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic
threat intelligence, to identify and block cyber attacks in real time. FireEye has over 3,700 customers
across 67 countries, including 675 of the Forbes Global 2000.