For almost 30 years, I’ve had the privilege to defend some of the most important critical infrastructure organizations in the communications, critical manufacturing, information technology, and financial services sectors that touch people’s daily lives in some way.
Cybersecurity Commonalities across the Different Industries
We live in a technology-hungry society. In general, consumers are happy with the technologies that make their lives easier, but they don't understand the risks and consequences that go along with technology. Cybersecurity is ingrained in almost every single industry and the commonality between them is that the adoption rate of technology continues to far exceed our ability to make sure there's a viable level of safety.
That's our responsibility – to help our businesses understand what those consequences are. Between the last decade, with the cloud and the Internet of Things (IoT), and the next ten years in which we’ll see more machine learning, artificial intelligence and robotics, the natural next step in this evolution is safety. The consistent message for the next decade will be around the fast rate of technology adoption versus safety and privacy. When push comes to shove, we tend to favor the technology over the safety.
Business Challenges with the Cloud and IoT
Many people in the industry get frustrated because the messages haven't changed much. Over the last 20 years, we’ve been hearing the same stories, like “a stolen userid and password was used on another system or site” and “a missing patch was attributed to a breach.” Issues around identity, passwords, privileged access and third-party access are a consistent theme as well.
Another repeated issue is poor application security practice. You hear terms like the OWASP (Open Web Application Security Project) Top 10 – it has been around for over 15 years and has largely remained the same. Only recently were two new issues added, so that makes it the OWASP Top 12 now.
Five Core Issues of Basic Cyber Hygiene
Companies struggle to know the state of their monitoring and detection capabilities, and struggle even more to detect that they have been breached or intruded upon. Last year the Department of Homeland Security and the National Institute of Standards and Technology (NIST) both published IoT best practices to support better IoT security. Five to ten years ago, organizations such as the European Network Information Security Administration (ENISA) and the Cloud Security Alliance published guidance and controls that spelled out what to do to ensure cloud platforms are safe.
If you watch the news, the automotive and biomedical hacks – insulin pumps and pacemakers – exhibit those same five core problems repeatedly. The typical pattern is that those five core issues are an afterthought as things are built.
Whether you're a 200-employee company or you're half a million employees strong, your team has to take care of the five core basics:
- Invest in vulnerability patching and make sure user IDs and passwords are properly managed.
- Implement adequate identity access management controls.
- Ensure that you bake in routine (if not just-in-time) application security assessments for the software you sell and/or the websites and services you run.
- Select and implement a set of technologies to help detect and respond to attacks and compromise.
- Make sure that you’re using encryption and train your people to delete information that’s no longer relevant.
Unfortunately, as simple as five steps sound, this is unbelievably, incredibly hard.
Furthermore, it's more than just a scale problem. If you're in a 200-person company, there are probably two to five people who run the entire IT department and very likely no security person to speak of. So who's verifying those five basic cyber hygiene issues?
You should know what your risks are so you can communicate to both your leaders and your employees, based on where the focus should be and where they can help you. From a risk perspective, all the major security frameworks come with a risk management methodology. Look at ISO/IEC 27001, CIS Controls (formerly SANS 20), and the NIST Cybersecurity Framework as three examples to get started. Apply basic cyber hygiene in the context of your risk and stay diligent. We as an industry need to try to avoid the same breach scenario that happens over and over again.
The Speed of Technology Makes It Difficult to Keep Ahead of the Curve
Take technology like an Amazon Echo, which you turn on, configure remotely through a handheld device, and then it just manages itself. It auto-patches, because when you configure it you authenticate it and you provide secure access to it, so not everybody can just access it by default. Amazon has done a good job of embedding security into the device. Advancements are needed in voice authentication with the Echo, but, in this case, the device is secure by design. Groups that are building technology or capabilities with security by design and privacy by design are the ones that are preparing their technology for mass consumption in this era of the IoT.
If you analyze the big news stories, they cover a wide range, from DVRs and baby cams – which I put in the land of the creepy toys – to automobiles and the U.S. drone fleet. Back in 2011 there was malware on one-third of the U.S. drone fleet, yet you would think that military organizations managing weaponized drones carrying bombs or missiles could make sure their technology is patched, vulnerabilities are managed, only authenticated users can access the device, and communications are secure (encrypted). However, they're not. So it is not simply a matter of small or cheap fixes being economically unsuitable. According to the 2014 Verizon data breach investigations report, 99 percent of all breaches were preventable and were caused by known vulnerabilities with fixable patches – by implementing just one of those five things I mentioned. How come we're not able to do that?
Stay tuned for Part 2, where Phil explores the need for society to take part in the understanding of the challenges we face while embracing diversity as we work together to tackle them head on.
About Phil Agcaoili
Phil Agcaoili is the CISO of Elavon and Senior Vice President at US Bank. He's the former CISO of Cox Communications, VeriSign and SecureIT, and helped transform security at GE, Alcatel, Scientific-Atlanta, Cisco and Dell.