If people think they have effective cyber security, they are almost certainly mistaken.
Let’s look at the results of Protiviti’s 2015 IT Security and Privacy Program. The summary offers four “key findings,” but I found other content far more important.
Protiviti asked, “On a scale of 1 to 10, where ‘10’ is a high level of confidence and ‘1’ is little or no confidence, rate your level of confidence that your organization is able to prevent a targeted external attack by a well-funded attacker.” The answers ranged from 6.4 to 7.8 depending on the level of board engagement, and from 6.2 to 7.8 depending on whether the organization had core information security policies.
This is not a rosy picture. Personally, I don’t see how anybody can have more than a five.
They also asked about preventing a breach by a company insider. The answers ranged, depending on the same two factors, from 6.1 to 7.7 and from 6.1 to 7.5.
Protiviti found a disturbing (but unsurprising) number of organizations that had not identified their “crown jewels” — the information assets they most needed to protect.
This survey has a wealth of information and action items for management.
But have events changed the nature and scale of cyber risk so much that Protiviti is no longer asking the right questions?
Speakers at the recent RSA conference had some interesting and even more disturbing opinions.
And the News Gets Worse
“Get used to it?: Mega breaches” (sic) tells us:
- 100 percent security is impossible
- Soft targets abound across corporate America
- Defenders need to think about making cyberattacks expensive in terms of time and costs. In so doing, organizations can make it more likely that cyberattackers will turn to other, more vulnerable businesses. “It's like the saying, ‘you don't have to outrun the bear, you only have to outrun your friend.’”
- The long-term answer is security analytics, which is an emerging class of technologies that unify multiple security controls, along with threat intelligence, into a cohesive, enterprise-wide approach
The really dire news came in “RSA: Cyber-security industry is ‘fundamentally broken,’ says Amit Yoran.”
The RSA president said: “Infosec is ‘fundamentally broken.’”
- Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that “make us feel safe” but don't address real problems
- Look at the major breaches of recent memory, said Yoran, and you will find companies that were attacked despite using next-generation firewalls and high-level software that, for all their cost and promise, allowed massive, embarrassing and harmful breaches
- [Current practices are only] detecting advanced threat breaches less than one percent of the time. It's indicative of an industry asleep at the wheel, and if nothing is done, warned Yoran, “it's going to get worse.”
Finally, some reinforcement for points made by Protiviti comes in “RSA: Insider threats – ‘People are the new perimeter.’” I don’t think the author makes the point as clearly as needed: it’s not only that insiders are the attackers; they are also the way that external hackers gain access — through their carelessness, their devices and so on.
One point I did not see stated in any of the above is that an enterprise can be attacked through its extended enterprise — vendors, partners and so on. Sophisticated hackers learn about an organization’s employees, customers and so on, identify the weak points and launch their attacks through them.
A Call to Action
To my mind, the current state of affairs calls for:
- A risk-based approach
- A need to know which are your crown jewels; which information assets need more protection
- Recognition that relying on a perimeter defense is unsound. You have to assume that it will be breached
- The capability to know when you have been breached
- The ability to detect rapidly what damage has been and is being done
- Procedures to deal with a breach quickly, with a response that includes business as well as technology executives
- Constant vigilance and the ability to continuously upgrade defenses
- An investment in cyber-related technology, including the security analytics referenced above
What do you think?