We Have No Choice. We MUST Make 2017 the Year of Cybersecurity

By Sean Martin, CISSP

The official start to the new year has come and gone. Some of us set New Year’s resolutions and stuck to them, some of us set resolutions which have already flown out the window – and for the rest of us, our resolution was to not even make resolutions. Why bother, right?

Regardless of which category you fall into, as a society there’s one action we can no longer afford to ignore: good cybersecurity practices.

Unfortunately, 2017 won’t be the year that the number of cybersecurity attacks takes a dip. But we feel strongly that if we get back to “nuts and bolts” tactics and rely more on simple methods to close security holes, more businesses will be spared. When you look at recent high-profile attacks, most originated from a past flaw whose patch was released months or even years ago but wasn’t properly applied to the attacked company’s system.
— Dana Epp, CTO, Kaseya

We can learn from our past mistakes so that we are not doomed to repeat them when our old ghosts suddenly show up to haunt us.

We can expect ghost hacks from prior years to continue to haunt us in 2017 – likely in even bigger numbers than has occurred so far (in terms of incidents, not records). It’s more than likely that new breaches occurred in 2016 that we may not even learn about until 2018 and beyond. Alleged breaches are often only detected when leaked information surfaces on the web, with elapsed time playing a major factor. If enterprises are able to promptly detect breaches, then a lot of the damage can potentially be avoided.
— Amichai Shulman, CTO, Imperva

Rather than lower the bar on preventing cyber risk so that everyone makes it, let’s raise our standards to show other businesses what is possible, like the financial services sector.

Businesses who take steps to mitigate cyber risk across their supply chain will raise security standards for other businesses and heighten accountability. This pattern has begun to emerge in the financial services sector, where many organizations have taken deliberate steps to reduce the likelihood of data breaches. If organizations across all industries mirror this approach, data breaches will not be the assured phenomenon as they appear to be today.
— Stephen Boyer, CTO and co-founder, BitSight

As with that New Year’s resolution to finally learn oragami – those paper birds aren’t going to artistically fold themselves – we need to take action in order to get the results we want when it comes to preventing data theft.

As data breaches, issues of lawful hacking and surveillance become mainstream concerns, firms can support user privacy and protect against identity fraud by using encryption to prevent the worst impacts of data theft and loss.
— David Berman, Senior Director, Product Marketing, CipherCloud

Vigilantly improving cybersecurity is especially important when we realize just how much of our lives are connected to the Internet of Things (IoT): 17.6 billion devices, from the innocuous smartphone to life-saving medical devices.

If we can thwart some of the lethal attacks from hackers against connected cars or connected medical devices we could potentially save a few lives.
— Mandeep Khera, CMO, Arxan

Smart organizations will improve their security strategy for 2017 rather than continue to rely on outdated solutions that no longer work efficiently.

Many organizations have been buying trends, rather than mitigating risks, and continuing to use outdated solutions out of commitment to a defense-in-depth strategy that no longer serves them. Antivirus is a good example. Security experts have been publicly stating that antivirus has lost its efficacy, ever since Imperva’s study was cited in The New York Times three years ago. Add to that, threat alert fatigue. In a December 2016 McAfee Labs Threats Report study, 93 percent of 400 security professionals reported that they aren’t able to triage all relevant threat alerts. Between trying to find the needle in the haystack and running around like the little Dutch boy plugging the dike with his finger, they’re suffering from burnout. We predict enterprises will try to improve usage of their existing security arsenal in 2017 and smarter organizations will rethink their strategy in general.
— Amichai Shulman, CTO, Imperva

The human factor is always the weakest link in the security chain, so no one is exempt from responsibility when it comes to our society’s security.

Users are the Achilles’ Heel of security – attacks from authorized insiders will continue to grow and get more sophisticated due to their ease of execution.
— Mark Bloom, Product & Partner Marketing, Security & Compliance, Sumo Logic

From personal relationships to business transactions, trust is the cornerstone to security. Don’t take it lightly.  

Consumers need to feel that organizations they entrust their sensitive data to – banks, insurance companies, healthcare providers – are going to implement reasonable data protection and security controls. Without trust, companies will become irrelevant.
— Mark Bloom, Product & Partner Marketing, Security & Compliance, Sumo Logic

Let 2017 be the year you make and keep your New Year’s resolutions – from finally giving up your Hammer Pants, fanny packs and anything with shoulder pads, to protecting your business, customers and society as a whole.

Given the current state of cybersecurity and the critical need to do a better job at preventing malicious attacks in this IoT world we now live in, ITSPmagazine went straight to the industry experts for recommendations on what we can all do to make 2017 the year of cybersecurity.

1) Get Back to the Security Basics

What needs to happen: Organizations need to stop allowing unstructured data to be unprotected when it accounts for about 80% of most organizations’ total data.

Who should do it: Every security-minded organization.

Recommendation: “The first step is gaining visibility into unstructured data – knowing who has access to it and what they are doing with that access,” says Adam Rosen, VP, Data Access Governance Solutions, STEALTHbits Technologies. “Armed with this information, the next step is establishing a Data Access Governance program to limit the amount of unstructured data, as well as access to it. Step three is obtaining visibility into Active Directory and Windows Operating Systems.”

According to Rosen, taking these steps will ensure that all passwords, configurations and settings align with security best practices.

“That can mean removing inappropriate access rights in Active Directory and fixing improperly configured systems so attackers can’t obtain the privileges needed to seriously compromise credentials, data, and resources,” adds Rosen.

2) Replace Passwords with Passphrases

What needs to happen: Make passwords longer by turning them into passphrases. For example, the password “killbots2017” could become the passphrase “IamGoingtoKillBotsin2017.”

Who should do it: The general public.

Recommendation: “Despite a general increase in password complexity, criminals are still using dictionary and brute force attacks to cause security and privacy breaches,” says Stephen Singam, Managing Director of Security Research at Distil Networks. “An easy way to strengthen a password without making it more difficult to remember is to make it into a passphrase. For every additional character, the number of possible combinations increases exponentially. This makes brute force attacks much less effective.”

Singam suggests that this is especially important in light of the latest Yahoo! data breach, where 1 billion users’ information (including phone numbers, birthdates and security questions) was leaked.

“Those pieces of information won’t protect user accounts anymore,” adds Singam.

3) Deploy More Stringent Access Controls

What needs to happen: Authenticate users by Risk-Based Authentications (RBA) rather than Knowledge-Based Authentication (KBA).

Who should do it: Systems Administrators, Cybersecurity Professionals and CIOs.

Recommendation: “Credit card merchants authenticate and approve transactions based on attributes such as credit limits, spending trends and location – a practice that reduces data breaches and credit card fraud much more successfully than authenticating a person via a signature,” says Stephen Singam. “Think about it – when was the last time anyone checked, let alone challenged, your signature at the checkout counter?”

Singam explains that Risk-Based Authentication, which is a risk adaptive mechanism, utilizes risk profiles and matrices as a layer of defense against data and privacy breaches, whereas the Knowledge-Based Authentication mechanism is essentially just another password that could be easily compromised.

4) Revoke Privileged Access for Users Who Do Not Need It

What needs to happen: Protect your crown jewels by controlling access.

Who should do it: Software Developers, Systems Administrators, Cybersecurity Professionals and CIOs.

Recommendation: “Privilege escalation increases the risk of unauthorized users compromising confidential and mission-critical information,” says Stephen Singam. “Software developers must assure us that their software code runs without administrative privileges as much as possible and Systems Administrators, Cybersecurity Professionals and CIOs need to assure us that their applications and systems are patched and updated as soon as possible.”

Singam suggests that by minimizing privileged access, organizations can prevent criminals from installing malicious software and bot programs.

“Unnecessary privileged access can be used to steal confidential and mission-critical information, and to launch botnet attacks on mission-critical systems such as airports, highways, rail transport, hospitals, bridges, the electricity grid, dams, nuclear power plants, and water systems,” adds Singam.

5) Increase Cyber Education and Awareness as a Society

What needs to happen: We need to increase cybersecurity education and awareness to help stem the tide of catastrophic data breaches that are sweeping businesses and impacting consumers.

Who should do it: Federal Government.

Recommendation: “Collaboration between higher education, social media and government is critical,” says Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies, Inc. “Imagine a year where a previously crippling cyber breach has little effect because everyone has different passwords for all websites they frequent, multi-factor authentication, and deeper encryption for data at rest and in transit.”

6) Bring Corporate Cybersecurity Awareness Programs to the Next Level

What needs to happen: They can throw all the security solutions they can afford at the security problem, but if the personnel responsible for overseeing those solutions reuse passwords, fall for a phishing attack, or don't know how to recognize the signal from the noise, all those dollars invested are for naught.

Who should do it: CISO / CIO / CRO, depending on the company structure. Basically, whomever is responsible for the internal security of the company or managing risks at a company wide level.

Recommendation: Alvaro Hoyos, CISO at OneLogin, says that this initiative entails improving:

  • Employees' communication channels so they can report suspicious activity in a timely manner; many times the channels are there but employees are unsure to whom or how to reach out.

  • Employees' cybersecurity awareness so they can better recognize suspicious activity; think of it as crowdsourced intrusion detection or malware detection.

  • Curiosity about cybersecurity issues, so there is a culture of collaboration and communication amongst themselves and it is not something that is forced on them from the top down. Foster an environment where employees are concerned about cybersecurity not just for the company, but also for their personal lives.

7) Pay Attention to What Users and Administrators Are Doing

What needs to happen: These solutions are generally referred to as User Activity Monitoring (UAM) and User Behavior Analysis (UBA). This should be a key focus area for 2017, due to the access rights that insiders have to critical PII and IP.

Who should do it: SecOps and LOB leaders.

Recommendation: Mark Bloom, Product & Partner Marketing, Security & Compliance, Sumo Logic, says that what’s required is “An understanding that security solutions are rarely successful in detecting newer, more advanced forms of malware, and that Cyber-attacks today mostly target your users – not your infrastructure. As technology leaders wake up to this new reality, security programs need to be reengineered to focus where true risk lies: with the user.”

It’s not always a case of black and white or on and off. Sometimes the grey areas need some deep analysis.

Bloom adds, “The best defense is to know what typical user behavior looks like – and more importantly, what it doesn’t look like.”

8) Review Security Practices for Vectors Beyond Traditional Things like Networks, Firewalls and Web Applications

What needs to happen: New vectors are mobile and IoT, and we need to ask the question: are we secure in these areas? If not, or if you’re not sure, review and find experts to get the budget and start securing those areas with full urgency because major attacks are coming on this low hanging fruit.

Who should do it: CISO, CMO, Digital Marketing/Mobility groups, and Product groups – separately and together.

Recommendation: Mandeep Khera, CMO at Arxan, says that what’s required is a “[c]ommitment to secure the new technology vectors that are ripe for hacking. You will need buy in from top management to the lowest levels or it won’t happen.”

It may seem like these new technologies are not a target for your company yet, making it easy to postpone the investment to protect them. However, Khera offers a different view for this position.

“In general, protecting against attacks on mobile and IoT infrastructure can save a lot of money and time for our businesses which is always better for the economy. Other blocked hacks can save our IP from being stolen,” he adds.

9) Extend Risk Assessments to Address Third-Party Vendor Risk

What needs to happen: An excellent place for organizations to start strengthening their security practices and controls is with third-party vendors. Businesses of all sizes, across all sectors recognize the immense challenges they face with cybersecurity, and those who develop strong security programs will gain greater trust from their customers (both consumers and other businesses).

Who should do it: Boards of Directors and C-Suite Executives.

Recommendation: “In order to best manage risks in 2017,” says Stephen Boyer, CTO and co-founder, BitSight, “organizations must ensure that their supply chain and business partners are secure. Organizations must be held to a higher standard when it comes to cybersecurity – whether that is defined by their industry or more specifically by business partners they work with.”

Progress needs to be driven from the top down: boards of directors and C-suite executives need to invest in the right technology, the right people, and implement the right policies. In addition, organizations need to create a culture where security awareness amongst employees is heightened.

Boyer adds, “Starting with the following basic security practices is a great foundation: multi-factor authentication, regular patching of known vulnerabilities, sound asset management, ongoing security monitoring, and rapid response and recovery.”

10) Consider 2017 the End of Defense-in-Depth

What needs to happen: The past five years have been a tremendous challenge for security teams – they’ve continually deployed more systems and technologies only to grow increasingly frustrated by new risks and attack vectors. We need to keep in mind that there is no one-stop shopping when it comes to security and to make sure that our technology is always up-to-date.

Who should do it: Security administrators and risk managers.

Recommendation: Says Amichai Shulman, CTO at Imperva: “Develop a comprehensive plan to address your specific business threats rather than the full array of current attack vectors, and finally dispose of dated technologies. Early adopters went through this process in 2016, and are emerging in 2017 with new buying patterns.”

The buying and deployment patterns of the past won’t suffice for the InfoSec programs of the future. Repeating the failures of the past could be viewed as insanity.

“At the beginning of 2016, we felt some complacency among security teams that their investments from the prior year would eventually pay off – that they weren’t going to experience major data breaches,” adds Shulman. “They quickly discovered that no sooner had they completed one security project when a new threat requiring deployment of yet another technology popped up. Showering sales prospects with apocalyptic scenarios, multiple solutions touted by small, nascent security companies, and ‘solution creep’ set in.”

11) Shift Focus from Infrastructure Security to Data Security

What needs to happen: The explosion of cloud computing has made many traditional perimeter network controls irrelevant, so protecting data requires a shift in mindset; from infrastructure to data. Look for tools that provide visibility, policy controls, and strong data protection.

Who should do it:  IT Security, Risk and Privacy professionals.

Recommendation: David Berman, Senior Director of Product Marketing, CipherCloud, says: “First you need to really understand what data is sensitive, where it is going, and who needs to interact with it.”

The tools used to manage the data need to ensure that the protections follow the data regardless of where the data resides; in the cloud or on endpoint devices.

Adds Berman, “Effective encryption will become increasingly important but organizations will have to maintain exclusive control over the encryption process and the keys for it to be effective.”

12) Reduce the Complexity of Internet of Things (IoT) Security

What needs to happen: Because of the convenience that the Internet of Things provides us, it can be easy to overlook security measures that are required to keep the user safe. Keeping it simple will help with security implementation. 

Who should do it: Industry professionals, manufacturers and government.

Recommendation: “Collaboration between the security industry, IoT manufacturers and the government to reduce IoT complexity as well as putting security first,” is what Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies, Inc. suggests. “The Internet of Things has already made our lives more convenient, but these same ‘things’ put our security at risk.”

This realization was made painfully obvious at the recent CES 2017 in Las Vegas where sensors, devices, vehicles, and networks were all shiny and new, but lacked the security features cybersecurity professionals would expect.

When it comes to the impact on society, Bussie adds: “Simplifying a universal approach to security will make it easier for decision makers in businesses and in consumer households to implement ‘things’ with simple security measures anyone can understand.”

13) Recognize the Botnet of Things

What needs to happen: According to IoT Agenda, “An IoT botnet...is a group of hacked computers, smart appliances and Internet-connected devices that have been co-opted for illicit purposes.”

Who should do it: Network and systems administrators

Recommendation: “Depending on the adoption pace of IoT,” says Amichai Shulman, CTO at Imperva, “we expect to see two distinct types of trends.

“First, we’ll see a surge in botnet numbers and sizes. From a research perspective, we consider botnets to be on par with residential routers, as most IoT devices sit within home networks and aren’t directly exposed to the web. That said, we’ll likely see a few internal incidents that will ultimately be traced to a compromised IoT device having been (inadvertently) brought within the range of the compromised network.

“Secondly, we’re going to see even more botnet-for-hire activity. Sophisticated botnets are easier to rent than ever before; prices are dropping and sizes are increasing. Being so readily available, anyone can launch a fairly sophisticated attack without having any hacking expertise whatsoever. Where there’s opportunity for mayhem, it happens. We’re not expecting to see improvement in the security of IoT devices, so whatever type of new IoT devices penetrate the market in 2017 are likely to be the next botnet platform.”

Shulman’s suggestions fall into two categories:

  • Consumers: Change the default passwords on connected IoT devices! The default password is not just the equivalent of leaving your door unlocked, it’s like leaving it wide open.

  • Organizations: Clearly the abundance of botnet for hire increases the need for DDoS protection. More organizations of all sizes and verticals are bound to get ransom demands or face network disruption unless they proactively take the right measures. Additionally, compromised IoT devices are going to surface as a new vector for internal compromise, raising the need for insider threat protection strategy.

When it comes to the impact, Shulman goes on to say, “Most connectivity growth is related to the IoT: surveillance cameras, fitness wearables, smart devices of all types, and other connected appliances. Along with their embedded computing and communication abilities coupled with relatively high mobility, they are devoid of professional system or software management. And since default passwords are rarely changed by end users, the devices are ripe for compromise. Mirai-controlled surveillance cameras and ancillary recording devices presented the opportunity this past year.”

14) Don’t Forget the Ghosts from the Past

What needs to happen: Security teams need to be aware of, and vigilant about, detecting more real-time data breaches.

Who should do it: InfoSec teams and their managers

Recommendation: Amichai Shulman reminds us: “While the IoT is shiny and new, other still-viable threats are stuffed into the back of the closet covered in dust. If there’s one thing everyone learned this past year, it’s that breaches – even the largest of them – can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped onto the Darknet in 2016. This means that at least some of it has been circulating for years, as in the recent discovery of over one billion Yahoo! user accounts stolen in 2013. It took three years for Yahoo! to learn of the breach, and only after law enforcement had been made aware of it by a hacker.”

“While enterprises should remain vigilant in preventing exfiltration of sensitive data, they’d benefit from placing more emphasis on timely incident detection. Take a fresh look – don’t let great be the enemy of good. Organizations don’t have to constrain themselves to real-time detection to shorten threat discovery times.”

“Reported in late November 2016,” Shulman adds, “the Madison Square Garden episode is another [data breach] example, having only been detected when compromised data, including cardholder names, credit card numbers, expiration dates and internal verification codes, were exploited by miscreants. While the stolen account passwords weren’t in clear text, a year elapsed between the leakage and eventual detection, giving the attackers plenty of time to crack most of them.”

What Steps Will You Be Taking to Make 2017 the Year of Cybersecurity?

When you break your New Year’s resolution to stop using text acronyms in speech (like that annoying AF phrase TBH), it affects only you. But when you break your resolution to improve your business cybersecurity practices, it affects countless people. With the IoT rapidly integrating into every aspect of life, cybersecurity can no longer be an afterthought.

As Dana Epp, CTO, Kaseya says, “Lack of consistency in our security hygiene opens the door to hackers to walk through and wreak havoc. In the coming year, a greater emphasis will be placed on basic security hygiene like patching systems, installing proper antivirus and antimalware, and backing up systems.”

From replacing passwords with passphrases, increasing cyber awareness as a society, shifting focus from infrastructure to data security, and reducing the complexity of IoT security from the manufacturer to the user, these security experts have given us plenty of recommendations that we can all start following today.