I recently had the opportunity to visit SecureWorld Atlanta 2017, where I met a number of industry experts and attended several sessions. One of those sessions was a panel discussion titled, “Hazards on the Horizon – Emerging Threats.” The panel of CISOs discussed both the current cyber threat landscape and offered advice for keeping networks and systems as secure as possible during this era of frequent cyberattacks. Each of the five panelists was asked to provide their one key piece of advice. Here’s what they said:
Tip #1: Think Beyond the Audit
The first panelist mentioned this idea multiple times during the session. He cautioned that true vigilance extends beyond security minimums. Too many organizations, he said, are building their solutions around audits and meeting baseline requirements. “Demands and pressures are driving product change within organizations; on the outside are financially motivated cybercriminals,” he said. “Checking boxes won’t do it in terms of security.”
Tip #2: Framework First
The second CISO stressed the need for a strategic security framework, one that is elastic but focused on people, processes, and technology. He said that from a vendor perspective, organizations should focus less on “best of breed” and more on integration. “One vendor can’t have the best threat intelligence at every point in the kill chain,” he advised. “Think more about integrated toolsets, with pieces that truly work together to give you what you need.”
Tip #3: See, Segregate, Secure
The third panelist was firm about the need to have visibility into networks and systems. “You need to know what’s talking to what, separate and segment, and encrypt everything else,” he said. With a nod to his fellow CISO’s point about framework, he noted that IT teams should focus on creating an ecosystem in which pieces talk to one another and limit the number of consoles attached to networks when possible.
Tip #4: Segment or Suffer
In a follow-up to the third panelist’s tip, the fourth CISO stressed the need for network segmentation. “Huge portions of security lie outside of compliance,” he warned. He specifically called out cloud traffic and morphing malware and ransomware as ongoing threats. He also mentioned the dangers related to shadow IT — those information security applications and solutions that are deployed within a network unbeknownst to infosec teams — and reinforced that segmentation can help limit the negative impacts of these stealth systems.
Tip #5: Get Back to Basics
The final panelist reiterated a point he had made earlier in the discussion: that organizations needed to focus more on security basics in order to best manage the push and pull of everyday business. “The balance between connectivity and productivity is very difficult,” he said. “We need to recognize that the business always wins and position ourselves better to manage the risks that we know are going to come from that.”
He contrasted the policies and procedures of brick-and-mortar locations with those of online systems to emphasize his point. “In banks and other physical locations that hold valuables, there are vaults and keys and access restrictions and definitive logs,” he said. “In the digital realm, we are a lot more lax.” He cautioned that too many organizations are not locking down sensitive and confidential data and systems, and they are not explicitly aware of who is accessing those important assets and when they are being accessed.
“Cybersecurity best practices are easier said than done,” he admitted. But he stressed the need for organizations to be more in tune with tracking user privileges and managing credentials.
Bonus: On Ransomware and End Users
No panel discussion about cybersecurity threats would be complete without mentions of ransomware and end users. The panelists agreed that ransomware infections are not likely to cease, but they cautioned against losing sight of even more persistent cyber threats. “It’s important to recognize that most ransomware wants to be known. It shows itself,” one CISO stated. “The scariest infiltrations are the ones that don’t want to be known, that hide on the network doing whatever they like.” (For more thoughts on how ransomware could morph into being both an immediate and lurking threat, check out this post by Wombat’s Chief Architect, Kurt Wescoe.)
That said, all panelists agreed that end users are an often-overlooked (and minimized) factor in risk management strategies. “It always comes back to the end user,” a panelist noted. In particular, they cautioned against underestimating the pervasiveness of password reuse and the potential for cybercriminals to use readily available tools and information to craft sophisticated, personalized attacks that are designed to trick users. One CISO jokingly reminded the audience, “What’s the difference between phishing and spear phishing? LinkedIn and Facebook.”
This just emphasizes the need to not only tell users about the threats that are out there but to educate them to recognize and avoid attacks and to apply fundamental best practices. Ongoing security awareness training is the most effective way to keep cybersecurity top of mind for end users and create a culture in which cyber hygiene becomes a daily habit rather than an occasional topic of conversation.