Cybercrime’s a global pandemic, and no organization, large or small, is immune. When everyone’s at risk, everyone’s responsible. And how they handle this responsibility has global implications.
If there’s any good news, it’s that everyone’s in it together. By making “Think Global, Act Local” the theme of its 2017 Cybercrime Symposium, Sage Data Security issued a call to action. Every organization’s charged with investing in the right people, training, technologies, and services to protect themselves, while striving to be an asset to a global community where collaboration’s critical.
“Today, cybersecurity’s a collaborative sport,” said presenter Don Anderson, CIO, Federal Reserve Bank of Boston in his presentation. In the past, banks balked at participating in FED-sponsored information-sharing groups for fear of giving competitors a leg-up. The reality’s far worse, said Anderson: “If a bank’s taken out by a cyber event, the one down the street’s going to get hit as well.”
And while national cybersecurity policies are continually evolving, said Robert Mayer, VP of Industry and State Affairs for the USTelecom Association, government agencies are benefiting from the industry-driven NIST framework and resources like USTelecom’s 2018 Cybersecurity Toolkit. Oversight groups continue efforts to improve NIST, he said, “to make sure the framework continues to evolve in a way that industry's going to feel comfortable embracing.”
So buckle up, and check out other key takeaways from Sage’s filled-to-capacity symposium:
Don’t Be a Weak Link
Cybersecurity doesn’t stop with CISOs or infosec teams. Every individual, from board members to executives, employees, partners, and suppliers, has skin in this game. When one person can bring down a company, conglomerate or country, the cybersecurity community can’t tolerate weak links.
Thus, there’s a new security mindset whose pragmaticism supplants the inflexible idea that prevention alone can secure operations, said Sean Sweeney, CSA of Microsoft’s Enterprise Cybersecurity Group, who detailed ways that evolving mindsets and the practices they dictate strengthen security.
Traditional prevention-only strategies weaken security postures. When SOCs miss that inevitable breach, it can hang around for several years. Instead, strong security teams have an “Assume Compromise” mentality.
“My job as CISO is to invest properly in protect, detect and response controls,” he said. “Then, when protective controls fail, I fall back on detection and response controls.”
You Got Money? We Got Malware
The diversity of cyber-actors today translates to astounding agility. Now, this gang of thieves includes a new criminal element. They are, in essence, cybercrime dilettantes. Today, any Tom, Dick, or Harriet can be a cybercriminal. With target in mind and money in hand, they simply hire experts to do the job.
Presenter Raj Samani, McAfee fellow and chief scientist, addressed the rapid rise in cybercrime-as-a-service, whose providers operate like any other business, working with channel partners, and offering support, warranties, and SLAs.
“Today's cybercriminal requires no technical knowledge — just the means to pay,” he said. “If you want to bring down one of your competitors, you can do it for less than the price of a cup of coffee.”
A Walk on the Dark Side
Increasingly, these providers and other cyber-actors play their trade on the dark web, leveraging its anonymity, restrictive access, and other advantages.
RSA’s Neil Wyler, a threat hunter who spends a lot of time embedded in this virtual Wild West, served as tour guide in a presentation that educated attendees on darknet resources — underground versions of popular Internet tools, including browser variations, search engines, social networks, and hacker forums. A thriving marketplace sells illegal products and services, including cybercrime services and toolkits of every flavor.
Speak Up, Simulate, and Share
Growing attack sophistication, ever-changing technology, and unpredictable employees — what’s a CISO to do? A lot, actually. Some advice from key presenters:
Mandate security-awareness training and measure its success.
Quincy Jackson, a red team lead whose job is to emulate bad guys to gauge his employer’s cyber-readiness, recommended that CISOs set goals for awareness programs, track them, and when met, incrementally raise the difficulty quotient.
“Some companies are very aggressive,” he said, blocking employee Internet access if, say, their frequent phishing victims. “It becomes a safety issue because offenders are a risk to their companies.”
Don’t just talk about incident response — run simulation drills.
For most organizations, their incident response plan is just a “tabletop exercise, where everyone sits around a table and talks about what they’d do,” said emergency management consultant Regina Phelps. Using an exercise co-designed with Sage experts, Phelps directed teams of attendees through a simulated incident response scenario involving a ransomware attack.
Why have we not seen a CISO rise to the ranks of CEO? To illustrate the importance of ongoing communication between security pros and business leaders on cybersecurity matters, Summer Craze Fowler played off that question, raised earlier by McAfee’s Samani. A technical director in Carnegie Mellon’s CERT program, Fowler presented her theory: “Information security professionals are really bad at translating tech speak into business speak.”
She named a couple of the many reasons it’s critical that they discuss cybersecurity issues in business language. “You want to drive behavior based on the information you’ve gathered and inform decision-making.” In addition, mastering the language will pay off as more boards realize the cyber-threat risk and ask CISOs to give presentations that convey their cyber-security posture and risk level.
This is the first in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!