BreachExchange mailing list archives

The Year Ahead In Cyber Security: What You Need To Know


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Dec 2013 00:18:17 -0700

http://www.forbes.com/sites/karstenstrauss/2013/12/22/the-year-ahead-in-cyber-security-what-you-need-to-know/

2013 was a watershed year for cybersecurity and digital secret-keeping.
Revelations about the way our data is treated once it leaves our browsers
and mobile devices, the actions of hacker collectives, the dismantling of
the ostensibly bullet-proof Silk Road online marketplace, White Card scams,
Megaupload’s reincarnation as Mega…

But what does the average business need to know about keeping others locked
out of private affairs or business dealings?

Eric Friedberg – former computer and telecommunications coordinator for the
U.S. attorney’s office of New York and co-founder of the security consultancy
Stroz-Friedberg – says the need for security is not in question; what is
worth thinking about is how to build your digital barriers in the most
efficient manner possible. “For small to medium companies the challenge is
normally budget.”

Companies on a budget need to focus on the most sensitive areas and place
priority on protecting them. To that end it’s best not to skimp. “We’ve
seen many a midsize company come close to extinction because a major attack
happens,” says Friedberg. “After the fact they put lots of security in and
you can be sure that in retrospect they wished they’d committed the budget
that they didn’t think that they had before the attack.”

Small and midsize firms may wonder why hackers and cyberthieves would be
interested in breaking into their systems but, according to Friedberg, one
company’s money is just as green as the next’s, regardless of size. “If you
have a small credit card processing firm, for example, the fact that it
only has a million credit cards as opposed to 100 million—hackers are happy
with a million credit card numbers.”

So what can you do to protect yourself? The first step, apparently, has
nothing to do with security software at all. “We find that before you get
to the technological vulnerabilities, the thing that makes companies weak
is the lack of a good governance structure,” says Friedberg. “Governance
structure meaning owning the cyber security problem at the very top of the
organization; making budget and architecture and cultural decisions as a
leadership group and then also having the proper balances and controls such
as having a CISO (chief information security officer) as an independent
voice to assess risks separate from the CTO function.”

Taking those kinds of steps saves a company CTO from feeling pressure to
cut costs by downgrading the security system. “They don’t want to air
problems that they have for fear of that reflecting badly on them,” said
Friedberg. “They don’t commission really vigorous third party ethical
hacking and penetration testing. I can’t tell you how many companies we go
to where they just go get a cookie-cutter penetration test just to say that
they did it and it sheds no light on their real vulnerabilities.”

The philosophy to adopt is one that assumes your company’s digital walls
will be compromised at some point. To that end, a firm’s security system
should include intruder detection and network segmentation that protects
the most valuable data in a more fortified part of the network.

Hacking generally comes in four forms: state-sponsored espionage, organized
crime for financial gain, the insider threat and politically motivated
hacktivists. In 2014, Friedberg does not see state-sponsored actions
abating at all. Russian and Eastern European organized crime groups will
continue to compromise banking and business security through Trojan Horse
penetration programs. “It’s a cat and mouse game and these attackers are
very smart, savvy and creative.”

Hacktivism may see a drop due to advances in the effectiveness of law
enforcement, but the Middle East could see an uptick due to political
turbulence in the region. “We’ve seen increased activity every time one of
those things flares up,” says Friedberg. Insider threats are harder to
gauge. “If anything it probably increases when the economy constricts
because there are more layoffs and more disgruntlement and more destructive
activity by insiders.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/