BreachExchange mailing list archives

In cybersecurity, sharp eyes and speed are the new padlocks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Feb 2015 19:16:59 -0700

http://www.cbsnews.com/news/in-cybersecurity-sharp-eyes-and-speed-are-the-new-padlocks/

It's distressing to learn State Department computer experts - despite three
months of trying - can't get hackers out of the agency's email system, even
with the government's admirable commitment of money and tech prowess to
cybersecurity. Pair this news with revelations of NSA malware burrowed
within computer hard drives worldwide, and we can conclude one thing: a lot
of old, clichéd security metaphors are obsolete.

Cybersecurity has been sold since the dawn of the PC era with images of
brick walls, iron gates, and steel padlocks. But infiltration cases like
these make those metaphors sound like empty promises. Like Hogan's Heroes
within Stalag 13, both good guys and bad guys have long planted flags
inside their opponents' secure zones, and the security industry knows it.
Time for a new playbook.

The cyberintelligence spyware first reported by the Russian security firm
Kaspersky - with subsequent media stories tying in the NSA - hides deep
inside target hardware, missed by antivirus programs and unperturbed by
eradication efforts. The 30-odd unwitting hosts include Iran, Russia,
Pakistan, Sudan - a grand tour of the world's hotspots - plus computers in
the U.S. and United Kingdom belonging to Islamic activists and scholars.

The secret program may have yielded - well, filched - troves of
information, amid constant honing, for nearly two decades. One banner
headline in Computerworld screamed: "There's no way of knowing if the NSA's
spyware is on your hard drive."

But numerous innocent entities learn they've unknowingly hosted bad-guy
malware, too. The Wall Street Journal says the State Department case bears
Russian hallmarks. (Moscow is thought to have hidden cyberattack malware
within computers of now-and-then adversaries such as the Ukrainian
government - ready for remote activation, just in case.) The culprits
behind last year's Sony hack worked undiscovered for weeks inside the
corporate cordon, exfiltrating terabytes of data. Traces of the infection
probably still reside on Sony servers - a familiar story. The next
headline-grabbing breach is undoubtedly already underway.

Nobody's claiming today's defenses are no use. They are actually pretty
effective, repelling numberless incursions daily. But it's the high-profile
lapses that make the news. Toss them all onto the bonfire of big hacks that
torches public confidence in Internet security. The regularity of black hat
wins, including this month's disastrous Anthem health care hack, which may
have compromised another 80 million customer profiles, makes the best case
for change.

It's time to acknowledge the futility of setting out to defend pristine,
impregnable data fortresses. Heresy? Only to those overinvested in past
practice. It's time for a new, practical security strategy emphasizing high
environmental awareness, lightning response, and constant learning.

President Obama told Re/code cybersecurity has become "more like basketball
than football... there's no clear line between offense and defense. Things
go back and forth all the time." This is a new kind of warfare. So it is
disquieting that the new White House cyberinitiative, a $35 million "Cyber
Threat Intelligence Integration Center," is viewed as "an attempt to learn
lessons from the past," as a Washington Post editorial put it - the way
Pentagon generals study old wars.

Pearl Harbor and 9/11 were old-school defense breaches. The attackers
stormed us in broad daylight, unambiguously, like football fullbacks.
Anthem, Sony, eBay, Home Depot, Target: these cases are more like
basketball. The adversaries are more about deception, infiltration, and
finesse.

So we must shake off the compulsion to study old war stories. They offer
scant lessons for confronting today's threats. Already working the problem
24/7, governments and businesses must take decisive new steps together for
an era with few rules and fewer precedents.

We will not resign the standard perimeter defense and leave our virtual
front doors open. But with belt-and-suspenders redundancy, we must add new
moves to the old football-style defensive strategy.

Four specifics:

- First, we need network security solutions that give complete visibility -
so managers know every minute who's on the system, where they're located,
and what they're accessing. Such software already exists and works well,
but requires additional investment. There is little choice in a "bring your
own device" world where work traffic is no longer confined to uniform,
corporate-issued laptops.
- Second, security systems have to do more than alert you to breaches.
We're developing the built-in capability to pivot toward threats, isolate
them, and "remediate" - that is, kill them and fix things fast. (The
velocity of your intelligence-driven "kill chain" is the next big success
metric in cybersecurity.) Next-phase security software will operate in
constant learning mode, adapting to adversaries' strategies in real time.
- Third, the good guys don't talk enough. Security systems collaborate more
today, and we are smashing silo-style constraints that limit knowledge of
bad actors. But we pay a high collective price because public and private
actors alike share too little information. To play our best game we need
statutory support from Washington for rapid information sharing between
businesses and governments. We need legal, managed, mutually beneficial
data-trading that inspires public confidence, not taxes it. Credit bureaus
that help competing stores flag deadbeats are an apt analogy. President
Obama's executive order promoting data exchange among security companies is
a step in the right direction. But the Washington Post is right to warn,
"[E]xecutive orders and new bureaucratic units are not enough. The
country's cyber enemies... require a far more robust response than has been
mounted so far."
- Fourth, we need a widespread culture shift. All users must take a measure
of personal responsibility for data security. Our society has solved big
issues from vehicle safety to containment of infectious diseases this way,
and it's time for the security industry to promote a similar mindset in
cyberspace. (You can equip a car with air bags and safety gadgets galore,
but it's ultimately up to the driver to buckle up and drive safe.)

Real-time awareness, lightning remediation, collaboration, and responsible
habits: the pillars of new-school security.

A great deal is at stake, more than the millions spent on data breach
recovery, more than the hard-to-calculate brand damage victims suffer. Each
fresh case is a new test of users' faith in the Internet-connected world.
After 2014 it became old hat to warn all companies, with a dash of knowing
glee, "You've been hacked!" - whether or not they know it. But a world seen
as brimming with breaches and malware is no laughing matter. Unless we
justify public confidence in the now virtually indispensable Internet, we
face diminished trust, lost business opportunity, and a digital future that
is a shadow of the promise.

Never leave the front door ajar. But when trouble plummets down your
chimney, lurks in your hot water tank, and masquerades as the groceries you
carry inside, you need more than a brawnier padlock. Security calls for
intelligence, speed, and collaboration.