25 August 2016

Your Security Team is Outgunned: Where's the Help?

BY DANIEL LOHRMANN
AUGUST 20, 2016

Most experts believe the good guys continue to fall further behind in our global hacker wars. So how did we get to this point in cyberspace? Most important, where can you go for help in this new Wild West online?

Back in March 2012, Shawn Henry, the FBI’s top cyber cop (at that time), offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks. "We're not winning," he said. “Computer criminals are simply too talented and defensive measures too weak to stop them.”

Going back even further, Politico offered this headline in late 2010 asking, “Is America Outgunned in Cyberspace?”

The implication was certainly yes — following the early WikiLeaks actions of Julian Assange. Still sound familiar today?

And even further back, many global technology leaders knew we were entering a new era in cyberspace well before WikiLeaks became famous. As I was doing initial research regarding hackers and insider threats for my book Virtual Integrity in the 2006-2007 timeframe, I interviewed several “white hat” hackers who opened my eyes to a new set of online norms. I later published a version of that interview (heavily edited) in this CSO Magazine blog:

“The front lines of Net — that’s where most of us spend our time. Life gets crazy out there, a virtual Wild, Wild, West. Almost anything goes in cyberspace.

I liken our online world to another American gold rush - the new frontier. It’s true that history seems to repeat itself. We boldly go where others are afraid or ill-equipped to go. We’re the white knights. The few, the proud, the ones willing to stick our necks out and get our virtual hands dirty.

Or, if you prefer, we’re living in 1930s Chicago all over again — with mob rule. There’s minimal policing going on, and people often take matters into their own hands. It seems like an impossible task, but when the going gets tough — you’ll find out what you’re made of. We do what we do to survive in this dog eat dog digital world. We didn’t create this situation. I’m not happy that I was dealt this hand, but I’m making the most of it. It is what it is. Somebody needs to protect the homestead, right? Truth be told, things are getting worse. ...

Look, this is the big leagues. Not some single-A farm team out in the bushes. We’re not in some global game of Halo. We’ve got real work to do. The bad guys are getting dangerous — real dangerous. They don’t understand our civil, respectful way of life. They just keep hitting us hard.

Sure, it’s tough. I’m tired. There are no time outs. We get a little sleep, when we can, but then we’re right back on it. We have to be right every time. Cyberspace never sleeps. This is war baby. Cyber war — All is fair in love and war.” 

For some interesting history, check out this YouTube video on the Wild West:

As the online problems are mounting, even President Obama acknowledges the international difficulties in cyberspace – and especially in enforcing laws. According to the New York Times: “Mr. Obama often says the world of cyberconflict is still ‘the Wild West.’ There are no treaties, no international laws, just a patchwork set of emerging ‘norms’ of what constitutes acceptable behavior.”

Meanwhile, on the other end of the spectrum, businesses are also overwhelmed by hacker false alarms:

It’s not that businesses are not able to detect attacks like malware. It’s that they’re detecting far too many and just can’t keep up. It’s just not humanly or technically possible to investigate every alarm that goes off. …

According to (a 2015 Ponemon Institute) report: 
Businesses on average receive more than 17,000 alerts that malware has been detected on their networks, or trying to break in. 
More than 4 out of 5 of those alerts turn out to be false alarms. 
Which might explain why businesses, on average, only respond to less than 4% of all those alarms. What’s happening to the other 96% of alarms? Real or false? 
And the cost of responding to the false alarms is a staggering $1.27 million per organization, said the report. 

Solutions Please: Where’s the Help for Enterprise Security Teams?

So what can be done? Here are three enterprise recommendations from trusted sources to help improve your chances in cyber conflicts.

1) Simplify Networks — This strategy requires a good understanding of your current network architecture, where your current data is, what data is important, and how the data is being protected.

The Department of Defense (DoD) just came out with their updated road map to modify their IT and cybersecurity approaches. At the top of the list is network simplification. “Though networks are more secure, they still are laced with sub-optimal conditions.

“One of the problems today is our whole network structure is more complex than it needs to be,” (Terry) Halvorsen said, making the case for the department’s implementation of Windows 10. His office is revamping the certification and accreditation process and preparing to migrate all the major networks to Windows 10 by the second quarter of fiscal year 2017. “We've got almost every type of hardware on [the networks]. That's a complexity in and of itself. We have almost every version of software. That's the complexity we don't need, and frankly creates weaknesses in our system.”

The overall cybersecurity objectives listed for the new DoD plan include: 
Objective 1: Establish a Resilient Cyber Defense Posture 
Objective 2: Enhance Cyber Situational Awareness 
Objective 3: Assure Survivability Against Highly Sophisticated Cyber Attacks 
Objective 4: Evolve the Cybersecurity Workforce 
Objective 5: Ensure that Warfighting, Government Operations, and Intelligence Missions are Conducted in a Secure Communications Environment 

2) Build Your Cyber Support Community: Improve Partnerships With Mission Partners and Industry — No organization can succeed in an island mentality, and success in cyberspace requires a tight-knit community — just as in the Wild West. This means great cross-boundary partnerships with law enforcement, private-sector companies, internal and external teams and security and technology industry organizations. Organizations must work with others to succeed.

There are many great cybersecurity organizations to help, such as the National Association of State CIOs (NASCIO), InfraGard (a public-private partnership with the FBI) and your industry’s Information Sharing & Analysis Center (ISAC).

Even the DoD recognizes their need to partner better to improve. (Note: The second goal listed above is improved partnerships.) Here are some helpful resources to help partnerships in critical infrastructure sectors: 

3) Be Ready For Cyber Incidents and Practice, Practice, Practice. You must have a (written and tested) plan to deal with cyber emergencies.

No doubt, there will always be new cybersecurity incidents and disruptions. Organizations must have tested plans that ensure continuity of operations and resilience in such situations.

Michigan State Government recently updated their Cyber Disruption Response Strategy in late 2015, after publishing this earlier version in mid-2013. NASCIO recognized that these plans are an excellent national model for governments to use, but there is another lesson here. These plans must be kept up to date and relevant, with ongoing testing by all parties using tabletop and full-scale exercises.

Like your local fire department, you must be ready for bad things to happen. Keep preparing through hands-on training for the future with an ongoing checklist of cyber incident actions that remains current and understood by everyone – starting with executive management.

We Can Learn From History

Just like pioneers in the old West, we are facing huge new challenges - only this time the trouble (and our opportunities) are in the virtual world. Nevertheless, the reality is that the virtual world is coming together to merge with the “real world” as never before.

Many wise people have said that if we cannot learn from history, we are bound to repeat it (with new twists). I see this repeat of history happening every year in our technology world. The question remains: Will we learn from the past as we move into the future?

Finally, I leave you with this quote from Will Rogers: “If you find yourself in a hole, the first thing to do is stop digging.”

