[BreachExchange] Don’t search for a magic bullet for cyber security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 26 20:29:32 EDT 2016


http://gulfnews.com/business/analysis/don-t-search-for-a-magic-bullet-for-cyber-security-1.1867169

Governmental agencies shouldn’t just rely on installing the latest software
and hardware – they should take clear steps in training, process and
practice to ensure they’re protected from cyber attacks. Although there is
no such thing as a one-size-fits-all solution when it comes to cyber defence,
there are certain steps that every government agency must employ to create
a solid foundation on which they can start building their cyber defences.

Government agencies remain in the cross hairs of cyber attackers as hostile
nation-states, terrorists, hackers for profit and campaigning organisations
(hacktivism) focus on breaching their systems. Government cyber security
professionals should always take a holistic approach to managing their
defences and response procedures, but there are some key steps which are
the building blocks of a strong defence.

Edward Snowden’s data leakage and the WikiLeaks scandal have highlighted
the danger of malicious disclosure, but more often than not the threat
comes not from deliberate employee sabotage, but rather from ignorance or
careless practice. Threats from hostile governments or sophisticated
criminal organisations – dubbed ‘Advanced Threats’ by the industry – often
use an initial employee mistake to embed themselves in a targeted
department, gaining persistent access to a system and becoming increasingly
difficult to detect.

So employee mistakes can have implications far beyond the immediate
incident. It is therefore vital that all employees, whatever their
seniority level, should be given continuous cyber-security awareness and
counter-intelligence training, to avoid poor practice and minimise the
possibility of a security breach. Employees are the most important part of
the information system of an agency, but also its weakest link when it
comes to cyber security and defence.

Likewise, public knowledge of software and hardware used in a department’s
network should be limited to a few trusted and vetted employees who have a
real “need to know”. If hostile actors understand a system’s make-up in
advance (as part of their pre-attack reconnaissance), then they can tailor
their attacks to known vulnerabilities, giving them a head start before they
begin probing the system’s defences directly.

This is why it’s also vital to carry out constant security vetting, and
re-vetting, of outside vendors with access to the system, even if their
role is relatively limited. Breaches of a vendor’s networks, or of its
software and hardware products, often lead to breaches of its customers’
networks and to data exfiltration, and frequently go undetected by the customer.

Just as knowledge should be compartmented and firewalled, so should
software. Patches, updates and fixes can often prove a ‘Trojan horse’
allowing malware to enter the system either causing direct damage, or
creating an opening for future exploitation. They should therefore always
be deployed in a ‘sandbox’, a virtual space, discrete from the main system
which allows new software to be run isolated without risk of contamination
of the main network.

Once vetted from the security, compatibility and functionality point of
view, the patches or updates should be deployed to the main network in a
staged upgrade push that would minimise the possibility of the entire
network being down. To avoid unwitting disclosure of information all
communications should be end-to-end encrypted – that means not just voice,
but texts and files as well, both in transit and at rest.

Crucially, encryption systems should also sit on hardened hardware; the
best algorithm in the world won’t preserve your privacy if it’s hosted on
an insecure computer, cloud or mobile handset.

Last, but certainly not least, government cyber security professionals
should constantly test the security of their systems through penetration
testing. Knowing your network from the outside will provide invaluable
information about the vulnerabilities (and sometimes even zero-day
exploits) of your systems. This is an ideal role for outside vendors, who
can bring in some of the best hacking expertise in the world at far less
expense than keeping it in-house.

External contractors also have the great advantage of being unbiased by the
system; they won’t overlook that crucial vulnerability because that’s how
the department has held its data for years, or because it’s due to be
resolved in next year’s round of IT upgrades. They bring an honest
perspective on how your system works from the outside.

Testing has to be a constant and iterative process: test, analyse,
remediate (both through processes and upgrades), then test again.

There’s never a magic bullet for defeating cyber threats; this is a constant
battle. But through a combination of training, processes and judicious use
of outside expertise, government security professionals can help ensure
their department doesn’t become the subject of the next cyber attack
newspaper headline.