One of the most chilling developments in IT security this past year was the wave of cyber attacks reported against energy utilities and manufacturing plants, which exploited critical infrastructure vulnerabilities introduced by the convergence of IT and Operational Technology (OT). Yet they barely registered with the broader public, certainly not as much as Hillary Clinton pulling rank on her IT staff to use a private email server.
Time for a reality check? For our InfoSec Luminary Lineup blog discussion series, we asked cybersecurity leaders and experts: “What is the most underestimated IT security threat, and why?”
In their responses, they don’t dabble in technicalities of the vulnerability-du-jour variety. Instead, all of our contributors paint the bigger picture.
It isn’t pretty. The most underestimated IT security threat is… “all of us,” as Frederick Scholl (Monarch Information Networks) writes. His fellow contributors seem to agree. It’s the “‘people aspect’ of cybersecurity,” Law & Forensic LLC’s Daniel Garrie points out, that deserves more of our attention.
While criminal and nation-state hackers may dominate the headlines, serious threats that originate from within the organization remain unaddressed, such as insider negligence or insider accidents.
“CISOs who limit their thinking to malicious insiders,” warns Information Security Forum’s Steve Durbin, “may be miscalculating the risk.” Prevendra's Christopher Burgess urges us to address the "carelessness factor." And Jake Olcott of BitSight Technologies reminds us that “many of the most damaging data breaches have originated on the networks of a key vendor, contractor, or supplier.” Tip: Check out our recent post 5 Vendor Risk Reports Every IT Leader Should Read on this blog.
Even the Internet of Things (IoT), Pete Kofod’s pick for “most underestimated IT threat,” fits the “It’s-all-of-us” theme. Like the other picks of our InfoSec Luminaries, IoT vulnerabilities would be less commonplace and less critical if it weren’t for cost and convenience considerations, complacency and users’ capitulation, or, as Frederick Scholl puts it, “learned helplessness.”
We would like to thank our InfoSec Luminary Lineup contributors, and you, our blog readers, with the best wishes for the holidays and a safe, secure and successful New Year!
“Insider negligence and accidents” (Steve Durbin)
As we enter 2017, the pace and scale of information security threats will continue to accelerate, endangering the integrity and reputation of trusted organizations.
Cyberspace is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments.
Perhaps one of the most underestimated threats, or certainly one of the most difficult to counter, is presented by the insider.
The insider threat has intensified as people have become increasingly mobile and hyper-connected. Almost every worker has multiple devices that can compromise information instantly and at scale: impact is no longer limited by the amount of paper someone can carry.
CISOs should take a broader view of insider risk
Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers. Most research on the insider threat focuses on malicious behavior; however, the threat is considerably broader.
Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. CISOs who limit their thinking to malicious insiders may be miscalculating the risk. Managing risk posed by the insider threat should extend across all three types of risky behavior: malicious, negligent and accidental.
In the coming year, organizations need to place a focus on shifting from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively.
People should be the organization’s strongest control
The risks are real because people remain a “wild card.” Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture.
While many organizations have compliance activities which fall under the general heading of “security awareness,” the real commercial driver should be risk, and how new behaviors can reduce that risk.
Leading organizations can combat the insider threat in three ways:
- Start by assessing insider risk. For immediate results, implement technical and management controls, and align roles, responsibilities and privileges throughout the employment life cycle.
- Recognize that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld.
- Embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organization worthy of trust in return.
The bottom line is that in 2017, leaders who ignore or encourage inappropriate insider behavior can expect to face significant financial, reputational or legal impact.
Steve Durbin (on Twitter: @SteveDurbin) is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner.
“Third party risk threatens IT security” (Jake Olcott)
The most underestimated IT security threat is the risk posed by third parties and business associates.
Over the last few years, many of the most damaging data breaches have originated on the networks of a key vendor, contractor, or supplier that a business works with.
These include the high-profile data breaches suffered by Target, T-Mobile, and the Office of Personnel Management (OPM).
Cyber attacks against third parties have become commonplace mainly for three reasons:
- First, organizations rely on more third parties for key business functions that used to be performed in-house. With payroll, HR, legal, sales, PR, and even product development functions being outsourced, more third parties have access to more sensitive business information, which presents a great challenge to protect data.
- Second, business environments have become more interconnected, which means that more third parties have been granted direct access to the corporate network to perform essential job functions. This privileged access is great to achieve business objectives, but it also poses significant risk.
- Third, as first party organizations improve their cyber defenses, attackers are increasingly searching for the weakest links. Smaller businesses often have fewer resources to protect their environments and represent easier attack vectors for cyber criminals.
Given their access to sensitive data or even the broader network itself, third parties represent great targets. More mature organizations are now using tools to continuously monitor the security risk of their third parties.
A recent BitSight and IDG survey of IT security professionals showed that 10 percent of organizations are now measuring third party cyber risk on an ongoing basis.
Although third party risk increasingly threatens IT security, most organizations do not have programs and tools in place to properly address the critical security risk posed by third parties.
Jacob Olcott is VP of Business Development at BitSight Technologies. He served as cybersecurity attorney to the Senate Commerce Committee and House Homeland Security Committee. He previously managed a cybersecurity consulting practice at Good Harbor Security Risk Management. Jake is an adjunct professor at Georgetown University. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.
“The ‘people aspect’ of cybersecurity” (Daniel Garrie)
Be they malicious inside employees or habitual clickers on spam links, the most underestimated IT security threat is people.
In the cyber security industry, the focus is often on the technical side of the attacks, without looking at the human side. This must change.
According to the IBM 2016 Cyber Security Intelligence Index, in 2014, 55% of cyber attacks on a company were perpetrated by insiders. In 2015, that percentage grew to 60%.
Malicious insiders have various motivations, including dissatisfaction with the employer/job, social activism/civil disobedience, and financial crime. In addition to purposeful attacks by insiders, there is human error.
Many employees still fall prey to an email from “TrackingUpdates@fedex.ru” or “firstname.lastname@example.org” or other malicious addresses. Notably, these errors may not be covered by a company’s cyber insurance policy.
To address the “people aspect” of cybersecurity, the culture of a company needs to address security at four different spheres: the board and senior management, within the security organization, within the broader IT organization, and across all staff.
As a Neutral with alternative dispute resolution provider JAMS, Daniel Garrie serves as an E-Discovery Special Master, Forensic Neutral, and Mediator/Arbitrator with a focus on complex software and business litigation, e-discovery disputes, privacy and data breach matters, trade secret theft, and intellectual property litigation. Garrie is the Senior Partner & Co-Founder of Law & Forensics LLC, a technology consulting firm that specializes in e-discovery, software, computer forensics, and cybersecurity. Garrie also is a Cybersecurity Partner at the law firm Zeichner Ellman & Krause LLP.
“A state of learned helplessness” (Dr. Frederick Scholl)
The most underestimated threat is… us. All of us. Whether security expert or not.
Consider this remark from General Michael Hayden: “You’re going to have to be responsible for your safety [in the cyber domain] in a way in which you have not been required to be responsible for your safety [in the physical domain] since the closing of the American frontier in 1890.” (Source: Wall Street Journal)
I believe that the “you” in this statement is really everyone.
Security professionals have been too reliant on compliance, behaving as though audit standards will guarantee that their organizations would be safe. Those same professionals have focused on new security technology to mitigate risks, even after many gurus have pointed out that this approach does not work.
Finally, business is thinking (hoping?) that government will solve the security problem, so they don’t have to invest. It’s pretty obvious from the headcount of FBI and Secret Service agents that the government does not have enough resources to stop cybercrime.
Many home users are in a state of learned helplessness regarding information security. They read about security breaches and think they cannot do anything.
They don’t realize that good security is simply discipline and sustained, continuous improvement over time. They also haven’t realized the scope of the threat (worldwide) and the fairly simple and effective mitigations for the typical user.
“Invest in Employees’ Well-Being” (Christopher Burgess)
The number one and most difficult threat to mitigate is the insider threat. Insiders have privileged access, which translates into access to the information necessary to execute against their role.
Clearly, some positions are more sensitive than others, and thus the information, if compromised, would be more damaging. If the insider does not exceed their privileged access, then it is near impossible to detect that they have broken trust with their employer.
It is only when the employee exceeds their brief or the entity to which they shared their information reveals the information (accidentally or on purpose) that they are more likely to be detected.
It is for this reason that the three prime vectors of attack against any company's intellectual property or other data stores are:
- the insider,
- the unscrupulous competitor, or
- the nation state.
Employee security awareness training helps with reducing the carelessness factor in rendering information insecure.
Investing in employees' well-being, with health and wellness, financial counseling, and legal assistance programs as part of the overall employee engagement, reduces the likelihood of an individual breaking trust due to personal circumstances. This allows the security teams to focus on those breaking trust for the more nefarious purposes.
Christopher Burgess (Twitter: @BurgessCT) is CEO of Prevendra, Inc. He is also an author, speaker, advisor, consultant and advocate for effective security strategies, be they at the office or home for you and your family.
“IoT will become another ‘shadow IT’ headache” (Pete Kofod)
IoT and firmware exploits will prove to be highly effective against both consumers and organizations.
DDoS attacks such as the Mirai-powered attacks on Dyn and Krebs will continue to plague organizations, but the attacks will become more intelligent and focused, successfully executing data theft and escalation of privilege on enterprise systems.
IoT systems lack many of the protections that are commonly found in data center and Commercial Off-the-Shelf (COTS) systems. The systems are often low powered, meaning that advanced encryption and data integrity functions are not available.
IoT systems are often designed by small teams that understand the physical problems being solved (cameras, thermostats, solar panels). They, however, often lack the expertise and resources to conduct the requisite security hardening of these systems.
The systems are headless and remotely managed which often requires a "back door" account for system recovery. Software upgrades are subject to malicious code injection, as the IoT systems often lack the capability to cryptographically validate an update.
IoT will become another ‘shadow IT’ headache, as IoT-based devices increasingly pop up across enterprise departments. Facilities departments in particular will need to become more integrated with enterprise security as they deploy countless sensors and controllers.
This relationship will be especially important in organizations that maintain critical infrastructure (energy, utilities and transportation) as IoT and SCADA merge.
Peter Kofod, Co-founder of The Sixth Flag, (Twitter: @TheSixthFlag) has over twenty years of technical and leadership experience in Information Technology, including the development of secure hosted services for the transportation industry as well as designing and managing networks in the utility and defense sectors. Peter is also the Founder and Principal of Raleigh-based Datasages Consulting Group LLC, a firm dedicated to providing enterprise management services to industrial and transportation customers. In this role, Pete is often called upon to lend expertise to large-scale transportation projects. He has been a material contributor to the implementation of Positive Train Control in the United States, particularly as it applies to security and availability in a hosted environment and has patents under way related to this work.
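As an added example (not Pete Kofod's or Authentic8's code), the following Go program shows the control that the IoT section above says is so often missing: a device that accepts a firmware update only after verifying a vendor Ed25519 signature over a small manifest, refusing rollback to a version no newer than the one installed, and checking the image hash against the signed manifest before anything from the image is used. The manifest layout, the way keys are held, and the sample "firmware" images are assumptions made for illustration; only Go's standard library is used, so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the only thing the vendor signs: the firmware version and the
// SHA-256 of the image. Signing the manifest rather than the raw image keeps the
// signed blob tiny and lets a constrained device hash the image as it streams in.
// (Layout is an assumption for this example.)
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Update is what the device receives over the wire.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// bytes serializes the manifest deterministically so signer and verifier agree.
func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignUpdate runs on the vendor's build server, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Image: image}
}

// Device holds only the vendor's public key (provisioned at manufacture) and the
// installed version, which doubles as the anti-rollback floor. No secret is stored.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrDigest       = errors.New("image digest does not match signed manifest")
)

// ApplyUpdate checks signature, then version, then image integrity, and only then
// "installs". Nothing from the image is parsed before all three checks pass.
func (d *Device) ApplyUpdate(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.bytes(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: pub, InstalledVersion: 3}

	// Constructed sample images; a real one would be the flash payload.
	good := SignUpdate(priv, 4, []byte("firmware v4: constructed sample image"))

	// Genuine manifest, but the image was swapped in transit.
	tampered := good
	tampered.Image = []byte("firmware v4 with injected code")
	fmt.Println("tampered image:", dev.ApplyUpdate(tampered)) // digest mismatch

	fmt.Println("genuine v4:", dev.ApplyUpdate(good)) // <nil>, device now at v4

	// A genuinely signed but older (buggy) release replayed at the device.
	old := SignUpdate(priv, 2, []byte("firmware v2 with known bug"))
	fmt.Println("replayed v2:", dev.ApplyUpdate(old)) // rollback refused

	// An attacker with their own key cannot produce an acceptable manifest.
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attacker, 5, []byte("firmware v5 from attacker"))
	fmt.Println("forged v5:", dev.ApplyUpdate(forged)) // bad signature
}
```

The ordering of the checks matters: the signature is verified before the version is compared so that an attacker cannot probe the installed version with unsigned manifests, and the image digest is compared last so that a large image is never trusted on the strength of a manifest whose signature has not yet been checked.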
PS: Would you like to be included in future InfoSec Luminary Lineup discussions on the Authentic8 blog? Connect with us through one of the links at the top of this page or use the comment form below.