Meeting the cybersecurity needs of small business
Articles & Links
InfoSec is dead. Long live Cybersecurity.
I want to preface this post by stating that it isn't about words or terminology - it's about the mindset of Cybersecurity. I'm going to spin a bit of a yarn, but bear with me, there's an important point to be made at the end.
I've been working in computer security almost since I left school. My first real job as an IT professional, almost by accident really, was primarily managing a couple of Checkpoint firewalls. I was 20, and pretty excited to get a job working as a "hacker". In retrospect that sounds like an incredibly naive interpretation of what my job really entailed, but the truth is that back then, computer security was a dark art as far as most people were concerned, which meant that to most people, anyone who knew anything about it was a Hacker.
Technology has evolved rapidly and in amazing ways since then, and so too has the IT industry as a whole. There are thousands of jobs which didn't even exist back when I was starting out, and the ones that did have sprouted into a myriad of different specialisations. Computer security is no different: it's not enough to be an "IT security specialist" now (if such a thing is even possible), because there are so many sub-fields within security that most of us have to pick one or two to specialise in and leave the rest to others. Security architects, penetration testers, risk managers, policy & compliance specialists, incident managers, engineers and administrators for a thousand different kinds of security related products... the list goes on.
As the jobs have evolved, so has our perception as computer security professionals about who we are and what we do. Back in the early days of the dotcom boom, pretty much everyone who worked in a computer related security job was an "IT security" professional of some kind. This was representative of the fact that most people working in the field were technology professionals first, and security just happened to be the area they specialised in.
After the dotcom crash, there was a fundamental shift in the way computer security professionals started to position themselves. With a lot of big name tech companies going bankrupt, being swallowed by competitors or merging to stay alive, organisational budgets for IT security were one of the first things to be slashed, and IT security jobs dried up. At the point when I entered the industry, most people who worked in "IT security" worked for the government in some capacity. No one else cared enough about what was still, to most people, an esoteric problem to spend money on it.
Slowly, the industry clawed its way back to life, but this time under a different name. In an attempt to unshackle ourselves from IT and their budgetary restrictions, we became "information security professionals" - the implication being that we had evolved beyond the boundaries of IT systems, and needed an appropriately broader mandate and scope of influence; that we were concerned with the security of information in general within an organisation and not just with IT.
Except really, we weren't. Fundamentally, most information security professionals dealt almost exclusively with IT systems, or at the very least in tightly coupled business functions such as policy & compliance. It was a clever ploy really, because mostly, it worked. Honestly, I think we're all the better for it. It woke businesses up to the fact that their information is an asset which has value and should be protected. In many cases, it is more valuable to the business than the physical computers and associated infrastructure used to process and store it.
Unfortunately, the decoupling of information security from IT probably shifted the scales too far in the other direction. In seeking to establish a broader influence within business, information security professionals isolated themselves from IT. Suddenly people who used to be colleagues became adversaries. Information security got a bad reputation for getting in the way of business, as blockers of innovation, as the "last hurdle" which would frequently be blamed for a project being delivered late and over budget.
I'll be the first to admit, it was a reputation well deserved. We misrepresented our mandate to protect information as an Imperial decree from management. We convinced ourselves and everyone who would listen that information security was paramount above all else, that if we were ignored, the sky would fall. As a result, "Infosec" became the team no one wanted to deal with. We actively cultivated an environment which motivated others to try and circumvent us, and only made our own jobs harder in the process.
The fundamental error in all of this was in failing to recognise that information security and IT security are inextricably intertwined, that they each depend on the other and cannot be effectively decoupled from each other. People may say they know this, that it's self evident, but the trajectory of our industry proves otherwise - it's how we got to be in the mess we're in now.
It is this realisation which I believe forms the basis for modern cybersecurity. To most people in information security, cybersecurity is just a buzz word the media likes to use, but I think it represents something more significant. Cybersecurity is the name which brings information security and IT back into a cohesive, symbiotic relationship. It's an acknowledgement that information security and IT are two halves of the same problem, that you cannot tackle one side of the problem effectively without addressing the other. It is the mindset we must embrace if we are to make security relevant again, in an era where convenience and ease of use are king.
This is the challenge that we now face, as cybersecurity professionals - to bring our fractured industry back together, and realise that neither IT nor information security can be effective in business unless we work together and not against each other.
Email needs to die.
Email has come a long way since its humble beginnings in the early 1970s as a way for academics to send each other simple text-based messages. Since the Internet took off as a platform for commerce and connecting people anywhere in the world, email has become an indispensable tool for business. We use it to communicate with our colleagues, customers and business partners every day. It would not be a stretch to say that email is the very foundation of online commerce.
But email needs to die.
A problem I'm faced with often is how to communicate securely over the Internet with clients. Most of them wouldn't think twice about sending me sensitive information via an email, whether it be in the message text or as an attachment. They also just expect that if I have to send them a document, I will email it to them. Email is just how people in business communicate, but I wince every time I get an email like that, because I understand that the limitations of email make it entirely unsuitable as a means of communication for business.
The beauty of email is that the technology underpinning it is so simple, which was fine in 1982 when the Internet was in its infancy, but email's inherent limitations have made it easy to exploit. Spammers can send millions of unsolicited emails without consequence; fraudsters can impersonate trusted contacts without detection; governments, ISPs and telcos can intercept and read our communications without our consent or knowledge.
The tech community has come up with a raft of solutions to help overcome these limitations: spam filters; real-time blacklists & sender reputation databases; SSL & TLS; PGP encryption for message security; SPF, DKIM and DMARC for sender authentication; but all of these solutions amount to little more than bolt-on hacks. Their effectiveness is constrained by the fact that they cannot be rigidly enforced across the entire email ecosystem - because email without any of these controls still needs to be delivered.
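To make the "cannot be rigidly enforced" point concrete, here is an added example (not from the original post) of how a receiving mail server decides what to do with a message under DMARC: if the sending domain publishes no policy, or a policy of p=none, a message that fails both SPF and DKIM is still delivered. The DMARC record text, domains and authentication results below are constructed, and the relaxed-alignment check is a simplified stand-in for the organisational-domain lookup a real receiver performs.

```python
"""Simplified DMARC disposition logic (added example, not the post's own code).

Constructed inputs: the DMARC TXT record strings and the SPF/DKIM results are
made up. A real receiver fetches the record from DNS at _dmarc.<header-from domain>.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    header_from: str   # domain in the visible From: header (what the user sees)
    spf_pass: bool
    spf_domain: str    # domain SPF actually authenticated (envelope sender)
    dkim_pass: bool
    dkim_domain: str   # d= tag of a passing DKIM signature, "" if none


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, applying RFC 7489 defaults.

    An empty string (no record published) yields p=none: nothing is enforced.
    """
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') also accepts a subdomain.

    Simplification: a real receiver compares organisational domains via the
    public suffix list; the suffix test here is good enough for the demo.
    """
    a, h = auth_domain.lower(), header_from.lower()
    if not a:
        return False
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass' if an aligned SPF or DKIM check passed, else the policy action.

    The returned policy is what the receiver applies to an unauthenticated
    message: 'none' means deliver anyway, 'quarantine' or 'reject' enforce.
    """
    tags = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.spf_domain, result.header_from, tags["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, result.header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed case: a spoofed From: header, no SPF or DKIM pass at all.
SPOOFED = AuthResult("example.com", False, "attacker.test", False, "")

if __name__ == "__main__":
    # The weakness the post describes: without an enforcing policy, the spoof is delivered.
    print(dmarc_disposition("", SPOOFED))                         # none
    print(dmarc_disposition("v=DMARC1; p=none", SPOOFED))         # none
    print(dmarc_disposition("v=DMARC1; p=reject", SPOOFED))       # reject
```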
There is, of course, an elephant in the room that no one is talking about. While IT professionals and vendors alike battle on trying to sustain email as a viable means of business communication (most of them trying to sell some fancy new product which will supposedly protect them from yet another class of email based threat) no one is asking the question which should really be the starting point for any discussion about email security - why are we still using email at all?
It's not like we don't have better tools available. When it comes to personal communication, most people have moved on from email. Instant Messaging apps like Signal, WhatsApp, and Wickr have become ubiquitous, and now offer essentially the same functionality as email without many of the inherent limitations and weaknesses that go with it.
The use cases for IM and email are not exactly the same - for one, businesses like to have all their email centrally accessible and easily readable in case an employee is sick, or leaves the company, but those are not insurmountable problems. The point is that clearly, we as an industry are capable of coming up with a solution that is more fit for purpose than what we have in email. So why haven't we?
Imagine if email were redesigned from the ground up today. A new protocol suite, based on open standards, that uses the same distributed server model but with mechanisms to overcome the limitations and weaknesses of email, like the identity and key management of Signal, built into it. Imagine a medium which by its very nature guaranteed confidentiality, integrity, authenticity and non-repudiation. Many of the problems we have with email would just disappear.
Obviously, there are those who have a vested interest in preserving the status quo - vendors who are currently making a killing selling all kinds of email security solutions, but I'd say there are many more people who'd stand to benefit from moving on - not the least of which would be the customers of those vendors.
I'm not under any illusions that business is ready to move on from email, but as a cybersecurity professional, I feel like it's my job to encourage people to find other mediums when it comes to secure communication. It doesn't take much to convince people they could save a lot of money if they didn't have to worry about email security. The biggest impediment to these conversations at the moment is a lack of plausible alternatives, which when it comes down to it, is mostly due to a simple lack of demand.
Our technological forefathers didn't do us any favours when they chose the name email. By likening it to the old postal service, they passed on the same assumptions people had regarding privacy and reliable delivery. Until the majority of email users around the world understand that these assumptions are wrong, and that they need a better solution, we're going to be stuck with what we've got. If we start a conversation with our clients now about how things could be so much better, then maybe we can put some pressure on vendors and standards organisations to take email off life support and give us something better.
Cybersafety vs Cybersecurity
At Shogun Cybersecurity, we focus on helping you protect your business and your digital assets from online threats, but there is another side to the Cybersecurity problem which is often overlooked - Cybersafety.
What's the difference? Put simply, cybersafety is about protecting people, and helping them deal with the consequences of a data breach or cyber-incident. In the world of cybersecurity, we talk a lot about impacts, and specifically about business impacts. Cybersafety focuses on the human element - teaching people how to protect their data and online identities, and helping them deal with the fallout when things go wrong.
At Shogun, we're pleased to have partnered with CyberActive Services to help our clients deal with this important aspect of Cybersecurity. Check out their site at the link below:
The limitations of passive cyberdefense
Cybersecurity is mostly a one-sided battle. The bad guys always have the upper hand for one very simple reason - when you're on the receiving end of a cyber attack, you can't retaliate to defend yourself. Not only is it often impossible to accurately attribute the source of an attack, but from a legal standpoint anyone who launched a counter-attack would be breaking the same laws that their attackers were breaking - there are no exceptions for self defence when it comes to the digital world.
A consequence of the passive nature of cyber-defence is that often attacks cannot be stopped, they can only be endured. Sometimes it's possible to reduce the impact of an attack by using technological countermeasures such as firewalls, but the distributed nature of the attacks makes this difficult. To make matters even more difficult, the people and processes involved in responding to cyber-attacks are incapable of keeping up with the speed with which automated attacks can appear and adapt.
Clearly, if we're going to stand any chance against hordes of zombie PCs in malicious botnets, we at least need to be able to respond with the same speed as the cyber attackers, which means automated tools. Unfortunately, cybersecurity products don't have a great track record when it comes to automated intrusion prevention - to date they are more likely to break legitimate services than block real attacks. I've never encountered an IPS that hadn't been switched to detect-only mode after causing an outage.
The crux of the problem is that despite what cybersecurity vendors would like you to believe, computers suck at differentiating between legitimate traffic and a cyber attack. There are two reasons for this:
1) Computers lack context. We've got more "threat intelligence" at our disposal than ever, but machines have trouble interpreting it because they either lack or don't use much of the contextual information that a human would subconsciously draw on when analysing the same situation. For example, a phishing email supposedly sent from a colleague at 3am would likely pass most spam filters (assuming it was well written at least), but the human who receives it and notices the time will be suspicious.
2) Computers still can't match humans for cognitive analysis. Put simply, humans are much much better at inferring facts from incomplete or ambiguous data. Sometimes the only thing you've got to differentiate a legitimate user from an automated attack is the usage pattern of the site or application. A human can generally spot this easier than any computer algorithm.
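As an added illustration of point 1 (this is example code, not from the original post), the "colleague emailing at 3am" context can be given to a machine if the filter is fed a baseline of when each known sender normally writes. The mail history and the two incoming messages below are constructed; the hour tolerance and the choice to ignore unknown senders are assumptions of the example.

```python
"""Sender time-of-day baseline as a contextual phishing signal (added example).

Constructed data: HISTORY is a made-up log of (sender, ISO timestamp) for mail
previously received from colleagues. A real deployment would build this from
the mail server's logs and combine the signal with its other checks.
"""
from collections import defaultdict
from datetime import datetime

HISTORY = [
    ("alice@example.com", "2015-09-01T09:12:00"),
    ("alice@example.com", "2015-09-02T10:40:00"),
    ("alice@example.com", "2015-09-03T14:05:00"),
    ("alice@example.com", "2015-09-04T16:30:00"),
    ("bob@example.com", "2015-09-01T22:15:00"),
    ("bob@example.com", "2015-09-02T23:50:00"),
]


def build_profile(history):
    """Map each sender (lower-cased) to the set of hours (0-23) they have sent in."""
    hours = defaultdict(set)
    for sender, ts in history:
        hours[sender.lower()].add(datetime.fromisoformat(ts).hour)
    return dict(hours)


def circular_hour_gap(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def unusual_hour(profile, sender: str, ts: str, tolerance: int = 1):
    """Return True if the message hour is outside every observed hour for the sender.

    Returns None when there is no baseline for the sender: absence of history is
    a different signal (unknown contact), not a time-of-day anomaly.
    """
    seen = profile.get(sender.lower())
    if not seen:
        return None
    hour = datetime.fromisoformat(ts).hour
    return all(circular_hour_gap(hour, s) > tolerance for s in seen)


def contextual_verdict(profile, sender: str, ts: str, content_filter_passed: bool) -> str:
    """Combine a content filter result with the time-of-day context.

    Mail that the content filter already rejects stays rejected; mail that passes
    the filter but arrives at an hour the sender never uses is held for review.
    """
    if not content_filter_passed:
        return "reject"
    if unusual_hour(profile, sender, ts):
        return "review"
    return "deliver"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # The post's scenario: a well-written message "from" Alice at 3am passes the
    # content filter, but the time is unlike anything she has ever sent.
    print(contextual_verdict(profile, "alice@example.com", "2015-09-10T03:02:00", True))  # review
    print(contextual_verdict(profile, "bob@example.com", "2015-09-10T23:10:00", True))    # deliver
```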
With the advent of "big data" and the sudden surge in data analytics it has spurred, we're starting to get better at #1. Security Information and Event Management (SIEM) products have become all the rage with big businesses that have the money for that sort of thing, but collecting information is only part of the solution. Getting the computers to use it effectively is the more difficult part. I've worked in many corporate environments with huge SIEM deployments, collecting gigs upon gigs of data per day, but most companies don't know what to do with the data. They generate alerts based on attack signatures, but we've been doing that for years; it's hardly much of an improvement.
Problem #2 is the greater of the two, and it's going to be a problem for the foreseeable future. Barring some kind of miracle in AI development, computers will continue to struggle with cognitive reasoning. That's not to say cybersecurity vendors get a pass on this, they should at least be able to get their products accurate enough to block out a sizeable percentage of attacks, but it's always going to be a cat and mouse game. Cybercriminals have proven themselves to be quite adaptable when it comes to avoiding the latest defence techniques.
If you're serious about cybersecurity, it's important to realise that the technology based defences at your disposal are always going to be limited in what they can achieve. This is why Shogun Cybersecurity recommends SMEs adopt a holistic approach to cybersecurity, which encompasses people and processes as well as technology.
Stagefright and the problem with Android security
This year has not been a good year for mobile security, particularly if you're an Android user (like me). A series of critical vulnerabilities in the "stagefright" media libraries which are core to Android's media processing capabilities, left millions of Android users exposed to having their devices taken over by hackers, simply by receiving a maliciously crafted MMS message.
That such a bug exists at all is concerning enough, but the real problem is that months after the vulnerability was made public, the vast majority of Android devices are still vulnerable and are likely to remain so. While Google was quick to release patches to the Android source code, with the exception of Nexus devices which run the "vanilla" variety of the software, Android devices are at the mercy of handset makers and mobile carriers when it comes to getting software updates, and frankly it is not in their interest to supply fixes for old devices when they can sell you a new one instead. Even should these companies wish to do right by their customers, the sheer number of devices which they sell, and the speed with which new models are released, means that keeping the software for each one up to date with security fixes is just not feasible.
Put simply, this is not a problem that can be easily fixed within the constraints of the Android ecosystem. Depending on the device, you may be able to install a custom third party firmware, such as CyanogenMod, but even for users willing to go to these lengths, there are other trade-offs to be made regarding speed and features. My LG G2 has a great camera built in, but without the LG camera drivers, it only takes very average photos.
By contrast, the Apple iPhone does not have this problem, because Apple takes precisely the opposite approach to its mobile offering than Android does. Instead of offering the code to other device manufacturers for free, Apple manufactures and sells its own devices and its software is tightly coupled to them. This allows Apple to take a more aggressive approach to software updates; in most cases the iOS software updates itself without the user's intervention. This practice has its own problems, and has caused problems for users in the past (especially for jailbroken phones), but it does mean that software vulnerabilities are patched on the majority of iOS devices in an acceptable time frame.
Despite that, I'm unlikely to be making the switch to an iPhone anytime soon, but that's a choice I have the luxury of being able to make thanks to being tech-savvy enough to run custom firmware on my device. For the average user, the choices are much more limited. If you'd rather die than give up your Android for an iPhone, then Nexus devices are really the only sensible choice if you are concerned about security. Which you should be, because the amount of personal information on your phone is likely enough for a cyber-crook to empty your bank accounts without you even realising until your credit card gets declined.
The benefits of cybersecurity awareness training
If there is one thing that cyber criminals and hackers can rely on when they are trying to attack an organisation, it's that unsuspecting users are easy targets and can usually be co-opted into providing them with access to a system or network, often without the user's knowledge. Technology based security controls like firewalls and 2-factor authentication are hard to defeat. Generally speaking, a would-be attacker has to have knowledge of specific software vulnerabilities which affect the systems they're trying to attack to fool such security mechanisms. People, on the other hand, are much easier to fool, especially if they haven't been trained in good cybersecurity practices, and how to spot a potential cyber attack.
Phishing attacks, where users are sent deliberately misleading emails which attempt to trick them into performing an action that will infect their computer with malware, or to divulge sensitive information such as usernames and passwords, are the fastest growing class of cyber-attack on the Internet, and have become the number one way in which attackers gain their initial foothold into an organisation's IT infrastructure. Often this is how Advanced Persistent Threats, or APTs, establish their presence on a target network, and from there are able to attack and infect other assets which would otherwise be inaccessible to them.
To combat this threat, organisations must ensure their users know how to recognise and avoid these and other kinds of cyber-attacks. Cybersecurity training and awareness programs for employees are the best means for an organisation to ensure that their employees are equipped with the skills and knowledge required to do their jobs in a manner which does not expose the organisation to these risks.