With so many high-profile breaches making headlines, and the growing number of complex and elaborate cyber security tools being marketed to businesses that feed into this scaremongering, it’s easy to get caught up in the sensationalism of it all and forget the importance of solid security practices in the world of everyday business.
Information Age’s Security Leadership conference has been providing a pragmatic antidote to this for the past few years. On 25 February, in partnership with security intelligence firm LogRhythm and cyber defence start-up Darktrace, the event's focus was on cutting through the hyperbole to take a fresh look at security’s fundamental elements.
Business and IT leaders from across the industry took to the Amba Hotel Marble Arch to take part in a day of interactive talks, end-user case studies and a lively panel discussion on the evolving state of security led by leading security professionals.
As Ministry of Defence (MoD) cyber industry deputy head Daniel Selman reminded delegates, just doing the basics can remove as many as 85% of threats, but a surprising number of organisations are neglecting to do the groundwork, instead choosing to focus on increasing their technology investments.
The tactics of attackers are constantly growing in sophistication and for this reason, even those with the most well-developed cyber security strategies could benefit from the government’s online resources such as the ‘cyber essentials’ and ‘10 steps to cyber security’ checklists, to see if they meet the high standards required of an MoD supplier.
As Cath Goulding, head of IT security for domain name registry Nominet, explained, one fundamental weak point in security that is often taken for granted is the DNS layer.
It works silently in the background, with billions of packets going across the internet every second, and much like plumbing, nobody notices it until things go wrong. DNS attacks are growing, but because it’s an essential component of the internet, invented before these attacks were seriously considered, security has to be bolted on, not assumed to be in place.
‘DDoS (Distributed Denial of Service) attacks against the DNS layer are easier and cheaper than ever to perform, with attackers increasingly successful at breaking through traditional infrastructure-focused security controls,’ said Goulding. ‘That’s why it’s so important to put it on your risk register, have a reputable DNS provider and consider security measures like domain locking.’
Dave Whitelegg, Capita Group’s head of security and payments, reiterated during the panel discussion how attackers are increasingly circumventing infrastructure-focused security controls, and that security is no longer a static process but instead relies on the flexibility to adapt to threats as they evolve. Steve Soar, cyber security executive at Darktrace, agreed.
‘Security used to be about building bigger and bigger walls, like a medieval fortress around our networks,’ he said. ‘In 2016 there are no borders. Gone are the days when we can build walls to keep all the bad stuff out. We have to work on the fundamental principle that there is something in the network.’
Matt Ellison, head of presales at LogRhythm, also agreed that prevention-centric approaches are no longer enough: attackers can and will get into enterprise networks, if they aren’t in already.
As Mike Loginov, CSO of ISSA UK, the UK chapter of the Information Systems Security Association, explained, the first level of vulnerability in any organisation is the human.
‘Hacking people is not simple but it is easy,’ he said. ‘People are easily compromised and manipulated, and our research has shown that 60% of people will change their passwords when asked to by a bogus email, and 67% will give out NI numbers, birthdates and employee numbers. Phishing attacks result in a 100% success ratio in physical breaches.’
In a great demonstration of the basic oversight of humans when it comes to security, he showed how workers in the Waterloo station control room left the passwords for their system on a sticky note on the computer screen, while being filmed for an episode of the BBC’s Apprentice programme. The password? Password3.
Simple mistakes like these come down not to expensive tools but simply to a culture that doesn’t emphasise people’s responsibility to do the basics. Coming onto the stage while in the midst of dealing with a major breach as a result of a phishing attack, Sarah Lawson, head of IT security for infrastructure support service provider Amey, really brought home the reality of this problem.
‘Despite telling people for months ‘do not open this email’, this morning 20 or more people clicked on spam email and opened ransomware into our system,’ she said. ‘We are containing it, and we did detect it, but it just shows how important it is to encourage secure processes: don’t just sit in your ivory tower, go into the business and actually find out what is happening.’
Lawson talked about the importance of removing the ‘them vs. us’ approach, and of being able to effectively communicate in the language of employees.
‘Resilience sounds better than security - it takes away that fear factor and doesn’t make people assume ‘you’re going to block everything, stop me doing things, or cost me money.’ Using the right language can give people a protective feeling.’
This also means being able to communicate security in a way that shows benefit to the business’s bottom line.
‘We all have finite resources,’ said Lawson, ‘and business leaders know information security is not going to make the business any money. But we can show how we can save money with things like asset control, getting rid of software that isn’t doing anything and encouraging effective process, which is essentially free.’
She warned against the dangers of pumping resources into reports that are often rejected because the measures cost businesses money.
‘Plan but keep it proportionate, use basic standards, and only bring in professionals to bridge gaps when you need to. Make it pragmatic and choose your battles - certifications are great and they do the job, but if you put every one of these in place, frankly people wouldn’t be able to use anything.’
In some ways, security is more about what you don’t do. Lawson advised companies to focus on ‘choosing your shiny toys carefully’ and identifying the ‘low hanging fruit’ of people and process that can make a huge difference.