As part of Information Age’s Cyber Security Month, we have provided three CTO guides on cyber security: the challenges, the technology and the best practices. This is the last one, and focuses on cyber security best practice tips, with insights on how CTOs, CISOs or others in charge of security can protect their organisation from the growing list of cyber threats, as well as from increasing human error.
Do the basics right
Michael Wignall, CTO at Microsoft UK, likes to keep it simple and believes you need to do two things for an effective and successful cyber security strategy.
First, “you need to do the basics right,” he says.
“You need to make sure you’re on the latest technology and keep systems patched and up-to-date. WannaCry was a good example of that. With many of the systems that got breached, the threat vector was a vulnerability that should have been patched.”
“Organisations that keep their technology on the latest version and on the latest patch go a long way to keeping their systems protected. So, before I even start talking about advanced threat protection and some of the more clever sophisticated stuff, doing the basics right, getting that hygiene right is vitally important.”
“The second aspect is that most breaches come via credential compromise of some form. It doesn’t come from a zero-day vulnerability on the backend, hacking a server. It comes from credential theft or some other form of brute force password guessing.”
“There’s a variety of phishing attacks, and a breach often comes from compromise in the user credentials. Once the user credentials are compromised, then the attacker can traverse internally, laterally across the network and get access to more stuff.”
“So, protecting the user credential is the next vital step. Going beyond just using a password, and using multi-factor authentication for secure log-ins, or using some more advanced AI type of machine learning capability.”
“Those would be my two key best practices. Do the basics right – hygiene, patching, get on the latest tech; and then secure the user credentials.”
Arrogance will be your downfall
Jason Hart, CTO at Gemalto, suggests that cyber criminals are exploiting the arrogance of organisations.
“Senior leaders must be situationally aware and ensure that employees only have access to the data that they need at any given point,” he says.
“Very few understand the critical importance of knowing the impact of people, data and business processes, and this is the weakness that cyber criminals are exploiting. There are those that are simply ignorant, who just aren’t looking or considering the impact of a data breach and those that are arrogant and believe they know it all, thinking that massive investment in the latest security products will stop a breach. But it’s this very arrogance that makes them vulnerable. In both cases, there is a serious lack of situational awareness.”
Avishai Wool, CTO at Algosec, says that people in organisations should use a different password for every resource that requires one, and record it.
“Pick passwords that are difficult to crack, but are reasonable to remember. I like the concept of pronounceable passwords. There are apps and websites that can supply you with pronounceable passwords that are random but memorable.”
“Use a password manager, but not the password managers that are built into web browsers. I also don’t like websites that manage passwords for multitudes of people, as they become targets for attack. I prefer a local password manager that syncs between my laptop and mobile phone. I always have one of these with me, and so do an awful lot of people.”
Declare the intentions of every system
Uri Sarid, CTO at Mulesoft, believes his tip is a non-obvious one.
“In order to actually be secure, start by declaring openly the intentions of every system,” he says.
“I think a lot of people assume that security is about hiding things and actually it’s about revealing exactly what the intention is. Nothing has to be done externally, but revealing what the intention is of every system, declaring the spec of every API, making every policy that’s applied completely evident, so that on top of that, you can go and secure it.”
“When you hide the capabilities of your system, you’re not hiding it from the hackers, you’re hiding it from the security people who will actually come and help you with it.”
5 recommendations to secure a big data environment
In terms of cyber security best practice tips, other than the basic hygiene (of having strong passwords in place, as well as basic perimeter protection like firewalls), Scott Gnau – CTO at Hortonworks – offers five recommendations to follow to secure a big data environment.
1. Set up a robust process to verify data quality and compliance: Take the time necessary to handle a robust audit of the data. This will help to manage the regulatory compliance needs of a business better and to control the environment proactively.
2. Manage security centrally: Set up strong security policies, especially in terms of Identity and Access Management, by offering a unique and centralised security administration interface for all components with appropriate rights / permissions. Also, centralise governance, operation and security services.
3. Implement data access control and logging: Set up data filtering depending on the specific business needs, and ensure the solution embeds security functionalities dedicated to authentication, such as Kerberos or Apache Knox. Pay particular attention to privileged accounts and ensure the implications of those privileges are fully understood.
4. Log events: Prepare to dig into event logs and to find the origin of the issue if a data loss, a data theft or any other security breach occurs.
5. Ensure encryption of frequently accessed and randomly accessed data: Encryption provides an added layer of security by protecting data both when it is transferred and when it is stored (at rest), while masking capabilities enable security administrators to desensitise data for display or temporary storage.