Cyber Security – Addressing Root Causes - The Need to Implement Modern Security Practices (Part 3)
As discussed in the first Pulse article on this subject, in June of 2015 I testified before the Senate Appropriations Subcommittee on Financial Services and General Government on the Office of Personnel Management (OPM) data breaches. Given that I never worked at OPM, my testimony described broader systemic issues that must be addressed if we are to better protect our government’s data and IT systems. I am presenting the substance of that testimony in a series of Pulse articles covering the root causes of IT security issues, along with recommendations to address those root causes. And while the OPM data breaches occurred in the Federal Government, I see very similar cyber security issues affecting private sector organizations as well.
The four root causes outlined in the first article I presented are:
- Lack of IT Management Best Practices,
- Misguided IT Security Practices,
- Slow and Cumbersome Acquisition Process, and
- Shortage of Talented Cyber Security Professionals.
The remainder of this article addresses the weakness of Misguided IT Security Practices. Given the complexity of IT environments for large organizations, one must assume that it is virtually impossible to protect all elements of your IT environment. Further, with the interconnectedness of systems and the rise of cloud computing, there really is no boundary to an organization’s IT environment. And finally, even with good protections in place, most breaches are caused by user error, and while we can constantly work to educate the workforce, mistakes (and hence breaches) will continue.
Given these realities, and based on what is evolving in the cyber security industry, there are three significant areas at which organizations need to aim in order to improve their IT security practices:
- SECURITY DETECTION TOOLS. There is without a doubt a continuing need to pursue cyber security tools to prevent intrusions, but perhaps even more importantly, to detect them quickly when intrusions do occur. A number of products identify and protect against known “signatures” or characteristics of malicious activities, thereby preventing those intrusions. However, more advanced protective capabilities are required to prevent intrusions that the government is not yet aware of, thereby further reducing the government’s attack surface. With enhanced automated protection, network defenders can then focus on detecting and remediating only the most sophisticated and potentially dangerous attacks, rather than trying to decide which of the seemingly endless alerts to pursue today. The cyber security product industry has made great strides in these areas in the last few years, and the industry is working to move to a model in which the most advanced tools for prevention and detection leverage threat intelligence from users all over the world.
- IDENTITY MANAGEMENT. Even with the most advanced prevention tools, organizations need to assume that sophisticated adversaries will still gain access. So alternative approaches are needed, and in particular, ones that rely on creating more trust in online interactions. The root of all trust is verified identity. With a high degree of certainty, organizations need to know who is accessing their systems and data, and in the online world, multi-factor authentication methods are key to doing that. There is a plethora of newly available technologies to enable multi-factor authentication for both internal and external users. Even though the root of trust is identity, there is more to the trust equation. In the “physical” world, I trust another because I have high confidence they will act in a manner that I expect. Some of the most damaging data breaches have come from individuals who were properly authenticated and authorized to use systems and access data. Their behavior, however, was not in keeping with what was expected. This is commonly called the insider-threat problem. There are new technologies and capabilities today that can bring in other context, such as audit logs or behavioral analysis systems, to assess someone’s trustworthiness on a regular basis. These additional factors, beyond those used to assess authenticity, are key to fully establishing and monitoring trust.
- PROTECTING SENSITIVE DATA. Finally, organizations need to target additional protection for an agency’s most sensitive information, whether it’s data sets or documents. Tools and products exist that enable organizations to protect information independent of the likely insecure environment in which they operate. Organizations need to focus on their most valuable information. There are limitations, given some of the antiquated systems in which such information may reside, but by focusing efforts on the most sensitive information, an organization can ensure, within a relatively short time, that only trusted parties have access to it. This would go a long way toward thwarting additional major and damaging data breaches.
Organizations need to move away from a system-by-system approach to IT security and, as described above, toward a holistic model: environment-wide prevention and detection, verified identity as the key to establishing trust in another party, and data protection both at rest and in motion. These steps enable organizations to more confidently operate and protect sensitive data in an insecure environment.
Join me in the ever-evolving Cybersecurity conversation here: http://blog.learningtree.com/en/category/cybersecurity/
Richard, thanks for sharing!
The House Government Oversight Committee has just issued a pull-no-punches report on the OPM compromise, exposing a lot of systemic issues. The report is long, but worth reading. https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
Excellent article. These are all great proactive measures. However, most of our efforts in dealing with cyber crimes have been reactive. We need to be more creative and innovative in how we secure our first, second, and third lines (code) of defense. I think extensive research and development should be applied to securing the trust relationship between shippable software components. This will be critical to reducing the frequency and impact of cyber events.