Security By Design Shouldn’t Be Like Groundhog Day
The increasing exploits and attacks of the past year have shown us that security needs to be treated as a commodity in an organization. Just as there is coffee in the break room, there should be security in your processes. A culture of security needs to be built into the design process itself, and today it is just as important as marketing and sales.
We've seen major breaches this year that have destroyed organizations' reputations, revenue streams and careers. Equifax, for example, lost close to 4 billion dollars in market value after its breach, and, more worrying still, 143 million people lost their privacy. We need to treat security as the glue between our business processes, not only to keep them profitable but to protect the sensitive data we work with and the users who rely on us to protect it.
The future of security sometimes feels like living in the Bill Murray movie "Groundhog Day". In the film, Bill Murray's character wakes up to the same day over and over and eventually has to break out of this maddening pattern. He describes his existence as: "It's the same thing every day: clean up your room, stand up straight, pick up your feet, take it like a man, be nice to your sister, don't mix beer and wine, ever. Oh yeah, don't drive on the railroad tracks."
The future of our security programs shouldn't be a dull existence in which we expect to deal with the same issues every day without making significant progress. It should be one of constant progress, each step building on the foundations the program has already laid.
In my opinion the future of security starts with getting back to the basics. We need to step back and evaluate today's threats and how they are actually carried out. If we review how the majority of attacks occur, we'll notice the basics not being done effectively. We'll see vulnerability and patch management lacking to the point where we are literally giving attackers free shots at our systems. We'll also notice a lack of security awareness training that is actually fun or interesting for users, instead of the same droning PowerPoint about what you shouldn't be doing. Or we'll see that proper segmentation, logging of critical alerts, two-factor authentication, and encryption of sessions and data are still not being done completely. We can't move into the future of security without doing the fundamentals of the past.
Before we get into the technologies and vendors that help detect and defend against attackers, we need to instill fundamental security concepts into our programs. It's like failing calculus because you never took algebra: you're going to have holes in your program if you don't do the basics first. That is a great example of why the New York State Department of Financial Services released its 23 NYCRR 500 regulation, which establishes a minimum level of security through its requirements.
New technologies are making these fundamentals easier to achieve. With the growth of artificial intelligence in security systems, we're seeing big data used to baseline normal behavior within our networks, which lets us catch issues we might not have been able to detect in the past. The industry is saturated with vendors touting this now, and I don't think that will stop anytime soon. It's a maturing area of technology and one I think will see great growth in the future.
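To make "baselining behavior" concrete, here is an added example written for this page (it is not the article's own code or any vendor's product). It learns, per user, the normal login sources, hours of day and a robust failed-login threshold from a quiet window of constructed authentication log lines, then flags deviations in a later window. The log format, the field names, the baseline window, the k=3 multiplier and the MAD floor of 1 are all assumptions made for illustration.

```python
"""Behavioural baselining over authentication logs (added example, not the article's code).

Assumed, hypothetical log format (one event per line):
    YYYY-MM-DDTHH:MM:SS user=<name> src=<ip> result=<ok|fail>
Baseline per user: source IPs and hours-of-day seen in the quiet window, plus a
median/MAD threshold for failed logins per day (robust to the odd noisy day).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")


def parse(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2),
            "src": m.group(3), "ok": m.group(4) == "ok"}


def build_baseline(lines, k=3.0):
    """Learn per-user 'normal' from the baseline window. k is a tuning assumption."""
    src, hours = defaultdict(set), defaultdict(set)
    days, fails = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for e in filter(None, map(parse, lines)):
        u, day = e["user"], e["ts"].date()
        src[u].add(e["src"])
        hours[u].add(e["ts"].hour)
        days[u].add(day)
        if not e["ok"]:
            fails[u][day] += 1
    baseline = {}
    for u in days:
        counts = [fails[u].get(d, 0) for d in days[u]]   # zero-failure days count too
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        # MAD is 0 for quiet accounts; the floor of 1.0 keeps the threshold usable (assumption)
        baseline[u] = {"src": src[u], "hours": hours[u],
                       "fail_threshold": med + k * max(mad, 1.0)}
    return baseline


def detect(baseline, lines):
    """Compare observed events with the baseline; return a sorted list of (user, reason, detail)."""
    alerts = set()
    daily_fail = defaultdict(int)
    for e in filter(None, map(parse, lines)):
        u = e["user"]
        if u not in baseline:
            alerts.add((u, "unknown_user", e["src"]))
            continue
        b = baseline[u]
        if e["src"] not in b["src"]:
            alerts.add((u, "new_source", e["src"]))
        if e["ts"].hour not in b["hours"]:
            alerts.add((u, "unusual_hour", f"{e['ts'].hour:02d}:00"))
        if not e["ok"]:
            daily_fail[(u, e["ts"].date())] += 1
    for (u, day), n in daily_fail.items():
        t = baseline[u]["fail_threshold"]
        if n > t:
            alerts.add((u, "failed_login_burst", f"{day}: {n} failures > {t:g}"))
    return sorted(alerts)


def make_sample_logs():
    """Constructed sample data (not real telemetry): 7 quiet days, then one observed day."""
    base = []
    for day in range(1, 8):
        for hour in (9, 17):
            base.append(f"2017-10-{day:02d}T{hour:02d}:05:00 user=alice src=10.1.2.3 result=ok")
            base.append(f"2017-10-{day:02d}T{hour:02d}:12:00 user=bob src=10.1.5.7 result=ok")
        if day % 3 == 0:   # an occasional mistyped password is normal for bob
            base.append(f"2017-10-{day:02d}T09:04:00 user=bob src=10.1.5.7 result=fail")
    obs = [
        "2017-10-08T09:06:00 user=alice src=10.1.2.3 result=ok",     # routine
        "2017-10-08T03:15:00 user=alice src=203.0.113.9 result=ok",  # new source at 03:00
    ]
    obs += [f"2017-10-08T09:{30 + i:02d}:00 user=bob src=10.1.5.7 result=fail" for i in range(8)]
    obs.append("2017-10-08T09:38:00 user=bob src=10.1.5.7 result=ok")  # guess succeeds
    return base, obs


if __name__ == "__main__":
    base, obs = make_sample_logs()
    for alert in detect(build_baseline(base), obs):
        print(alert)
```

Two caveats a practitioner would want before trusting this in production: the baseline window must itself be clean, because an attacker who is already present is learned as "normal", and hour-of-day membership on a week of history is brittle, so a real deployment needs far more history or a tolerance window. A cheap sanity check is to replay the baseline window through `detect`; it should raise nothing.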
Another area we need to focus on in security is orchestration and automation, which increase our ability to defend against attackers. This means our systems becoming aware of each other and integrating into each other's processes via APIs. It is a design feature we should look for when building an architecture or evaluating new systems. Being able to alert, detect, prevent and recover from an incident in an automated fashion is something I think the industry will also move towards, and one we should consider when building security into our organizations once the fundamentals are complete.
Recently we've seen attackers take advantage of vulnerable systems in the NotPetya and Equifax incidents, but we've also seen the security community come together and collaborate to stop threats like Mirai and WireX from propagating further. We need to put security first, not only to protect our revenues but to protect our sensitive data. A K-12 school district had the names and addresses of all its students released to the internet, which not only puts these children's privacy at risk but could put them physically in harm's way. It's not always about money when these breaches occur; it's about the privacy users lose.
It's our responsibility to protect this data, and the future of cyber security isn't a "magic box" that's going to fix all your issues. It's bringing awareness, following the fundamentals, and growing your program with advanced technology after the basics are in place. We need to change our mindset now, build security in as part of our DNA, and stop chasing silver bullets. As Bill Murray's character said in Groundhog Day, "I'm not going to live by their rules anymore." We should follow his example by building in security today and stopping the perpetual data breaches we see on a daily basis.
By: Matt Pascucci
Cybersecurity Practice Manager, CCSI
“FOR MORE THAN 40 YEARS, Contemporary Computer Services Inc (CCSI) has provided clients in both the private and public sectors with a rock solid foundation on which to secure their organization’s future. We recognize that every client and every industry is unique. Therefore, we never take a cookie-cutter approach when designing IT solutions. In fact, we consider it our responsibility to find the strategy that suits each client’s individual needs. CCSI offers turnkey and custom cybersecurity solutions that feature field-tested products and services from proven vendors. We help customers understand what they need to meet their security and compliance goals.”