Only the paranoid survive
August 2017, This Week's Editor's Pick, Cyber Security, Integrated Solutions, IT infrastructure
Without question, there is no shortage of cyber problems in the world today. Whether you’re a government, a hospital, a global corporation, a small business or an individual, you should be paranoid because they are out to get you.
The common thought in the minds of most people is that they are too small or insignificant to make a difference to cyber criminals. In a traditional crime scenario this may be relatively true, but in the age of the Internet and big data, even the smallest and most insignificant cog in the wheel is worth something, even if it is only there to demonstrate how much the criminals have stolen.
But how do the average person and the security operator in a company handle the seemingly continual threat of cybercrime, whether from viruses, Trojans, spyware and ransomware, or from directed attacks such as hacking, DDoS and so forth? What tools and processes should be in place to deal with these issues and at least provide some form of protection?
If your cyber defences were put under scrutiny in a court of law, what would be considered ‘reasonable and appropriate’?
There is no set answer to this question; however, waiting for something to happen is not reasonable or appropriate. Riaan Badenhorst, GM at Kaspersky Lab Africa, says that as cyberthreats against businesses of all shapes and sizes continue to become more sophisticated and prevalent, it is no longer good enough to merely be reactive towards these risks.
“Companies need to look beyond the traditional viewpoint that cybersecurity only entails a firewall, an anti-virus solution and some Internet filters. Instead, it has evolved to become a process or strategy that is completely integrated into the running of the business. Understanding this strategy is the best way to determine what a business needs in terms of protection.”
He adds that to best understand what this strategy needs to look like, a business should examine the security process itself and gain an understanding of the four distinct, universal phases of IT security. These include:
• Threat prevention is the best understood phase in most local businesses. Threat prevention is mostly covered by technology – be it a firewall or an anti-virus solution. Most businesses know that they need to block each and every one of the generic threats emerging, and so they have this phase covered by implementing an IT security solution.
• Detection of sophisticated and targeted attacks, on the other hand, is more complex. This phase requires a business to invest in advanced tools and expertise, but more importantly, this step requires time to identify the indicators of an attack, spot an incident, investigate it and mitigate the threat.
• Once this has been completed, responding to the threat then becomes crucial. This step requires the specialised skills of forensic experts to ensure that the response is effective and that the threat is dealt with entirely.
• Finally, the prediction of future attacks and understanding the attack surface defines the long-term strategic defence capabilities of a company. This is becoming an essential part of an effective IT security strategy today given the advanced threat landscape businesses are dealing with. This is done through running penetration testing and other kinds of security assessments.
Considering this, companies need to invest ‘differently’ to ensure they are better protected against attacks, whatever the source or method of attack used. According to Kaspersky Lab researchers, 80% of the security budgets of companies are spent on preventing security breaches. However, only 20% goes towards strategies actually designed to detect attacks, as they happen, and respond to them to minimise any damage, and to help predict future attacks.
Integrated, end-to-end security
Paul Williams, country manager for southern Africa at Fortinet echoes this sentiment, noting that the information security threat landscape is now so diverse and sophisticated that organisations need a fully integrated, end-to-end security fabric to mitigate the risks.
“Organisations across South Africa are re-evaluating their entire security and risk profiles and moving to manage physical and cyber risk in a more integrated and cohesive way. The new approach is to seek an integrated, intelligent solution with single pane of glass management.”
Mitigating the plethora of cyber risks in your cloud environment as well as your traditional data centre demands a comprehensive and strategic approach, he says. “In South Africa, many content providers and website owners are inadequately protected, and have not considered the implications of the risks they face. A site accepting electronic payments may well have adequate payment gateway security, but any business moving to online functionality or implementing a customer-facing web page faces risks such as SQL injections, cookie poisoning to divert users to phishing sites, site defacement and content scraping. Any of these threats could cost the business in terms of financial losses, fines and reputational damage.”
Every business must assess the entire environment and consider the risks, compliance requirements and security features needed across hosting, networks, data, transactional environment, web pages and apps, and implement a security fabric that delivers control, integration, and easy management of security across the entire organisation, from IoT to the cloud.
Ignorance is not bliss
While Hi-Tech Security Solutions readers will have come across the concept of insider threats before, with respect to fraud for example, the insider threat is just as dangerous in the cyber environment, if not more so. Not only will companies have insiders working for their own or others’ ends, they also need to deal with people who make mistakes by opening attachments they shouldn’t or clicking on links to malicious websites.
“The unknowing user is still one of the biggest security risks facing enterprises today,” says Williams. “No matter how many policies you put in place, there will always be the risk of a user falling victim to a phishing attack, or clicking on a malicious mail. The only way to mitigate that risk is an intelligent sandbox that augments your security architecture by validating threats in a separate, secure environment.”
Badenhorst adds that Kaspersky’s research shows that around 80% of all cyber incidents are caused by human error. “In fact, uninformed or careless employees are one of the most likely causes of a cybersecurity incident, second only to malware.”
While malware is becoming more sophisticated, the sad reality is that the evergreen human factor can pose an even greater danger to businesses. While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist on a business, they will likely start with exploiting the easiest entry point – human nature.
The best way of protecting organisations from human-related cyberthreats is to combine the right tools with the right practices. This should involve HR and management efforts to motivate and encourage employees to be watchful and seek help in the case of an incident. Security awareness training for staff, delivering clear guidelines instead of multipage documents, building strong skills and motivation and fostering the right working atmosphere are the first steps organisations should take.
While a business cannot fully defend itself against malicious employees, and there is no such thing as being 100% secure, following a strategy as outlined above and being proactive around security will go a long way towards ensuring that if such an occurrence takes place, the business is able to respond quickly and minimise the risk.
So what choice do you make?
Security veterans know there is no such thing as a 100% secure solution, whether you are looking at securing a house or a data centre. However, they also know that with proper planning and the right selection of technology, one can attain a reasonable level of security. So what solutions does one need to make attackers’ lives so miserable that they decide to look elsewhere?
Because no two IT infrastructures are exactly the same, and because the most powerful cyberthreats are tailor-made to exploit the specific vulnerabilities of the individual organisation, Badenhorst believes effective solutions and services need to be tailored to the different needs of the business.
To determine what these are, businesses can undertake the following:
• Penetration testing – identify the weakest points in your infrastructure.
• Application security assessment – uncover vulnerabilities in applications of any kind, from large cloud-based solutions, ERP systems, online banking and other specific business applications to embedded and mobile applications on different platforms (iOS, Android and others).
• Digital forensics and malware analysis – reconstruct a detailed picture of any incident using comprehensive reports, including incident remediation steps.
Once this assessment is undertaken, a business should then invest in business security solutions based on its most pressing needs. Such solutions, however, should offer managed protection – security platforms that provide round-the-clock monitoring and the continuous analysis of cyberthreat data (cyberthreat intelligence), ensuring real-time detection of both known and new cyber espionage and cybercriminal campaigns targeting critical information systems.
There are a multitude of solutions on the market, notes Williams. If these solutions cannot be integrated and managed in a cohesive way, the organisation cannot effectively manage risk and cannot react instantly should it come under attack.
You need help
Along the same lines, Badenhorst says it can be very challenging to develop the kind of expertise needed in-house and, of course, it can also be expensive. In these circumstances, it seems more reasonable to use an external service from a professional IT security consultant or global player.
“This is where the role of the security vendor needs to change and add real value for a business, providing and sharing their expertise to ensure a comprehensive approach is applied to fighting cyberthreats for the business. In doing so, and in having the right intelligence and services, companies can be prepared to predict and detect attacks – and of course, to respond to them effectively.”
At the same time, both agree that security can’t simply be handed over to someone else, no matter how qualified they may be. Each company must remain in charge of their security, making use of the best skills and technology available, because accountability remains with the organisation itself.
Williams notes that Fortinet solutions, including FortiGate enterprise firewalls and the FortiWeb, FortiDDoS, FortiSandbox and FortiMail platforms, are powered by the security services developed by FortiGuard Labs, where expert researchers and analysts around the world develop tools and technology and study breaking threats. They then update FortiGuard security services to protect against those threats. FortiGuard Labs uses data collected from more than three million sensors around the globe to protect more than 300 000 customers every day.
When asked for more specific recommendations, Badenhorst believes that the optimum solution to the problem of fast incident discovery is actionable security intelligence. This means being able to spot an attack at any point using a variety of methods.
“While typical prevention tools focus on analysing activity on endpoints, an additional layer of security has to be in place today (what we at Kaspersky Lab call ‘Threat Intelligence’), a service offered over and above products, to ensure new protection techniques are made available to customers based on Kaspersky Lab’s unique intelligence and expertise.
“Over and above this, we would recommend that organisations invest in business-specific solutions that can proactively detect targeted attacks against a business – so that the business can prevent ongoing damage. Such a solution/platform must be able to work alongside the existing security software, boosting the overall security for the business.”
For more information, contact:
• Fortinet: www.fortinet.com
• Kaspersky: www.kaspersky.co.za