BreachExchange mailing list archives
Do You Even Know What Cyber Defense Is?
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 21 Jun 2017 23:27:04 -0500
http://ww2.cfo.com/accounting-tax/2017/06/even-know-cyber-defense/ The days are long gone when you could simply install some software to block attacks. If something did get through, you just cleaned it and moved on or you implemented something to make sure employees didn’t access the wrong systems. That was information security. Today’s companies are tasked with something that was formerly the responsibility of the military and government, that of defending themselves from attackers. Today’s adversaries are cunning, determined, and happier to take down a small target than a large one. Small targets are less protected and have smaller budgets. And adversaries can use them to larger targets they can laterally move into once the smaller target is compromised. Protecting against these attacks is the goal of cyber defense. Although the enemies have changed, many companies they are just realizing that their defense posture is targeted at preventing malware and insider attacks, not cyber attacks. The technology they’ve deployed is patchwork consisting of solutions from multiple vendors that doesn’t work together. Typically, the corporate defenses against cyberattacks aren’t managed or monitored by experts. Ultimately, they’re not delivering on the promise of protection that the vendors of those disparate systems made. This is in no way that a country, in comparison, should defend its borders from invading hordes. Further, in an age where we’ve moved from historical accounting and future valuations to profit and revenues as the key market determinants, there’s a strong desire to control spending and reduce overhead. In the current environment, we’re seeing more complex attacks that employ sophisticated tactics even against smaller targets. Here’s a great example: I received a call from our intelligence team informing me that they had intel that a mid-sized company had been compromised. The attacker had control of all the company’s systems and was trying to sell the company’s confidential data on the Silk Road, an online black market that transacts business on the dark web. If the company didn’t pay the ransom in 24 hours, the attackers threatened, they would encrypt the company’s data and demand they pay him to decrypt it. Not wanting to give in to the attackers, the company didn’t pay the attackers. No one in the black market paid for the data in the 24 hours, and the attacker simply walked away, launching the ransomware campaign. The ransomware encrypted the customer’s entire data. The problem was that although company was equipped with good security products, it had no cyber defense program. No one had even considered it. Ultimately, the company suffered greatly and spent months trying to recover. WannaCry is another example. In that case, the hackers took advantage of a security vulnerability that for a lot of companies was still exposed. The problem was something that a standard information security program might have allowed to slip by for a time or go completely unaddressed. For companies with strong cyber defense programs, including defenses against attacks like Wannacry, the attack had no effect. Why is it that so many companies were caught off guard? We spoke to a great many companies that week and almost all of them were baffled and confused as to exactly what the attackers were doing and how they might have protected themselves. Although I know of many organizations that are striving to keep up with such threats, there are too many who don’t understand that cyber defense is not the same as a security program. The problem extends not only to C-level executives who aren’t responsible for security but even to those who are. What was formerly a good security program isn’t designed to provide the type of protection required to foil sophisticated attackers. Companies need a more global view of attackers tools, tactics, and procedures regardless of their size. There is no way to hire the skillsets and team sized needed to keep up with all the different attack groups and government sponsored adversaries. Cyber defense really requires a change in mindset. Leaders need to truly accept that they are under attack. This means understanding that there are a plethora of reasons that they might be a target. But acting as if no one cares about their company or their executives is naïve. Accepting this will change the measurement used to calculate financial risk models. A lot of the problem is that most non-IT C-level doesn’t have the time to properly educate themselves on cyber defense. Financial trade organizations should focus more on informing CFOs and their peers about cybersecurity. For their part, CFOs should make time for top-tier vendors to present to them just as they present to their CTOs. If we don’t do more to educate non-security C-level executives, the chances of making real headway for corporate cyber defense is limited. We need to get the message through to the executive suite and the boardroom that company-wide cyber defense is more important than mere information security. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Do You Even Know What Cyber Defense Is? Destry Winant (Jun 22)