1. Where is cyber risk management going wrong?
In many sectors IT professionals have an outdated outlook.
They often see their role in cyber security as maintaining defences against external attack. The reality, however, is that most cyber-attacks are in one way or another caused by staff inside the organisation’s security perimeter.
That can be either a security slip-up or falling victim to clever social engineering that lets the attacker infiltrate malicious code into the organisation’s systems.
Employees can be trained to spot socially-engineered phishing emails, but as a defence this can never be 100 per cent effective. Even in the most stable of organisations someone will inadvertently click on a disguised link inside a convincingly crafted email, causing a download of malicious code. It only takes one click for an entire organisation to be breached.
2. Why does this matter if companies store their data and applications in the cloud? Surely the cloud-provider will have advanced security?
The cloud has enormous advantages in scale and reduced overheads, but most cloud-providers don’t provide any significant enhanced security capabilities. Even those security features that are provided by the large cloud providers focus on traditional threat detection techniques. This makes them just as vulnerable as any in-house data centre.
In fact there is an increasing trend of hackers targeting cloud providers directly to get to their customers. Suborned members of staff in server farms or data centres have been known to place malicious software on servers, extracting data illicitly from a specific company. It can be a very long time before these intrusions are detected, and by the time they are, a large amount of data has been stolen, with serious consequences for the business or organisation.
3. What needs to change?
It’s not a case of “if” a data breach will happen, but “when”. Companies should shift their focus from defending against known attacks from the outside and concentrate instead on identifying attacks as quickly as possible when they do happen, taking rapid action to shut down the attack before it does any damage.
Within the organisation, security professionals need to think differently and consider how they can protect a company from human error.
4. What does that mean in terms of technology?
Most organisations try to protect themselves using anti-virus technology (AV) and firewalls. New malware is being created at an alarming rate by criminals, and AV and firewalls cannot keep pace with it. Firewalls fortify the company IT systems against external attack, whereas most data breaches tunnel under the defences using spear-phishing, employee security lapses and increasingly sophisticated social engineering to get a foothold inside the castle. Both techniques are inadequate against the increasingly sophisticated, bespoke cyber-attacks that can go undetected for months.
AI-based solutions that spot unusual patterns of data use offer an intriguing alternative, but they are prone to generating many false positives. An organisation can end up in lock-down at times of critical usage or during a change in business operations, when there is a lot of legitimate traffic. It is also possible for a low-level, more gradual theft of data to go undetected without triggering any alerting mechanism. They also require significant expertise to install and maintain, beyond the capabilities of most organisations.
Whitelisting is a good solution for many users, but even here there are some pitfalls. Whitelisting servers match what is running on a server against an approved list, but the whitelisting servers can themselves be hacked as a backdoor route into a target system.
5. What should organisations do now to protect their servers?
They must accept that security breaches will occur, either from deliberate, malicious acts, or through negligence. The shift has to be from manning the fortress walls to rapid identification and containment once the attackers are inside.
6. How do you achieve that?
You have to drop the idea of relying on AV or AI-based approaches and move to far more innovative and effective technology.
Advances in hardware-based cryptography and whitelisting technology have led to a step-change in server security. Distributed hardware-backed intrusion detection systems employ tamper-resistant hardware encryption modules which are built into most commercially-available servers. This renders the technology virtually impervious to hacking and capable of detecting nefarious activity within seconds, rather than the days or weeks it takes AV users to detect that a new virus has bypassed their security.
The use of hardware cryptography prevents audit data from being tampered with or falsified by system administrators or the cloud-provider. Whitelist verification can also be carried out on multiple servers which cross-check each other, so the possibility of compromise from a single server is effectively eliminated. Your organisation cannot be vulnerable to any single point of attack.
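The three mechanisms described in this answer, and the pitfall raised earlier of a whitelisting server that is itself compromised, can be sketched in a few dozen lines: an allowlist check of what is running on a server, an audit trail whose entries are chained under a key the verifier can use but an administrator cannot read, and a cross-check in which independent verifiers must agree. The following is an added Python example, not CyberHive's code; the sample binaries, the approved list and the HMAC key standing in for a hardware-sealed key are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: the bytes of the programs found running on a server.
# A real deployment would read these from disk or memory; here they are inline.
RUNNING_BINARIES = {
    "/usr/sbin/sshd": b"sshd-binary-v1",
    "/usr/bin/nginx": b"nginx-binary-v1",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The approved list (whitelist): path -> expected SHA-256 of the binary.
APPROVED = {path: sha256_hex(data) for path, data in RUNNING_BINARIES.items()}

def check_whitelist(running, approved):
    """Return the paths whose contents do not match the approved hash, or are not listed at all."""
    violations = []
    for path, data in running.items():
        expected = approved.get(path)
        if expected is None or not hmac.compare_digest(sha256_hex(data), expected):
            violations.append(path)
    return sorted(violations)

# Stand-in (constructed) for a key sealed inside a hardware module: the verifier can
# compute tags with it, but an administrator cannot extract it to forge records.
_HARDWARE_KEY = b"constructed-stand-in-for-hardware-sealed-key"

def audit_record(seq, violations, prev_tag):
    """Build one append-only audit entry; the tag covers the previous tag, so an edited or
    deleted entry breaks every entry after it."""
    body = {"seq": seq, "violations": violations, "prev": prev_tag}
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(_HARDWARE_KEY, msg, hashlib.sha256).hexdigest()
    return {**body, "tag": tag}

def verify_audit_chain(records):
    """Recompute every tag and confirm each entry links to the one before it."""
    prev = ""
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body["prev"] != prev:
            return False
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(_HARDWARE_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False
        prev = rec["tag"]
    return True

def cross_check(reports):
    """Independent verifiers scanning the same server must agree; a verifier that has
    itself been subverted and reports 'clean' shows up as a disagreement."""
    distinct = {json.dumps(r) for r in reports}
    return len(distinct) == 1

def demo():
    """Walk through the three failure modes discussed in the text and return the findings."""
    findings = {}
    # 1. A binary on the server is replaced: the allowlist check flags it on the next scan.
    tampered = {**RUNNING_BINARIES, "/usr/sbin/sshd": b"sshd-binary-backdoored"}
    findings["replaced_binary"] = check_whitelist(tampered, APPROVED)
    # 2. One of two verifiers is itself compromised and reports nothing regardless of the scan.
    honest = check_whitelist(tampered, APPROVED)
    subverted = []  # a hacked whitelisting server lying about the result
    findings["verifiers_agree"] = cross_check([honest, subverted])
    # 3. An administrator edits the audit trail to hide the finding.
    chain = [audit_record(0, [], "")]
    chain.append(audit_record(1, honest, chain[0]["tag"]))
    findings["chain_intact"] = verify_audit_chain(chain)
    chain[1]["violations"] = []  # in-place edit of the stored record
    findings["chain_after_edit"] = verify_audit_chain(chain)
    return findings

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the cross-check is that a single subverted verifier cannot quietly report "clean": its answer is compared with at least one other verifier's, and the disagreement itself becomes the alert. The chained tags give the same property to the audit trail, since anyone who can edit stored records but cannot reach the sealed key leaves a verifiable break in the chain.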
7. How can this be effective security if a breach has already taken place?
Rapid identification of a cyber-attack within seconds rather than the months it can currently take puts an organisation on the front foot and allows for the fastest remediation possible. This provides effective protection against the devastating impact of security lapses and can dramatically cut the cost of responding to a cyber-attack.
With this technology, verification can take place from any server anywhere in the world. As a cloud-user you don’t have to rely on your cloud-provider to check on the security of your data – you can do it yourself from wherever you choose. You will know almost immediately that unauthorised software has been infiltrated onto the server holding your data, enabling fast containment and nullification action. It’s even possible to cross-check your own employees to eliminate unintentional security lapses or even malicious acts by an authorised administrator.
8. What about the evolving nature of cyber threats?
Cyber security is one of the fastest developing areas of technology but the deployment of a new-generation solution combining hardware-based cryptography and advances in whitelisting will future-proof any organisation. It is the kind of technology that addresses tomorrow’s threats as well as today’s.
David Blundell, Founder, CyberHive
Image Credit: Pavel Ignatov / Shutterstock