2 May 2015

Ignore cyber fears and get the basics right, say infosec experts

April 28, 2015

For all the talk of cyber-warfare and black-hat hackers, most information security experts still get the basics wrong, said speakers at today's 44CON conference in London. 


In recent months, there have been various reports on Russian, Chinese and Iranian state actors being behind a range of Advanced Persistent Threat (APT) campaigns, doing everything from stealing IP and financial records to accessing Barack Obama's emails, as discovered just earlier this week. Also this week, one expert warned that the British Rail network could be hacked by clandestine hackers. 

But at 44CON in London earlier today, two cyber-security experts, including a current head of information security, said that the threat is overstated, with human errors remaining far and away the biggest concern. 

Quentyn Taylor, head of information security at Canon EMEA, opened the conference with his presentation on ‘Not following the herd – how to make your voice matter in the corporate world’. In it, he said that cyber-war is old and exaggerated news, and not often a direct threat in day-to-day activities. 

Instead, he pointed to Verizon's Data Breach Investigations Report (DBIR), which continues to show that web attacks and poor patch management are still the main causes for concern, with OWASP Top 10 guidance largely ignored. 

“It's fashionable to focus on the black swan events like cyber-espionage but we ignore the fact that patching is generally done very, very poorly. The basics are absolutely being forgotten and there is a mentality to focus on new things.” 

Taylor said that CISOs and heads of information security should be asking themselves what they understand and whether they are getting the basics right, and said that Canon has taken the view of “being both in the dance and on the balcony”. This, he said, involves being “in the thick of operational aspects”, while occasionally stepping back onto the balcony to get a broader picture of “what hell am I actually doing here.” 

Using the herd analogy, he said that wildebeest would be much better informed about their migration, for example, if they could take a helicopter view rather than relying on commonly held conceptions. 

Accordingly, he said information security officers would be better advised to understand the baseline and the acceptable risks, and to be prepared to go against the grain – even if it means disagreeing with superiors. 

“If you're a CISO, a head of security or aspire to be one, you're a leader and need to do two things. It sounds obvious but you need to lead. In the herd, you need to understand why you're in the herd, and on the basis that you've seen and understood the landscape.” 

“Also, take risks. It sounds weird for an infosec person to say take more risks, talk to business people and ask how can we take more risks? That's what doing the business is doing.” He added, interestingly, that his focus was to be “no less secure” than his competitors, insisting that if it was significantly more secure he would be worried he was “spending too much.” 

In a later presentation, independent cyber-security consultant Dr Jessica Barker partially touched on Taylor's points, saying that too many security managers prioritise tech over training. Furthermore, she said that employees would often be paralysed by fear over cyber-attacks, and would be blamed in the event of an incident. 

“We talk about fear a lot, about cyber a lot, but often in the wrong way. Using fear of changing behaviour has a lot of negative impact if we don't use it in the right way.” 

“It also amazes me that the people who will blame users as the problem never say that users are the solution. They always think the solution is in technology. There's a bit of a tendency in infosec to blame users rather than find solutions and work with them.” 

She said that a victim-blaming culture such as this dates from the 1970s and 1980s and can also be seen in literature, from Frankenstein to Gollum. 

Frankenstein, for example, was rejected by his creator “and responsible for everything negative that ensues” while Gollum was treated harshly by Sam and Frodo and his “moment of redemption is lost, forcing him back into negative behaviour.” 

“How we treat people has an influence on how they behave and how they will perform. We will keep seeing poor behaviours,” said Barker. 

“The biggest problem in infosec is not the users,” she said. Barker added that companies should “not reject good in the pursuit of great” and “take encouragement from improvement.” Speaking to SC later, she cited Proofpoint research which, while pointing to a change of tactics, indicated that social media lures were improving. 

“The word ‘users’ has very negative associations, and normally when you talk about users you're talking about someone who uses something in a negative way,” she said, citing drugs and prostitution. “It's unhelpful.” 
