Despite the ever-increasing expertise in cyber security, the number of serious hacks is not decreasing. How did this happen? And what choices do you make as a company to deal with that reality?
The cyber landscape is changing, but this should not surprise anyone. This is evidenced by a round table discussion conducted by HP Wolf Security. Ed Amoroso, CEO of Tag Cyber, Deneen DeFiore, CISO at United Airlines, Kurt John, Chief Cyber Security Officer at Siemens USA, Joanna Burkey, CISO for HP Inc., and Dr. Ian Pratt shared their insights on a variety of topics in a digital conversation.
“Why do we keep getting hacked?” Amoroso raises a central question. “We are putting so much money, time and people into the problem, why don’t we solve it?” Experts agree that complexity plays a role on both sides.
Complexity and Inheritance
On the one hand, there is the complexity of the organizations themselves. Companies grow and become more complex, but they also carry their history with them. “Many security problems have legacy roots,” Pratt says. “The tools were born in the 1980s, when security was not a priority. They guarantee a nearly infinite supply of vulnerabilities.”
Legacy guarantees an almost infinite supply of vulnerabilities.
From his role at Siemens, John is closer to the OT side of the security story. He confirms what Pratt says. “Machines are made to last sometimes half a century. The life cycle of software is very short. Now that infrastructure is being modernized through digitization, there is a risk involved.”
Pratt: “Luckily, junk is usually cleaned up faster than it is made new. It will be decades before infrastructure is replaced everywhere by new devices with a security-first approach.”
On the other hand, you should not underestimate cyber criminals. They too are evolving towards more complexity. “We sometimes forget that threat actors have successful enterprises,” says John. “They are people with a business instinct who are mainly there for the money. They divide the profits, collaborate and deploy their specializations as a service, by analogy with legitimate companies.”
Pratt: “Criminal organizations also invest in R&D. They don’t spend time exploiting things better and focusing on one company, but rather look for weaknesses that affect multiple organizations at the same time.” He is referring to Log4j and Kaseya.
Burkey notes the same thing: “Previously, attackers attacked a single victim in a one-to-one ratio. Today, attackers look for what hundreds or even thousands of victims have in common. That’s how they can do the same thing with many more victims.”
Resilient but not immune
All experts in the panel agree that in the current landscape it is virtually impossible to rule out incidents. It is therefore important to choose the right focus. “We are talking about a shift from cybersecurity to cyber resilience,” says DeFiore. “The organization must remain operational no matter what happens in the cyber landscape. Crisis management must therefore be ingrained. You have to be able to respond to an attack without bringing the company to a halt.”
We speak of a shift from cybersecurity to cyber resilience. Deneen DeFiore, CISO United Airlines
John also thinks it’s important to look at what’s really critical within a company. “Those are the assets you need to focus more closely on.” In the current climate, a successful attack should no longer come as a surprise, but you must have a plan in place.
Of course, this does not mean that the battle is lost and that you simply have to accept that an attacker will sooner or later find a way in. You can do a lot. “There are a lot of vulnerabilities,” Pratt says. According to him, there is no way to protect yourself against each of them individually. “You have to look for solutions that can tackle the whole class of problems. If you cover the hazards in the whole category, it doesn’t matter that new variations emerge.”
There are some basic principles that, according to Pratt, have stood the test of time and can be expected to provide a good foundation for building secure systems. One such important principle is that of least privilege. “Reduce the access rights of a person or application to what is strictly necessary.” The entire panel noted that attacks still often have a human component: someone is persuaded to execute a file or click on a link, and from there the hacker keeps working. By not giving unnecessary access to accounts, you make it difficult for an attacker to do too much damage.
Another important principle is process separation. “Put things in a container. If something goes wrong, the infection will not spread. Sooner or later something will go wrong, but that way you limit the impact.” Pratt considers these two techniques timeless, and finds them suitable both for new systems and for retrofitting old ones.
In short, everyone confirms that one hundred percent protection does not exist, but based on the right principles, you can go a long way. “IT security should become part of the corporate culture,” Burkey says. She notes that the conversation in this regard is becoming more mature. “It’s more about the business. Cyber security is becoming part of good business management.”
What about transparency?
Furthermore, you should not merely hope that a successful break-in will never happen; you must ensure that such a break-in is quickly detected within your company. Then it is a matter of having a good response ready that resolves the threat without affecting the core activities.
Finally, what about transparency? There the CISOs suddenly speak a different language. No one on the panel is a big fan of disclosure. Here we notice that we have a thoroughly American panel in front of us. Although all participants find it important to learn from each other, they all have a reason ready that explains why reporting hacks is a bad idea. John believes that too much transparency can give the competition an advantage. DeFiore believes it is important to have a clear business outcome when it comes to external communication, and Burkey recommends being creative about what disclosure means. “Is it always useful to share something?” she wonders.
In Europe, this issue is now a non-discussion: if personal data is involved, you as a company must report a hack. This is determined by the GDPR. However, the tone of the CISOs suggests that minds are not yet ready for too much transparency about cyber security in large enterprises. This creates a vicious circle in which hacking itself remains a taboo. Why are we still getting hacked? Maybe partly because we’re too afraid to communicate transparently about the hack.