For IT professionals, the security landscape is constantly changing, with new threats regularly cropping up and new ways of combating cybercrime trying to keep up.
Yesterday, cyber security expert G. Mark Hardy delivered a morning keynote address at Sector 2013, a conference on all things information security-related in Toronto. The conference ran from Oct. 8 to Oct. 9, with a training day on Oct. 7.
As the founder and president of National Security Corp., Hardy gave conference attendees a snapshot of where cybersecurity stands today. Here are three tips from his talk, geared towards today’s security professional.
1. Be aware that threats can come from any quarter.
Many of the big, headline-grabbing threats come from the People’s Republic of China, Hardy said during his keynote address to Sector attendees. Organizations like China’s APT1 work slowly, often attacking victims and stealing data for months before they’re noticed. APT1’s longest project lasted four years, 10 months, he added.
But not every hacker is as sophisticated and organized as APT1. There are still plenty of hackers on local soil who are less equipped, but who can still access your databases if you leave them open, Hardy said. This garden-variety hacker has had the benefit of a whole industry around “hacking as a service.” There are even Skype discussions and chat rooms open to those who want to learn to mount attacks, he said.
Hardy recounted the story of the time he went to buy office supplies at a store, with a young employee helping him move his packages to his car. The employee asked him what he did for a living, and he told him about his position in security. The employee then responded by saying he’d dabbled in hacking as a member of Anonymous, and had since moved on to other things.
It just goes to show how widespread the potential for hacking has become, Hardy said.
“The battlefield out there is pretty much the entire Internet,” he said. “Your system … can suffer even if you don’t have a dog in the fight because you just happen to be there.”
2. It’s your job to inform upper management of security risks, and communicate them well. But if executives aren’t listening to you, it’s time to update your CV and move on.
Sometimes, it can be a frustrating task to try to tell the CEO why something should or should not be done, especially if he or she is not technical and does not believe security is a high priority.
But as frustrating as it may be, it is still your task to do that, Hardy said.
“The core responsibility of an IT security professional is to ensure management makes informed, risk-based decisions. By communicating the security posture in terms management understands, in a way that’s actionable from a business perspective, you fulfil the purpose of protecting the enterprise,” he said.
“It is the security professional’s responsibility to bridge the communication gap, not the other way round, because otherwise you end up with a lot of finger-pointing.”
For example, if your CEO wants to allow all of your organization’s employees to bring their own devices without constraint, it may not be the most prudent thing to say no. A flat refusal often prompts people to either ignore you or to rebel, Hardy said.
But if you clearly say it’s OK to bring personal devices into the office, set limits on those devices and explain why those limits are there, people will be less likely to brush the rules aside. They will also be better educated on cyber security, he added.
However, if you’ve done your job and management still hasn’t gotten the message, it may be time to find another place of employment, Hardy said. It doesn’t take much to go from Chief Security Officer to “Chief Scapegoat Officer.”
3. If you’re an IT professional working in a small to mid-sized business (SMB), you’re an attractive target.
While it may seem almost counter-intuitive that SMBs would be a lure for hackers, many SMBs don’t do enough to secure their data or the data of their customers. That makes them an easy grab for hackers looking to make off with contact lists or credit card numbers.
A major part of the problem is that SMBs’ IT departments often don’t have as many people or resources as larger organizations. So what SMBs should do is ensure they’re protecting their most vital assets, Hardy said in an interview.
“Know what is to be defended. Identify what your expected threats are, and what their capabilities are,” he said.
“It’s the intersection of the threat and the vulnerability that represents risk. And as a result, to manage your risk, you have to understand both. If you don’t know what you need to protect, or if you don’t know how it’s exposed, or you don’t know what your most likely threats are, it’s very unlikely you’ll be able to be effective in protecting your enterprise.”
Beyond understanding what’s most valuable within your SMB, it’s important to use industry best practices. He listed sans.org as a good resource for cybersecurity programs and training.