More than three billion people use the internet. Some are connecting with their smartphone and others on laptops. Regardless of the device, we are constantly sending personal information up into the cloud. Bank accounts, social security numbers, location history, contact information — you name it — are all being transmitted to companies and platforms alike. Cybersecurity is more important than ever.
Consider the latest investigation into how much data major platforms store. Dylan Curran, an IT consultant, looked into how much data was being collected on him by Facebook and Google. The result: over 5GB of downloadable data from Google and around 600mb of data from Facebook. Looking beyond the creep factor, do we trust these platforms to keep all of this data safe?
As we’ve seen from the #DeleteFacebook movement, trust is a differentiating factor in products. Corporations not only have to be transparent about what data they collect, but also how that data is secured. Just look at Equifax for an example of how lapses in cybersecurity can put millions of customers at risk and destroy a company.
A reasonable amount of fear and skepticism is healthy when using platforms and applications. However, becoming a digital hermit is no solution. The same technologies that are responsible for the great innovations of our time are also responsible for a growing vulnerability to cyberattacks. As things become more connected, they become more valuable for the consumer. At the same time, they become more complex and more vulnerable.
Looking forward, what can we do?
We have a responsibility to improve cybersecurity practices at both a personal and enterprise level. The issue is not just an ethical one — corporations have a financial incentive to make sure that consumer information (in addition to corporate information) remains secure and protected. Data breaches impact consumer confidence.
According to Juniper Research, “The average cost of a data breach in 2020 will exceed $150 million by 2020, as more business infrastructure gets connected.” Attacks are not only becoming costlier, they’re also becoming more frequent. According to a recent IBM report, 94 percent of C-Suite respondents “believe it’s probable their companies will experience a significant cybersecurity incident in the next two years.” Findings from an A.T. Kearney survey echo this sentiment: “85 percent of [executives] of the belief that cyber attacks will become more frequent and costly.” And 71 percent of C-Suite respondents to a BAE Systems survey cited cybersecurity as their most significant business challenge.
With the increased volume and severity of attacks, corporations are compelled to face this problem head on.
The Need for Cybersecurity Awareness
Despite the severity of the problem, many decision makers know little about cybersecurity:
“70% of business executives—not 70% of CTOs, CSOs, CIOs—but 70% of business executives in general, in any industry, have made a cybersecurity decision for their company despite the fact that no major MBA program teaches it as part of your normal business management training and responsibility.” – “Cybersecurity and Cyberwar: What Everyone Needs to Know.” Peter Warren Singer, Feb. 2014
“91% of non-executive directors at the highly vulnerable companies cannot read a cybersecurity report, preventing them from asking the right questions and validating the data that technical leadership provides.” – “Bridging the Accountability Gap: Why We Need to Adopt a Culture of Responsibility.” Orion Hindawi, Apr. 2016
“2 out of 5 respondents across non-executive directors, C-level, and CIO/CISO-level respondents who admitted they don’t feel responsible for the repercussions of a cyberattack, it’s easy to see why the Accountability Gap is growing.” – “Bridging the Accountability Gap: Why We Need to Adopt a Culture of Responsibility.” Orion Hindawi, Apr. 2016
Resource: How much do you know about cybersecurity?
- “Cybersecurity Knowledge Quiz.” Pew Research Center
Not My Job
Who’s responsible for cybersecurity? The Board? The CEO? The CSO? The CISO? The IT department? Company managers?
In the HBR article, “Is Anyone Really Responsible for Your Company’s Data Security?” Joel Brenner puts it eloquently: “Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But while each of these silo chieftains — the general counsel, the HR director, the chief operations officer, and the IT director — owns a piece of the problem, some of them don’t know it, and none of them owns the whole thing.”
We make the case that everyone is responsible. For security to play the foundational role it must in order to be effective, it needs to have champions across and within every department, not just IT. While the IT department certainly has some control over security practices across the company, rarely do cyberbreaches originate from a hole in a firewall or breakdown of similar safeguards.
“only 28% of critical breaches are due to inadequate technology — 72% of critical breaches are due to organizational, process and people failures.”
“Building a Cyberresilient Organization.” Stefan Deutscher, Walter Bohmayr and Alex Asen, Jan. 2017
(That being said, when a company suffers a breach, the spotlight generally falls on the tech.)
If you leave this article remembering only one thing, it should be that cybersecurity silos need to be dismantled and responsibility should be spread company-wide. Alright, maybe another thing we want to leave you with above all others: use non-SMS two-factor authentication and a password manager.
How this primer is organized:
This guide is meant to provide a foundation for decision makers and employees on the security issues surrounding the platforms we use and the products we make. For ease of reference, this piece is broken up into the following sections:
- Significant Cyberattacks of the 21st Century → To provide context for cybersecurity analysis, it’s important to look at some of the major attacks that have been at the forefront of media coverage.
- Attacker Characteristics → Attacks can truly come from anywhere. Any misguided assumption of threat origin impedes an organization’s ability to prepare for an attack.
- Targeted Industries → Understand the characteristics that make an organization attractive to cyberattackers.
- Common Types of Cyberattacks → Cyberattacks come in many shapes and sizes. Despite the ever-evolving variants of attacks, the methods can generally be distilled down to nine different mechanisms.
- Vulnerabilities → The first step in combating cyberattacks is awareness. This section illuminates vulnerable areas in your firm’s security and your personal security.
- Prevention → A look at the people, process, and technology solutions that can be implemented to prevent attacks.
- Response → Given the ubiquity of cyberattacks, firms must assume a breach will occur. This section goes over considerations for responding to an attack.
Significant Cyberattacks of the 21st Century
“97% of Fortune 500 companies know that they’ve been hacked. And the other 3% have been, too, they just aren’t willing to admit it to themselves.”
“Cybersecurity and Cyberwar: What Everyone Needs to Know.” Peter Warren Singer, Feb. 2014
Data breaches that end up in the media spotlight are a small fraction of total breaches. A quick web search finds that companies that are commonly seen as impenetrable (Google, Amazon, Apple, etc.) have all been breached (and these are only the few that have been reported).
To provide context for cybersecurity analysis, it’s important to look at some of the major attacks (according to Taylor Armerding in a September 2017 assessment) that have been at the forefront of media coverage.
- (organization not named)
  - Date: 2013-14
  - Impact: 1.5 billion user accounts
  - Method: unknown/undisclosed
- Adult Friend Finder
  - Date: Oct. 2016
  - Impact: > 412.2 million user accounts
  - Method: Local File Inclusion vulnerability exploited
- (organization not named)
  - Date: May 2014
  - Impact: 145 million users compromised
  - Method: stolen corporate employee credentials
- Heartland Payment Systems
  - Date: Mar. 2008
  - Impact: 134 million credit cards exposed
  - Method: SQL injection to install spyware on Heartland’s data systems
- Target Stores
  - Date: Dec. 2013
  - Impact: credit/debit card information and/or contact information of up to 110 million people compromised
  - Method: hackers had gained access through a third-party HVAC vendor to its point-of-sale (POS) payment card readers
- TJX Companies, Inc.
  - Date: Dec. 2006
  - Impact: 94 million credit cards exposed
  - Method: weak data encryption or in-store job application kiosks exploited
- JP Morgan Chase
  - Date: Jul. 2014
  - Impact: 76 million households and seven million small businesses
  - Method: hackers gained “root” privileges on more than 90 of the bank’s servers
- US Office of Personnel Management
  - Date: 2012-14
  - Impact: personal information of 22 million current and former federal employees
  - Method: hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until Mar. 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.
- Sony’s PlayStation Network
  - Date: Apr. 20, 2011
  - Impact: 77 million PlayStation Network accounts hacked, with estimated losses of $171 million while the site was down for a month
- (organization not named)
  - Date: Feb. 2015
  - Impact: theft of personal information on up to 78.8 million current and former customers
  - Method: phishing attack
- RSA Security
  - Date: Mar. 2011
  - Impact: possibly 40 million employee records stolen
  - Method: phishing attack
- (organization not named)
  - Date: sometime in 2010, but origins date to 2005
  - Impact: meant to attack Iran’s nuclear power program, but also served as a template for real-world intrusion and service disruption of power grids, water supplies, or public transportation systems
  - Method: malware
- (organization not named)
  - Date: throughout 2010
  - Impact: undisclosed information stolen
  - Method: undisclosed
- Home Depot
  - Date: Sept. 2014
  - Impact: theft of credit/debit card information of 56 million customers
  - Method: POS systems targeted with malware
- (organization not named)
  - Date: Oct. 2013
  - Impact: 38 million user records
This is just the tip of the iceberg. The breaches outlined above are bad, but they have been surpassed in severity by one of the most recent breaches — the Equifax breach.
In September of 2017, Equifax reported a breach that affected 143 million U.S. consumers. While this breach was not the largest, it is one of the most severe attacks due to the depth of personal information compromised. As reported in Ars Technica, “By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.”
How does a breach of this size happen? To understand the situation, we start by understanding the attackers.
Resource: Major Cyberattacks in Recent History
- Cyber Attacks on U.S. Companies in 2016: List of major cyberattacks reported in 2016 complete with impact and cause. (2014 List, 2015 List)
- World’s Biggest Data Breaches: A regularly updated visualization of the world’s biggest data breaches and descriptions for most. Can be sorted by organization type and method of leak.
Understanding the Attacker
Who are they?
Attacks can come from two distinct groups: insiders or outsiders. The chart below illustrates this dichotomy.
“Q&A. What Motivates Cyber-Attackers?” Chen Han and Rituja Dongre, Oct. 2014
Despite the commonly held image of external hacker teams in hoodies, research suggests that the majority of attacks originate from the “insiders” group.
“Most Cyber Attacks Are An Inside Job.” Martin Armstrong, Jun. 2016
Within the insiders’ category, there are three basic groups:
“i) disgruntled employees, who may launch retaliatory attacks or threaten the safety of internal systems
ii) financially motivated insiders, who may misuse company assets or manipulate the system for personal gain (although some insiders may be acting on ethical grounds or for other reasons);
iii) unintentional insiders, who may unwittingly facilitate outside attacks, but are not strictly speaking primary attackers.”
“Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners.” Jason Andress and Steve Winterfeld, 2011
However, this representation doesn’t provide the whole picture. A closer look shows a huge variance of attack origin based on industry sectors.
“IBM X-Force Threat Intelligence Index 2017.” IBM, 2017
Attacks can truly come from anywhere. Any misguided assumption of threat origin, whether internal or external, impedes an organization’s ability to prepare for an attack. For more insights on threat origins from cybersecurity experts, explore the following resource:
Resource: Expert Perspectives on Threat Origin
- Insider vs. Outsider Data Security Threats: What’s the Greater Risk?: 47 data security experts compare the risks of insider threats vs. outsider threats via Digital Guardian.
What are their motivations?
“The single greatest motivator for cyberattacks in today’s world is, arguably, profit.” – “Know Your Enemy: Understanding the Motivation Behind Cyberattacks.” Lyndon Sutherland, Mar. 2016
In the U.S., there has been a lot of recent news about purported espionage and foreign meddling in our elections. These stories make it easy to overlook the fact that the majority of attacks are cybercrimes for the sake of profit.
“2016 Cyber Attacks Statistics.” Paolo Passeri, Jan. 2017
However, deeper motivations may be more nuanced. Despite being focused on monetary gain, attacks aren’t always orchestrated and premeditated. Many attacks are not some sort of powerhouse attack but rather an attacker exploiting a simple vulnerability. As described in an IBM Information Security report:
“Many intrusion attempts are executed by attackers who are operating opportunistically, to exploit “doors left unlocked.” These are still remarkably common and they can make life easy for criminals: they include basic security lapses caused by lack of discipline and poor adherence to process controls, as well as system misconfigurations that can remain unrecognized and uncorrected for an extended time” – “The challenge of digital security.” IBM Information Security, Jul. 2014
Resource: Motivations Underlying Cybercriminal Attacks
- In order to understand the full spectrum of attacks and vulnerabilities, these motivations are useful to explore. In “Know Your Cyber Enemy” IBM provides a detailed look at common cybercriminal motivations (profit, politics or social justice, patriotic or ideological motives, sabotage, extortion, ego or vanity, revenge). This is a great resource to reference when performing an audit of your security capabilities.
Targeted Industries
“95 percent of breached records came from three industries in 2016: Government, retail, and technology.” – “Forrester: What can we learn from a disastrous year of hacks and breaches?” Brandon Vigliarolo, Jan. 2017
Given the common cybersecurity motivations (profit combined with opportunity), the most affected industries are not surprising. According to the United Midwest Security Alliance, the following industries provide both opportunities for cyberattacks in addition to financial incentives:
- “Financial institutions
  - Financial institutions and banks are particularly vulnerable to cyber attacks and data breaches because hackers can gain access to credit card information, bank account information, etc., and this can result in money takeovers.
- Hospitals
  - In general, hospitals are some of the most vulnerable institutions because of general lack of necessary funding. Additionally, medical facilities can be seen by attackers as cyber goldmines with a hodgepodge of outdated systems and understaffed employees with little cyber training. Additionally, if attacked, hospitals generally have more of an incentive to quickly pay cybercriminals so they can get back to the data held hostage by ransomware. Especially, when dealing with people’s lives and their medical data.
- Schools and universities
  - What makes academic institutions vulnerable is their lack of general cybersecurity measures. One study by Tinfoil Security tested the networks of 557 state universities with a cross-site scripting (XSS) attack. The results found that a whopping 25% of universities were vulnerable. Also, schools tend to keep most of their information publicly available, specifically about the people they employ, with online access to email addresses and this makes schools prime targets for phishing schemes.
- Retailers
  - Retailers collecting and protecting data through a variety of sources, from point of sale machines to tap to pay terminals, can prove to be quite challenging. The massive amount of data to protect across multiple endpoints is no easy task. Additionally, card data collected at the time of purchase is often fed into vulnerable analytic systems used by marketers to track customer buying habits.”
Source: Mission & Vision, United Midwest Security Alliance, Mar. 2017
These industries share a few key characteristics: they house high-value customer data, they have many different consumer touchpoints, they have complex and interweaving offerings, and they often allocate budgets to key value-creating activities.
To further understand targeted industries, refer to the IBM X-Force Threat Intelligence Index 2017: an in-depth look into five industries (financial services, information and communications, manufacturing, retail, and healthcare) that reveals major trends and vulnerabilities. These industries are all vulnerable to SQLi and OS CMDi attacks, which is a huge opportunity for cybercriminals.
Common Types of Cyberattacks
Cyberattacks come in many shapes and sizes. Despite the ever-evolving variants of attacks, the methods can generally be distilled down to nine different mechanisms. According to the MITRE Corporation’s “Common Attack Pattern Enumeration and Classification” (sponsored by the U.S. Department of Homeland Security), the nine general mechanisms are:
- Collect and analyze information: Attack patterns within this category focus on the gathering, collection, and theft of information by an adversary. These are often used in preparation for another type of attack.
- Inject unexpected items: Attack patterns within this category focus on the ability to control or disrupt the behavior of a target, either through crafted data submitted via an interface for data input or the installation and execution of malicious code on the target system.
- Engage in deceptive interactions: Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive and convince the target that it is interacting with some other principal – and then to drive actions based on the level of trust that exists between the target and the other principal.
- Manipulate timing and state: An attacker exploits weakness in timing or state, maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes.
- Abuse existing functionality: An adversary uses or manipulates one or more functions of an application in order to achieve a malicious objective – one not originally intended by the application – or to deplete a resource to the point that the target’s functionality is affected.
- Employ probabilistic techniques: An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold.
- Subvert access control: An attacker actively targets exploitation of weaknesses, limitations, and assumptions in the mechanisms a target utilizes to manage identity and authentication, as well as manage access to its resources or authorize functionality.
- Manipulate data structures: Attack patterns in this category manipulate and exploit characteristics of system data structures in order to violate the intended usage and protections of these structures.
- Manipulate system resources: Attack patterns within this category focus on the adversary’s ability to manipulate one or more resources in order to achieve a desired outcome.
Source: CAPEC CATEGORY: Collect and Analyze Information, CAPEC Content Team, Jan. 2017
The following resources provide more examples of different types of attacks.
Resources: Overviews of Common Attacks
- IBM X-Force Threat Intelligence Index 2017: The 2017 IBM X-Force Threat Intelligence Index chronicles 2016 data breaches, attack vectors, targeted industries, and perpetrators.
- NopSec – The Top Cyber Security Threats of 2017: This report outlines five of the biggest cyberthreats that NopSec expects to see in 2017: nation-state cyberattacks, ransomware, DDoS attacks, the Internet of Things, social engineering, and human error.
- Common Threats to be Aware of: The Government of Canada’s overview of common security threats relevant to individual users and firms.
- Microsoft – Common Types of Network Attacks: Brief overview of the most common type of network attacks.
- Open Web Application Security Project – Top 10 Mobile Risks
- Open Web Application Security Project – Top 10 Web Risks
Attacks tend to come in bursts; they also follow trends. The figure from the IBM X-Force Threat Intelligence Index 2017, below, illustrates the more common types of attacks and their frequencies. Note the burst of misconfiguration exploitations in mid-2015 — every disclosed attack can act as a canary in a coal mine and firms should prepare accordingly.
The attacks described above (misconfiguration, SQLi) can be confusing and hard to follow. Their solutions can be even more wordy. The following resources can help you navigate the dense jargon surrounding cybersecurity.
Resources: Understanding Cybersecurity Jargon
- The Motherboard e-Glossary of Cyber Terms and Hacking Lingo
- National Initiative for Cybersecurity Careers and Studies Glossary: The NICCS glossary contains key cybersecurity terms that enable clear communication and a common understanding of cybersecurity definitions.
- From Antivirus to Zero-Day Attack: A Cybersecurity Glossary outlines 35 of the top cybersecurity terms of which you should be aware.
- Hacker Lexicon: WIRED’s explainer series seeks to demystify the jargon of information security, surveillance, and privacy.
Vulnerabilities
“No company’s cyberdefenses, no matter how well constructed and maintained, are 100% impenetrable” – “Building a Cyberresilient Organization.” Stefan Deutscher, Walter Bohmayr and Alex Asen, Jan. 2017
The first step in combating cyberattacks is awareness. The next sections will illuminate vulnerable areas in your firm’s security and your personal security. Please note: these are only examples used to create a mindset of awareness that can be applied to your specific circumstances.
Domains of Attack
As illustrated above, the majority of cybercriminals are opportunistic and attack where corporations are vulnerable. These vulnerabilities don’t exist solely in the digital world – there are vulnerabilities in the physical world, as well. Looking at the CAPEC framework referenced earlier, there are six “domains” in which attacks take place:
- Social engineering: Attack patterns within this category focus on the manipulation and exploitation of people.
- Supply chain: Attack patterns within this category focus on the disruption of the supply chain lifecycle by manipulating computer system hardware, software or services for the purpose of espionage, theft of critical data or technology, or the disruption of mission-critical operations or infrastructure.
- Communications: Attack patterns within this category focus on the exploitation of communications and related protocols.
- Software: Attack patterns within this category focus on the exploitation of software applications. The techniques defined by each pattern are used to exploit weaknesses in the application’s design or implementation in an attempt to achieve a desired negative technical impact.
- Physical security: Attack patterns within this category focus on physical security. The techniques defined by each pattern are used to exploit weaknesses in the physical security of a system in an attempt to achieve a desired negative technical impact.
- Hardware: Attack patterns within this category focus on the exploitation of the physical hardware used in computing systems.
Source: CAPEC VIEW: Domains of Attack, CAPEC Content Team, Jun. 2014
If any “domain” within a corporation is insecure, it will likely become a target for a cyberattack. Many companies take the approach of throwing technology at their vulnerabilities, but the truth is that only 28 percent of critical breaches are due to inadequate technology — 72 percent of critical breaches are due to organizational, process, and people failures (which will be addressed in the next piece, “Prevention”).
Source: “Building a Cyberresilient Organization.” Stefan Deutscher, Walter Bohmayr and Alex Asen, Jan. 2017
As companies integrate new technologies and increase consumer choice, infrastructure will become inherently more complex. A more complex system provides a host of opportunities for cybercriminals to exploit.
“To give a sense for the range of access points a retailer must identify and secure, at a minimum these will likely include:
- Point-of-sale (POS) terminals in stores
- Mobile POS access points
- Customer-facing e-commerce websites
- Links with each third-party vendor, supply-chain vendor, ecosystem partner and contractor
- Employee-facing access points — including those that may utilize employee-owned mobile devices — and the social workplace
- Links to connected data centers via the cloud
- Links to financial institutions and payment processors
- Links to managed service providers
- Links to delivery services
- Links to all other contractors who are provided with network access
- B2B, intranet and extranet portals
- In-store wireless routers, kiosks and networks
- The expanding “Internet of Things”: IP-based printers, IP-linked surveillance cameras and similar devices”
Source: The challenge of digital security, IBM Sales and Distribution, Jul. 2014
These vulnerabilities affect retailers disproportionately. Take Target, for example. The company recently settled the case regarding their 2014 data breach. The investigation, which ended with an $18.5 million Target settlement (in addition to around $200 million in legal fees), concluded that “attackers had stolen credentials from a third-party vendor that they used to access a customer database.” This wasn’t from a point-of-sale system breach or from malware.
The breadth of vulnerabilities a retailer has to keep track of is intimidating, and the exposure to risk will only increase:
“The retail industry’s inherent exposure to security risk is increasing steadily, for many reasons. Most obvious is the vastly increased pervasiveness of network connectivity, as more and more sensitive information is held on networked and distributed systems that are accessible to a widening array of entry points.
“The broad adoption of mobile applications by retailers adds many other new points of vulnerability. Enterprise applications and data must, in some cases, be made accessible to employee-owned mobile devices.
“Then add today’s complex supply chains, where more access and data is given to vendors and external partners, and where global expansion may require retailers to expand distribution of their own information around the world.”
Source: “The challenge of digital security.” IBM Sales and Distribution, Jul. 2014
We will outline possible solutions to system complexity in the “Prevention” section.
Internet of Things
The internet of things is one of the most exciting modern innovations. However, the sheer number of connected devices leads to many problems when it comes to cybersecurity.
A sample of connected device predictions:
- 2010, IBM: “A world of 1 trillion connected devices” by 2015.
- 2011, Ericsson’s CEO Hans Vestberg: “50 billion connected devices” by 2020.
- 2013, Cisco: “50 billion things will be connected to the internet by 2020.”
- 2013, ABI Research report: “30 billion” by 2020.
- 2013, Morgan Stanley report: “75 billion devices connected to the IoT” by 2020.
- 2014, an Intel infographic: “31 billion devices connected to internet” by 2020.
- 2014, ABI Research updated report: “41 billion active wireless connected devices” by 2020.
- 2015, Gartner Research: “4.9 billion connected things in use in 2015 … and will reach 20.8 billion by 2020.”
Source: Reality Check: 50B IoT devices connected by 2020 – beyond the hype and into reality, Syed Zaeem Hosain, Jun. 2016
Regardless of the prediction used, the message is clear: the already substantial number of connected devices is continuing to rise. Each additional device represents a potential vulnerability, and with each additional device, the impact of an attack is increased due to network effects.
“70 Percent of Internet of Things Devices Vulnerable to Attack. IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries.”
But vulnerabilities extend far beyond the sheer number of these devices. Each connected device has its own operating system. Unlike personal devices, updates and patches on these connected devices aren’t nearly as visible. The result: “hundreds of millions of devices that have been sitting on the Internet, unpatched and insecure, for the last five to ten years.” (“The internet of things is wildly insecure — and often unpatchable.” Bruce Schneier, Jan. 2014)
For now, it may seem like unpatched devices are not a priority, but let’s be clear – more activities are moving to connected devices every day. Voice commerce is expected to be a $40 billion market by 2022. As IoT encroaches on sensitive data, peripheral connected home devices need to be secured.
Complex software design and organizational process frameworks have been created to deal with this problem. The complexity and technicality of these approaches can be alienating to some; nevertheless, here are some resources with which to start.
Resources: Standard Frameworks
- NIST Cybersecurity Framework
- ISO 27001/27002
- RFC 2196
- Information Security Forum Standard of Good Practice
- Common Criteria for Information Technology Security Evaluation
- GRC Red Book
While technically sound and thorough, these frameworks only speak to a small group within a corporation. As previously mentioned, cybersecurity is largely a people issue.
“When you’re in the boardroom, maybe the most important question you’d be asking is: Have you trained your employees on how to address the most common cyber threats?” – a16z Podcast: Cybersecurity in the Boardroom vs. the Situation Room.” David Damato, Herb Lin, Matt Spence and Sonal Chokshi, Jun. 2017
People are what make companies great — and cybersecurity is no different. According to a survey by Netwrix, “100% of government IT workers said employees are biggest threat to cybersecurity.” So how can this vulnerability be addressed? With basic training that closes the gap in general cybersecurity knowledge.
Source: What the Public Knows About Cybersecurity, Kenneth Olmstead and Aaron Smith, Mar. 2017
If that isn’t enough of a scare, check out highlights from the 2017 Dell End-User Security Survey:
- “Three in four employees say they would share sensitive, confidential or regulated company information under certain circumstances for a wide range of reasons including:
  - Being directed to do so by management (43 percent)
  - Sharing with a person authorized to receive it (37 percent)
  - Determining that the risk to their company is very low and the potential benefit of sharing information is high (23 percent)
  - Feeling it will help them do their job more effectively (22 percent)
  - Feeling it will help the recipient do their job more effectively (13 percent)
  - Four in five employees in financial services (81 percent) would share confidential information, and employees in education (75 percent), healthcare (68 percent) and federal government (68 percent) are also open to disclosing confidential or regulated data at alarmingly high rates.”
- “Forty-five percent of employees admit to engaging in unsafe behaviors throughout the work day
  - These behaviors include connecting to public Wi-Fi to access confidential information (46 percent), using personal email accounts for work (49 percent), or losing a company-issued device (17 percent)
  - One in three employees (35 percent) say it is common to take corporate information with them when leaving a company
  - Employees take on unnecessary risk when storing and sharing their work, with 56 percent using public cloud services such as Dropbox, Google Drive, iCloud and others to share or backup their work
  - Forty-five percent of employees will use email to share confidential files with third-party vendors or consultants”
- “Nearly two in three employees (65 percent) feel it is their responsibility to protect confidential information, including educating themselves on possible risks and behaving in a way that protects their company
  - Thirty-six percent of employees feel very confident in their knowledge of how to protect sensitive company information
  - Twenty-one percent feel it is difficult to keep up with changing security guidelines and policies, and 22 percent say they are worried that someday they will do something by mistake and cause damage to their company
  - Nearly two in three (63 percent) employees are required to complete cybersecurity training on protecting sensitive data. However, of those who received cybersecurity training, 18 percent still conducted unsafe behavior without realizing what they were doing was wrong, whereas 24 percent conducted unsafe behavior anyway in order to complete a task”
Cybersecurity awareness should be a priority for the modern corporation. However, corporations can’t just throw an educational course at their employees and consider it done. A culture of security must be created from the top down.
“Cybersecurity education needs to be an integral part of the workplace culture. It must be built around a practical, ongoing dialog in which employees are empowered and incentivized to speak up when they’re unsure about the implications of a decision. Cybersecurity education doesn’t mean hosting a one-time course or seminar; it means making security a collaborative, continuous cultural initiative.” – Dell End-User Security Survey Highlights Unsafe Data Security Practices in the Workplace, Dell, Apr. 2017
Characteristics of Effective Cybersecurity Training
“Most people look at the cyber training video like they do the airline safety video when you board your flight. And you’re like ‘Well I fly 1000 miles a year – I know there’s an airbag, I know about the window seat’ and you just ignore it.” – a16z Podcast: Cybersecurity in the Boardroom vs. the Situation Room, David Damato, Herb Lin, Matt Spence and Sonal Chokshi, Jun. 2017
As with any corporate training program, one of the hardest problems revolves around getting employees to care.
“An annual 90-minute refresher video is unlikely to be the most effective way to reiterate the importance of data protection. Might it be more effective to call in the experts and target phishing attacks on individuals or whole departments? Shock tactics quickly demonstrate to employees that cybercrime happens quickly and without warning. And that’s surely a more effective training tool than another video.” – Cybersecurity. Who’s actually responsible?, NTT Security, 2016
The quote above highlights one unique aspect of cybersecurity training: the shock value also changes practices and behaviors in the personal lives of employees. Hearing about the multitude of vulnerabilities can ignite change in the employee’s own cyber hygiene, which is beneficial for all parties. But how does one design a cybersecurity training program?
We’ve collected existing models to help jumpstart this process.
Resources: Cybersecurity Training Guidelines and Frameworks
- Designing and Developing an Effective Security Awareness and Training Program
- The Components of Top Security Awareness Programs
- Game of Threats: An example of gamification of cybersecurity education.
- Creating a Culture of Awareness
- National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
For smaller firms without the budget or time for custom training offerings, there are a few free open-source options that provide basic cybersecurity training.
Resources: Free, Open Source Cybersecurity Training Programs
- SANS Cyber Aces Online Courses: SANS Cyber Aces Online makes available free online courses from the professional development curriculum offered by The SANS Institute, the global leader in cybersecurity training.
- Cybrary.it: Open-source option for cybersecurity learning. Free for everyone, forever.
- Open Security Training – External Resources: Slightly out of date but a great repository of open-source classes.
“Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021. Cybercrime will more than triple the number of job openings over the next 5 years.” – Our Team, Steve Morgan
There is a severe shortage of cybersecurity talent. The reason is clear: the severity and publicity of recent attacks are driving corporations to scramble for new talent to support their security efforts.
Resource: Addressing the Talent Shortage
Suggestions from article:
- “Re-examine your workforce strategy: Do you know what skills you need today and tomorrow to run a successful security program? Realize that skills and experience can come from a variety of places, and adjust your hiring efforts accordingly.
- Improve your engagement and outreach: Don’t limit yourself to the same old career fairs and recruiting programs of yesteryear. Get involved in community colleges, P-TECH schools, and other educational programs to start building your recruiting base.
- Build a local cybersecurity ecosystem: Connect with government organizations, educational institutions, and other groups. Sponsor Capture the Flag security events, and work with local middle and high schools to generate interest in the field. These groups are always looking for willing experts and mentors.
- Have a robust support program for new hires: Mentorships, rotational assignments, shadowing, and other opportunities help new cybersecurity hires gain experience and learn. Remember, not everyone knows what they want to do right away. Keep new hires engaged by giving them the creative freedom to work on different projects and explore new technologies and services.
- Focus on continuous learning and upskilling: To retain your new talent, keep employees current on the latest skill sets through classes, certifications, and conferences. Cybersecurity is a highly dynamic field, requiring ongoing education and exploration. And be open to employees from other areas of your business who express interest in cybersecurity career paths. Remember that AI provides employees with more intelligence and contextual recommendations at a speed and scale previously unimagined, so upskilling your workforce is a completely different ballgame these days.”
In addition, outside of specific cybersecurity talent, firms should look for hires that are digitally literate. For more on the hiring process, read our article “Hiring for Innovation.”
“We continue to focus on [cyber security] things that are sexy, right? It’s things like hygiene that are the issue. Basic solutions are things like better security for IoT devices, network segmentation, preventing things from being accessible from the internet — these are not complex topics…. You get into these board rooms and these topics are overly complex… Board members are very high-level; they’re simply interested in what’s happening in the news [Russia, China]… To be honest with you, that’s something that’s not typically helpful. That’s a distraction from the real conversation.” – a16z Podcast: Cybersecurity in the Boardroom vs. the Situation Room, David Damato, Herb Lin, Matt Spence and Sonal Chokshi, Jun. 2017
The importance of simple cybersecurity hygiene cannot be emphasized enough. These tasks are neither groundbreaking nor complex. They are so often overlooked and underestimated that they have become a national policy issue: bills have been introduced in both the House and the Senate to “provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology.” The Senate bill lists:
- Multi-factor authentication
- Data loss prevention
- Data encryption
- Cloud services
- Software patching and maintenance;
- Phishing education; and
- Other standard cybersecurity measures to achieve trusted security in the infrastructure.
Source: S.1475 – Promoting Good Cyber Hygiene Act of 2017, U.S. Congress, Jun. 2017
Resources: Frameworks for Cyber Hygiene
- Technology Checklists for Businesses: National Cyber Security Alliance’s basic checklist for businesses, along with cyber hygiene best practices.
- Cyber Hygiene: 11 Essential Practices: 11 practices from Carnegie Mellon’s Software Engineering Institute.
Beyond a culture of security and proper training, firms need security technology in place. Every technology solution has a place, and implementation should be tailored to firm structure, industry, product type and so on. We won’t be making any technology recommendations in this section; we instead aim to increase awareness of the tools available.
Classifications of external security solutions:
- Advanced persistent threat detection/prevention
- Content security appliances (web and email filtering, and anti-spam)
- Data loss prevention
- Digital forensics
- Encryption/credit card tokenization
- Governance risk and compliance products
- Identity management and access management (IDAM)
- Log/security event monitoring (SIEM)
- Managed security services (MSSP)
- Network access control (NAC)
- Secure code development
- Vulnerability management/assessment
See Lawrence Pingree’s “Security Vendor Shortlist” for further classification as well as vendors within each segment.
Resource: Understand the Range of Technology Offerings
Mindmap of Security Technologies and Markets: Lawrence Pingree has put together a visualization of information security technologies and markets. Spend some time absorbing how complex this segment is.
Pingree’s mind map puts the scope of technology into perspective. Many companies won’t be able to implement every single piece of technology into their security program. Companies need to do an analysis of their most valuable assets and compare the costs of securing those assets. The Gordon-Loeb model for cybersecurity is a great tool to use when determining cybersecurity budgets:
“Based on the model, it is shown that the amount a firm spends to protect information should generally be only a small fraction of the expected loss resulting from an information security (cybersecurity) breach. More specifically, the model shows that it is generally uneconomical to invest in information security activities more than 37 percent (37%) of the expected loss that would occur from a security breach. The model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability.” – ACES Faculty Member Interviewed by ActiveCyber, Larry Gordon and Chris Daly, Mar. 2016
When calculating any cybersecurity investment, it’s important to understand vulnerable assets and their values. We’ve collected resources to aid in the risk assessment process.
Resources: Risk Assessment
- Infosec – Risk Management Concepts: Risk management concepts based on the Certified Information Systems Security Professional (CISSP) certification. Four main goals of risk analysis:
- Identify assets and their values.
- Identify vulnerabilities and threats.
- Quantify the probability and business impact of these potential threats.
- Provide an economic balance between the impact of the threat and the cost of the countermeasure.
- Skillset.com – Risk Assessment: Also based on the CISSP certification, Skillset.com offers a clear video explanation of the process.
- Smith Business School – Gordon-Loeb Model for Cybersecurity Investments: Larry Gordon explains the Gordon-Loeb model for cybersecurity investment in an easy to understand video. “The fundamental principle underlying the Gordon-Loeb model is that, when making cybersecurity investments, the benefits should outweigh the costs.”
- Lawrence A. Gordon, Martin P. Loeb, Lei Zhou – Investing in Cybersecurity: Insights from the Gordon-Loeb Model (Advanced): In depth analysis of the Gordon-Loeb model directly from its creators.
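As an added worked example (our own, not code from the article or from any of the resources above), the following Python applies the four risk-analysis goals listed under the Infosec resource and the Gordon-Loeb bound quoted earlier to a handful of invented assets. The asset values, exposure factors and annual rates of occurrence are made up, and the Gordon-Loeb part assumes the class-I breach-probability function S(z, v) = v/(αz+1)^β from the Gordon-Loeb paper with arbitrarily chosen α and β; it then checks that the resulting optimal spend stays under the 1/e (about 37%) ceiling.

```python
import math

# Constructed inventory: (name, asset value, exposure factor, annual rate of
# occurrence). Exposure factor is the fraction of value lost per incident;
# ARO is the expected number of incidents per year. All numbers are invented.
ASSETS = [
    ("customer database", 2_000_000, 0.50, 0.20),
    ("payment gateway",   5_000_000, 0.25, 0.10),
    ("marketing site",      100_000, 1.00, 1.00),
]

def single_loss_expectancy(value, exposure_factor):
    return value * exposure_factor

def annualized_loss_expectancy(value, exposure_factor, aro):
    # Goal 3: probability (ARO) times business impact (SLE).
    return single_loss_expectancy(value, exposure_factor) * aro

def rank_assets(assets):
    # Goals 1 and 2 produce the inventory; this orders it by expected annual loss
    # so the most valuable-to-protect assets come first.
    ranked = [(name, annualized_loss_expectancy(v, ef, aro)) for name, v, ef, aro in assets]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def control_net_benefit(ale_before, ale_after, annual_control_cost):
    # Goal 4: a countermeasure pays for itself only if the ALE it removes
    # exceeds what it costs to run each year. Negative means do not buy it.
    return (ale_before - ale_after) - annual_control_cost

# Gordon-Loeb, class-I breach probability function (assumed parameterization):
#   S(z, v) = v / (alpha*z + 1)**beta
# v = probability of breach with no extra spend, z = extra spend, L = loss.
def breach_probability(z, v, alpha, beta):
    return v / (alpha * z + 1) ** beta

def expected_net_benefit(z, v, L, alpha, beta):
    # Expected loss avoided by spending z, minus z itself.
    return (v - breach_probability(z, v, alpha, beta)) * L - z

def gordon_loeb_optimal(v, L, alpha, beta):
    # Setting the derivative of expected_net_benefit to zero gives this closed
    # form; it is clipped at zero because if even the first dollar does not
    # pay for itself the rational spend is nothing.
    z = ((v * L * alpha * beta) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(0.0, z)

def gordon_loeb_cap(v, L):
    # The 1/e (about 37%) ceiling quoted above: the optimal spend never
    # exceeds this fraction of the expected loss v*L.
    return v * L / math.e

if __name__ == "__main__":
    for name, ale in rank_assets(ASSETS):
        print(f"{name:18s} ALE = {ale:>12,.0f}")
    v, L, alpha, beta = 0.5, 1_000_000, 1e-5, 1.0
    z_star = gordon_loeb_optimal(v, L, alpha, beta)
    print(f"Gordon-Loeb optimal spend {z_star:,.0f}, cap {gordon_loeb_cap(v, L):,.0f}")
```

The interesting check is the last one: with the assumed parameters the optimal spend is about 124,000 against an expected loss of 500,000, comfortably under the 184,000 cap, and spending up to the cap actually yields a lower net benefit than spending the optimum.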
Security by Design
The solutions outlined above mostly deal with security tools that act as infrastructure. On the other side of the coin, product managers and software engineers must build security into their systems. After all, the most secure systems are those with security in mind from the start.
The basic principles of security by design originate from the Jerome H. Saltzer and Michael D. Schroeder’s 1975 work, “The Protection of Information in Computer Systems.”
- Economy of mechanism: Keep the design as simple and small as possible.
- Fail-safe defaults: Base access decisions on permission rather than exclusion.
- Complete mediation: Every access to every object must be checked for authority.
- Open design: The design should not be secret.
- Separation of privilege: It’s safer if it takes two parties to agree to launch a missile than it is if just one can do it.
- Least privilege: Operation with the minimal set of powers needed to get the job done.
- Least-common mechanism: Minimize subsystems shared between or relied upon by mutually distrusting users.
- Psychological acceptability: Design systems for ease of use.
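To show what four of these principles look like in code, here is an added example (ours, not from Saltzer and Schroeder, Wagner or the article): a fail-open deny-list check beside its fail-safe allow-list replacement, a role that carries only the permissions its job needs (least privilege), a gateway that re-checks authority on every call instead of caching a decision (complete mediation), and a two-person rule for destructive actions (separation of privilege). The roles, permissions and user names are invented.

```python
from dataclasses import dataclass, field

# Constructed policy: roles and the actions each is explicitly granted.
# Least privilege: "analyst" carries only what an analyst's job needs.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "admin": {"reports:read", "reports:delete", "users:write"},
}

# Counter-example: a deny-list check. It is fail-open: any action the author
# did not think to block (say, a newly added "reports:export") is allowed, and
# so is any role the author did not anticipate.
BLOCKED_FOR_ANALYSTS = {"reports:delete", "users:write"}

def is_allowed_deny_list(role, action):
    if role == "analyst" and action in BLOCKED_FOR_ANALYSTS:
        return False
    return True

def is_allowed(role, action):
    # Fail-safe default: deny unless the (role, action) pair is explicitly
    # granted. Unknown roles and not-yet-listed actions are denied.
    return action in ROLE_PERMISSIONS.get(role, set())

@dataclass
class Session:
    user: str
    role: str

@dataclass
class Gateway:
    # Actions that need a second, distinct approver (separation of privilege).
    two_person_actions: set = field(default_factory=lambda: {"reports:delete"})
    audit: list = field(default_factory=list)

    def perform(self, session, action, approver=None):
        # Complete mediation: authority is re-checked on every call rather than
        # cached at login, so a role change or revocation takes effect at once.
        if not is_allowed(session.role, action):
            return self._log("DENY", session.user, action, "not permitted")
        if action in self.two_person_actions:
            if approver is None:
                return self._log("DENY", session.user, action, "needs approver")
            if approver.user == session.user:
                return self._log("DENY", session.user, action, "self-approval")
            if not is_allowed(approver.role, action):
                return self._log("DENY", session.user, action, "approver lacks right")
        return self._log("ALLOW", session.user, action, "")

    def _log(self, verdict, user, action, reason):
        self.audit.append((verdict, user, action, reason))
        return verdict == "ALLOW"

def demo():
    """Exercise the gateway; returns the audit trail so the outcome can be inspected."""
    gw = Gateway()
    analyst = Session("alice", "analyst")
    admin1 = Session("bob", "admin")
    admin2 = Session("carol", "admin")
    gw.perform(analyst, "reports:read")                      # ALLOW
    gw.perform(analyst, "reports:delete")                    # DENY: not permitted
    gw.perform(admin1, "reports:delete")                     # DENY: needs approver
    gw.perform(admin1, "reports:delete", approver=admin1)    # DENY: self-approval
    gw.perform(admin1, "reports:delete", approver=analyst)   # DENY: approver lacks right
    gw.perform(admin1, "reports:delete", approver=admin2)    # ALLOW
    return gw.audit

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The deny-list version is the one that quietly fails when the product grows: the day someone ships a "reports:export" feature, analysts can use it without anyone having decided they should. The allow-list version forces that decision to be made explicitly.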
These guidelines benefit greatly from context. We’ve collected resources for those wanting to explore these principles directly from the experts.
Resource: Revisiting Saltzer and Schroeder
- Design Principles for Security-conscious systems: Berkeley Professor David Wagner provides a more modern look into these eight principles, complete with case studies and critiques.
Further Reading: Security by Design Principles and Guidelines
- Open Web Application Security Project: Security by Design
- Open Web Application Security Project: Software Assurance Maturity Model: A guide to building security into software development.
Any recent security breach provides insight into what you should and shouldn’t do after an attack.
Search Twitter for “Equifax” if you want to see an example of one type of security response. From a PR standpoint, it was a total nightmare. If you’d like to read more about responding to crises from a PR perspective, read “Crisis Management: Best-Practice for PR Response.” From a technical standpoint, response is a surgical operation.
“In addition to spending money to prevent attacks, companies must have the mindset that breaches are inevitable.” – Companies ‘must see cyber attacks as inevitable’, Hayley Richardson, Feb. 2015
The reality of cybersecurity is that no matter how protected a company is, a breach is likely to occur at one point or another. And after a breach, a company needs to focus on minimizing damage.
“While many intrusion attempts will be defeated, the prudent approach is to assume that barrier walls can never be high enough. The questions then become, ‘How quickly can we identify and counter each successful entry?’ and ‘Will we be able spot intruders immediately, before harm is done, or only much later, after a disastrous disruption or loss of data?’” – The challenge of digital security, IBM Sales and Distribution, Jul. 2014
Damage control favors modularity. Returning to the Target example, attackers were able to access consumer data via a third-party vendor. Retailers like Target, as we’ve previously discussed, have a seemingly endless number of touchpoints an attacker could use. Each of these points should have its own moat, separating it from valuable and sensitive consumer data. Companies using this approach will be able to quarantine breaches to fringe touchpoints, greatly reducing damage.
But how does a company detect these attacks in the first place?
Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is what the affected organizations choose to make public. Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general.
Access point and data-specific safeguards notwithstanding, companies should expect that intruders will breach their systems. For that reason, analytics must be in place to watch for patterns that could indicate an intruder in the system and to issue alerts so counter-actions can be taken quickly.
According to Larry Ponemon, founder of the Ponemon Institute, “Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. Over the years, detection and escalation costs in our research have increased. This suggests investments are being made in technologies and in-house expertise to reduce the time to detect and contain a threat.”
The following resources introduce methods to detect attacks early:
- Detecting and Mitigating Cyber Threats and Attacks: This course from the University of Colorado looks at detection and mitigation of threats and attack vectors and discusses how to use tools and principles to protect information.
- Active Breach Detection: The Next-Generation Security Technology?: This SANS Institute whitepaper introduces “active breach detection,” a tool that can be used to improve the response time when faced with a breach.
- Key Indicators of Compromise: This whitepaper investigates different indicators of data breaches and determines that corporate logons are the most important indicator of a breach. (Note: IS Decisions is a security software vendor)
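To make the “watch for patterns” advice above concrete, here is an added example (our own, not code from the article or from IS Decisions) that runs three simple logon-based detections over constructed authentication log lines: a burst of failures followed by a success, a successful logon during quiet hours, and one account active on two hosts within a short window. The log format, the five-failures-in-ten-minutes threshold, the five-minute concurrent-host window and the 00:00 to 05:59 UTC quiet hours are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log. The line format is assumed for this example.
SAMPLE_LOG = """\
2017-06-12T02:14:07Z user=jdoe host=ws-117 src=10.0.5.23 result=FAIL
2017-06-12T02:14:09Z user=jdoe host=ws-117 src=10.0.5.23 result=FAIL
2017-06-12T02:14:11Z user=jdoe host=ws-117 src=10.0.5.23 result=FAIL
2017-06-12T02:14:13Z user=jdoe host=ws-117 src=10.0.5.23 result=FAIL
2017-06-12T02:14:15Z user=jdoe host=ws-117 src=10.0.5.23 result=FAIL
2017-06-12T02:14:20Z user=jdoe host=ws-117 src=10.0.5.23 result=SUCCESS
2017-06-12T09:01:00Z user=asmith host=ws-042 src=10.0.7.8 result=SUCCESS
2017-06-12T09:03:30Z user=asmith host=srv-db01 src=10.0.9.40 result=SUCCESS
2017-06-12T09:30:00Z user=bwong host=ws-201 src=10.0.3.4 result=FAIL
2017-06-12T09:30:45Z user=bwong host=ws-201 src=10.0.3.4 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Tuning knobs, all assumed for the example.
FAIL_THRESHOLD = 5                     # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
HOST_WINDOW = timedelta(minutes=5)     # same account on two hosts this close
QUIET_HOURS = range(0, 6)              # 00:00-05:59 UTC treated as off-hours

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                     # malformed lines are skipped, not fatal
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(lines):
    """Return (rule, user, timestamp) alerts for the three logon patterns."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of recent failures
    successes = defaultdict(list)  # user -> (timestamp, host) of recent logons
    for e in events:
        user, ts, host = e["user"], e["ts"], e["host"]
        if e["result"] == "FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            continue
        stamp = ts.isoformat()
        # Rule 1: burst of failures followed by a success (guessing / spraying).
        recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force", user, stamp))
        fails[user].clear()
        # Rule 2: successful logon during quiet hours.
        if ts.hour in QUIET_HOURS:
            alerts.append(("after_hours", user, stamp))
        # Rule 3: same account active on a different host within the window.
        if any(h != host and ts - t <= HOST_WINDOW for t, h in successes[user]):
            alerts.append(("concurrent_hosts", user, stamp))
        successes[user].append((ts, host))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data jdoe trips both the brute-force and after-hours rules, asmith trips the concurrent-hosts rule, and bwong (a single typo before a normal logon) produces nothing, which is the point: thresholds and windows are what keep a rule like this from paging the on-call engineer for every mistyped password.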
Measuring Damage from Attacks
Measuring damage from cyberattacks is difficult. There is no standard for assessing damage, and some affected assets, such as brand reputation, are intangible.
A brief look at damage assessments from the retailer perspective:
- “According to a recent IBM research, data breaches significantly impact consumer confidence. In the case of one major breach, for example, the company saw a 46 percent drop in profit the quarter after the breach occurred.”
- “The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident”
Source: Cyber Security Challenges: How Do Retailers Protect the Bottom Line?, Douglas Bonderud, Jul. 2014
Assessing damage is important for many reasons beyond bookkeeping. Damage assessments help firms plan their cybersecurity investments. Reasonable estimates of the financial cost of security breaches can help organizations make rational investment decisions.
Resources: Measuring the Impact of Data Breaches
- Deloitte – Beneath the surface of a cyberattack: a deeper look at business impacts: A 14-point framework to measure the impact of a cyberattack.
- IBM Data Breach Cost Calculator: An estimation tool based on Ponemon’s annual “Cost of a Data Breach” survey.
Wrapping things up:
We get to be front and center during an exciting and fast-paced time for technology. The more choices we have as consumers, the more vulnerable our data becomes. We can help protect each other’s data by committing to improving our cybersecurity practices — in the context of both our personal and professional lives.
We’ll get there by improving communication around cyber security. If this guide helped you, please share it. If you’ve experienced a breach, please report it.
We’ll leave you with some of the best resources on reporting cyberattacks.
Resources: Information Sharing Hubs
- Arbor Networks Google Attack Map
West Stringfellow spent over 20 years launching products and leading innovation at corporate giants and startups, holding management roles at Target, PayPal, VISA, Rosetta Stone, GraysOnline and Amazon.