The ever-evolving world of cyber security
By Edwin Yapp May 19, 2017
- The cyber security challenge today isn’t merely about tools and technology
- 2016 was the year of ransomware and things are only going to get worse in the coming years
SECURITY, the saying goes, is only as strong as its weakest link. But as cliché as this may sound, this is perhaps the challenge confronting most, if not all, enterprises today. For years now, enterprise security has been treated as somewhat of a ‘necessary evil,’ a must do because business demands it. The direct impact of this is that security becomes an afterthought, relegated to a ‘nice-to-have’ position.
More damning is the fact that many enterprises’ security needs are not holistically designed and well planned for. When companies need to protect sales workforce laptops, they look at end-point solutions to do so. When this same workforce goes mobile, companies will need to add on mobile device management software to manage mobile security.
Each of these devices also needs to have secure authentication and thus, different identity management solutions come into play. And to ensure that no one can break into corporate databases, companies will also need to deploy firewalls, intrusion protection systems (IPS) and other associated technologies.
The world however has changed. The cyber security challenge today isn’t merely about tools and technology but about people, processes and the need to approach the entire issue holistically throughout the whole organisation.
Cyber security is about ensuring not only that technology works but that people and processes are aligned with an organisation’s overall security strategy, and that everyone that has to do with that organisation knows how to respond to threats and breaches, according to a panel of experts.
Speaking at the Dimension Data Technology Summit, Neville Burdan, general manager for security, Dimension Data Asia Pacific, said that while security breaches are to be expected in the modern enterprise today, companies still need to be proactive on how to manage the risks, operational issues and potential fallouts as a result of those breaches.
“It’s important to make your company a student of the industry,” he said during a panel session on cyber security at the conference. “We need to bring security out, behind the dark room it’s in [where people don’t know what’s going on] into the mainstream and educate users.
Organised by Dimension Data Malaysia and held on April 12, 2017 in Kuala Lumpur, the Dimension Data Technology Summit was attended by over 150 IT professionals and key decision makers in the Malaysian enterprise world.
Moderated by Edwin Yapp, co-founder and contributing editor to technology portal Digital News Asia, the one-day conference was themed Digital Destruction, Do or Die, where various digital themes such as digitisation, cloud computing and the Internet of Things (IoT) and cyber security were explored in detail.
Concurring with Burdan was Michael Sladin, channel director for Symantec, who said that while spending on cyber security is increasing today, it remains a real challenge and threat to organisations.
Sladin said a lot of attack vectors today are pivoting from merely going after firewalls towards socially targeting users – through methods such as spear phishing – in order to hijack their credentials as a convenient way to get into their corporate environment.
“It’s still an issue and I believe it’s about alignment of business to risk and it’s about assessing your risk posture,” when asked what can be done to mitigate such risks.
“I think customers need to prioritise and understand their key information assets, where that lives, who should have access to these assets. It should be about how that data should be protected and where it gets protected, he explained. “So it’s a matter of spending in the right place, it’s a matter of applying principles in the right places.
Sladin said, for example, an organisation needs to identify what its most sensitive data is and should a user need to access this data, it would need to step up the authentication of that user to beyond using passwords, to say, a two-factor authentication process.
“So it’s based on the users and the sensitivity of the data and that’s where I say the focus needs to be,” he added.
When asked how this issue of holistic cyber security should be addressed in the wider context of cyber security for the masses, head of industry and business development for CyberSecurity Malaysia (CSM) Anwer Yusoff, said that it’s all about education.
Noting that even people who are technology savvy can be duped into clicking a malicious link, Anwer questioned what more can be expected of the grandmothers and grandfathers of the world – those who aren’t savvy at all?
“Like once upon a time in the kampungs (villages) when there was no running water and easily accessible toilets, we had to educate people about hygiene,” he shared. “It’s the same today. We need to educate your people on ‘cyber hygiene,’ so that the wider public knows what to do to in the event a malicious link is sent to them.
Conceding that it’s probably more of a social issue per se rather than just a technological one, Anwer said the issue of cyber security affects everyone, and thus everyone should be educated.
Trends such as spear phishing, where a specific key executive is targeted by being sent a seemingly trusted link that is designed to release a malicious malware when clicked, has been a worldwide phenomenon for some time now.
But these kinds of attack vectors however have worsened over the last few years due to the alarming emergence of ransomware, noted security specialist CheckPoint Software Technologies.
According to its head of threat prevention for Asia, Bruce Chai, ransomware – where a malicious software is activated after being a target of phishing and where the software code effectively holds a user's device or server hostage until a ‘ransom’ fee is paid – is a growing threat that will not abate any time soon.
“2016 was the year of ransomware and things are only going to get worse in the coming years,” he said.
Chai said that in today’s world, it’s fairly common that people routinely and frequently get emails from all kinds of unknown people other than trusted sources.
“Try imagining this scenario: It’s end of the quarter and sales people need to meet their targets. Someone sends them a document that could possibly lead them to achieve their targets. What would they do? Would they not open this link?
“Or how about when human resources sends you a link to which you need to respond or suffer the fate of not getting your annual leave or bonus paid out? Would anyone not click the link? But how do you know if the link is safe to click?”
Chai said it’s not possible to manually verify every email one receives from unknown or even known sources and this is where technology must come into play. CheckPoint, he said, has solutions to specifically detect and sanitise the attachment before users open them.
“So you get a clean copy and you can be sure it’s safe to open and then you can decide later if you want to keep the original copy or not. This is proactive prevention versus the old technology of detection,” he declared.
Chai however acknowledged that technology per se isn’t the only answer. Concurring with CSM’s Anwer, there need to be company-wide educational programmes to help everyone in the company know how to respond to cyber security threats.
“Every time a threat happens, users must be primed to know how to respond,” Anwer stressed.
Dimension Data’s Burdan agreed and added, “We need a multi-denomination approach. We need the education and we need to make sure that as many entry points are plugged so that breaches can be minimised.
“You’ll also need to assess where there may be data leakages, look at employing data protection, encryption, infrastructure firewalls. You should be questioning yourself: Can I mitigate through policy and can I train my people to know how to respond, or do I need to put technology to act on it.”
Governance, risks, compliance
Another major issue the panel discussed was cloud security and how it interacts with governance, risks and compliance (GRC). As the world moves more into the cloud, are there best practices by which they could follow?
Symantec’s Sladin said the first step in cloud security is understanding the current state of cloud usage today.
“Who’s using what, what’s being deployed, how strong is the encryption tech of the technology you’re using. These are some key questions,” he said.
Secondly, Sladin said users need to understand what their data value is to them, the relevancy of the information they have and getting a view of what users are doing with that information. After that, organisations need to wrap the right security posture and processes around that information, he added.
As far as the government perspective is concerned, CSM’s Anwer said the main issue is around security and where the data resides when going to the cloud, as there is a need to comply with standards such as the Personal Data Protection Act (PDPA).
“You also have to assess to see if your cloud provider has financial viability as CSM had to rush in to our previous cloud provider and take out our servers as they were closing down without us knowing. It’s important to not just look at the technology portion but also the business portion.”
Burdan added that with regard to GRC when implementing cloud, organisations need to apply the same rules as they do when running their own data centres.
“Whether your data is sitting in your own data centre or the cloud, issues – such as what you are auditing, your compliance needs, your data residency rules – are all the same.
“Cloud just introduces another option for you to assess. GRC shouldn’t change for a company whether you’re using cloud or not,” he said.
Chai of CheckPoint said GRC is quite specific to what kind of industry one is in. “So depending on this, you’ll need to consider your options available whether you want to go hybrid or into the public cloud.
At the end of the day, the panelists all agreed that there isn’t one size that fits all as to what works for cyber security.
CSM’s Anwer said despite the risks, organisations, especially smaller ones, should not miss out on what technology has to offer.
“Teach them, get them to be aware, what policies you have in your organisation. Technologies will change, malware will evolve, but people are basically the same. So just manage your people well,” he advises.
Symantec’s Sladin said that the users’ main priority is to do their jobs well and not be bothered about cyber security.
“So understanding your users, your information and planning for possible breaches is the way to go,” he said.
“Prevention is better than cure but tech can only go so far,” said CheckPoint’s Chai. “Education is a very important part of the equation and technology comes in to address the weakest links.
Dimension Data’s Burdan concluded, “We need to take a holistic view of users, look at everything from infrastructural, endpoint and operational points of view and take a hard look at how you can be proactive. “Don’t have a fatalistic view of the world as you’ll need to get out there and become the hunter rather than be hunted.”