Security By Design Shouldn’t be Like Groundhog Day

The exploits and attacks of the past year have shown that security needs to be treated as a commodity in an organization: just as there is coffee in the break room, there should be security in your processes. A culture of security needs to be built into the design process itself, and today it is as important as both marketing and sales. We’ve seen major breaches this year destroy organizations’ reputations, revenue streams and careers. Equifax, for example, lost close to 4 billion dollars in market value after its breach, and, even more worrying, 143 million people lost their privacy. We need to treat security as the glue between our business processes, not only to keep them profitable but to protect the sensitive data we’re working with and the users who rely on us to protect it.

The future of security sometimes feels like we’re living in the Bill Murray movie “Groundhog Day”. We wake up every day fighting the same thing, and nothing really changes long term. There are small changes to our day, but overall we’re still putting out the same fires. In Groundhog Day, Bill Murray wakes up every day doing the same thing and eventually has to break out of this maddening pattern. His character describes his existence as, “It’s the same thing every day, Clean up your room, stand up straight, pick up your feet, take it like a man, be nice to your sister, don’t mix beer and wine ever, Oh yeah, don’t drive on the railroad tracks.” The future of our security programs shouldn’t be a dull existence where we expect to deal with the same issues every day without making significant progress. It should be one of constant progress, each step built on the building blocks of your program.

In my opinion the future of security starts with getting back to the basics. We need to take a step back and evaluate the threats of today and how they’re occurring. If we review how the majority of attacks are actually carried out, we’ll notice the basics not being done well. We’ll see vulnerability and patch management lacking to the extent that we’re literally giving attackers free shots at our systems. We’ll also notice a lack of security awareness training that is actually fun or interesting for users, instead of the same droning PowerPoint dragging on about what you shouldn’t be doing. And we’ll see that proper segmentation, logging of critical alerts, two-factor authentication and encryption of sessions and data are still not consistently done. We can’t move into the future of security without doing the fundamentals of the past. Before we start getting into the technologies and vendors that assist with detecting and preventing attacks, we need to instill fundamental security concepts into our programs first. It’s like going to school and failing calculus because you’ve never taken algebra. You’re going to have holes in your program if you don’t do the basics first, and that is a great example of why the New York State Department of Financial Services released its 23 NYCRR 500 regulation: to establish a minimum level of security through its requirements.

With this being said, new technologies are being developed that make these fundamentals easier to achieve. With the increase of artificial intelligence in security systems (yes, I know this is the buzzword of the industry right now), we’re seeing big data used to baseline behavior within our networks. This allows us to catch issues we might not have been able to detect in the past. The industry is saturated with vendors touting this now, and I don’t think it’s going to stop anytime soon. I also personally feel it’s part of the future of the security industry, whether we like the buzzwords or not. It’s a maturing area of technology and one I think we’ll see great growth in. Another area we need to focus on within security is orchestration and automation, to increase our ability to defend against attackers. This means our systems becoming aware of each other and integrating into each other’s processes (via APIs). This is a design feature we should look for when building an architecture or evaluating new systems. Being able to alert, detect, prevent and recover from an incident in an automated fashion is something I think the industry will also be moving towards, and one we should consider when building security into our organizations after we’ve completed the fundamentals.
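To make the baselining idea above concrete, here is an added example that is not code from the original post or from any vendor product. It learns, per user, which source /24 networks and hours of day are normal and how many failed logins a typical day produces, then scores later events against that baseline. The log format (one event per line: ISO-8601 UTC timestamp, user, source IP, success or failure), the user names, the IP addresses and every sample line are constructed for illustration; the /24 granularity and the 3-sigma-plus-floor threshold are design choices, not standards.

```python
"""Behavioural baselining over authentication events (added example, not from the post).

Log format, users, addresses and sample lines are all constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_network
import statistics

# Constructed learning window: three routine days for two users.
BASELINE_LOG = """\
2017-10-02T08:52:10Z alice 10.1.4.22 success
2017-10-02T09:03:44Z bob 10.1.4.31 success
2017-10-03T08:54:01Z alice 10.1.4.22 failure
2017-10-03T08:54:20Z alice 10.1.4.22 success
2017-10-03T09:01:12Z bob 10.1.4.31 success
2017-10-04T08:49:55Z alice 10.1.4.22 success
2017-10-04T09:00:58Z bob 10.1.4.31 failure
2017-10-04T09:01:15Z bob 10.1.4.31 success
"""

# Constructed detection window: a new source and hour for alice, a burst of
# failures for bob, and an account that never appeared in the baseline.
NEW_LOG = """\
2017-10-09T03:12:40Z alice 203.0.113.7 success
2017-10-09T09:01:02Z bob 10.1.4.31 failure
2017-10-09T09:01:09Z bob 10.1.4.31 failure
2017-10-09T09:01:15Z bob 10.1.4.31 failure
2017-10-09T09:01:22Z bob 10.1.4.31 failure
2017-10-09T09:03:50Z bob 10.1.4.31 success
2017-10-09T02:00:00Z svc_backup 10.1.4.50 success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool


@dataclass
class Baseline:
    subnets: set = field(default_factory=set)   # /24s seen on successful logins
    hours: set = field(default_factory=set)     # UTC hours seen on successful logins
    daily_failures: list = field(default_factory=list)  # failures per baseline day


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, result = parts
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, src, result == "success"))
    return events


def subnet(ip):
    """Coarsen a source address to its /24 so DHCP churn inside an office does not alert."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baselines(events):
    """Per-user normal subnets and hours, plus a zero-filled failures-per-day series."""
    baselines = defaultdict(Baseline)
    failures = defaultdict(Counter)
    days = sorted({e.ts.date() for e in events})
    for e in events:
        if e.ok:
            baselines[e.user].subnets.add(subnet(e.src))
            baselines[e.user].hours.add(e.ts.hour)
        else:
            baselines[e.user]  # make sure users with only failures still get a baseline
            failures[e.user][e.ts.date()] += 1
    for user, b in baselines.items():
        b.daily_failures = [failures[user][d] for d in days]  # quiet days count as 0
    return dict(baselines)


def detect(baselines, events, sigma=3.0, min_excess=3):
    """Score events against the baseline; returns (user, kind, detail) alerts."""
    alerts, failures = [], defaultdict(Counter)
    for e in events:
        b = baselines.get(e.user)
        if b is None:
            alerts.append((e.user, "unknown-user", "no baseline for this account"))
            continue
        if e.ok:
            if subnet(e.src) not in b.subnets:
                alerts.append((e.user, "new-subnet", subnet(e.src)))
            if e.ts.hour not in b.hours:
                alerts.append((e.user, "off-hours", f"{e.ts.hour:02d}:00 UTC"))
        else:
            failures[e.user][e.ts.date()] += 1
    for user, per_day in failures.items():
        hist = baselines[user].daily_failures
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        # A quiet baseline has sd near 0, which would turn a single typo into an
        # alert; the min_excess floor keeps the bar above a couple of mistakes.
        threshold = max(mean + sigma * sd, mean + min_excess)
        for day, n in per_day.items():
            if n > threshold:
                alerts.append((user, "failure-spike",
                               f"{n} failures on {day} (threshold {threshold:.1f})"))
    return alerts


def run():
    return detect(build_baselines(parse_log(BASELINE_LOG)), parse_log(NEW_LOG))


if __name__ == "__main__":
    for user, kind, detail in run():
        print(f"{user:<11} {kind:<14} {detail}")
```

Running it yields four alerts: alice from a new /24 and at an unseen hour, bob’s failure burst, and the never-seen svc_backup account; bob’s eventual success from his usual subnet at his usual hour is correctly silent. The point a practitioner should take from it is that the baseline is only as good as the learning window: a short or already-compromised window teaches the detector that the attacker is normal, which is why the fundamentals (clean logs, known accounts) have to come first.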

Recently we’ve seen attackers take advantage of vulnerable systems in the NotPetya and Equifax incidents, but we’ve also seen the security community come together and collaborate to keep threats like Mirai and WireX from propagating further. We need to put security first not only to protect our revenues, but to protect our sensitive data. A K-12 school district had the names and addresses of all its students released to the internet, which not only puts those children’s privacy at risk but could put them physically in harm’s way. It’s not always about money when these breaches occur; it’s about the privacy of the users being lost.

It’s our responsibility to protect this data, and the future of cybersecurity isn’t a “magic box” that’s going to fix all your issues. It’s bringing awareness, following the fundamentals and growing your program with advanced technology after the basics have been completed. We need to change our mindset now, build security in as part of our DNA and stop chasing silver bullets. As Bill Murray said in Groundhog Day, “I’m not going to live by their rules anymore,” and we should follow his example by building in security today and stopping the perpetual data breaches we see on a daily basis.


Matthew Pascucci

Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate, Security Blogger, and is the Cybersecurity Practice Manager at CCSI. He holds multiple information security certificates and has had the opportunity to write and speak about cybersecurity for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@ccsinet.com.

The post Security By Design Shouldn’t be Like Groundhog Day appeared first on CCSI.

This is a Security Bloggers Network syndicated blog post authored by Matthew Pascucci. Read the original post at: CCSI