Can we manage digital security ourselves, or do we need outside help?

The upsurge in cyber security attacks (both in number and in sophistication) has
caused business leaders to question the adequacy of their in-house capabilities.
Given the nature of this threat, where an assailant will seek out gaps in your
defenses, your capabilities have to cover the entire spectrum of prevention,
detection and reaction. When I was in charge of digital security in a Fortune 100
company, I needed a team of 64 experts to cover the specialist skill areas and the
7×24 nature of the operation.
How many companies can afford the cost of employing 64 people to keep the bad
guys out? These experts are expensive, hard to find, harder to retain, and have to be
carefully vetted because they have privileged access to your family jewels. Maybe
a Fortune 100 company can justify that resource allocation if they operate in an
industry sector where information is key to their business, such as Banking, Energy
or Defense. But a mid-cap company or a small-cap company could never attract
such experts into their employment, even if they could afford the salary bill. The
consequence is that they employ generalists who struggle to keep up with the
rapid increase in sophistication of the attack techniques, and so they are not only
vulnerable to a compromise, but there is a high probability they will never discover
that a compromise has occurred.
So there has to be a better way. Your company could outsource the entire digital
security task to a major IT services company or a major accounting firm, but often
that is not an affordable solution. Or you could go with an inexpensive local shop
without the overhead burden, but probably without the in-depth skills or the
controls or the background screening. One solution to this dilemma is to copy the
technology concept of “server virtualization” and to use “expert team virtualization”,
whereby a third party provides you with a shared resource that changes according
to your immediate needs (say to conduct penetration testing, or to scale up rapidly
to tackle an attack). That approach has the added benefit of leveraging insights from
other client companies in your sector, which an in-house team may not know about.
Smaller companies are now engaging a “Virtual CISO” or a “Virtual Digital Security
Team” as a more affordable option to building & maintaining an in-house capability.

Employee Cyber Security Awareness

You’ve probably seen the news about companies around the world being hacked.
These are companies that have millions of dollars invested in technology and
have top-notch security professionals at the helm. While organizations invest in IT
security infrastructure, many of them neglect the biggest security gap: the user.
As increasing amounts of sensitive information flow across the network, new
platforms are designed to protect that information. However, the best security
technology in the world can’t help you unless employees understand how to
safeguard data and protect company resources. Security Awareness Training is a
critical component in protecting an organization’s most important asset – its data.
Training users to identify and avoid risks and to make good judgements online is a
critical element of cyber security.
The key to leveraging security awareness training to protect your data isn’t just a
one-time blast – it’s a continual learning process.
In general, there are four types of objectives in security and risk management. A loopback
mechanism to assess the Cyber Security Training is another aspect of a comprehensive
Employee Cyber Security Training strategy. Its purpose is to change employee
behaviour, not merely to record attendance. One way to achieve this is to run mock attacks
(for example simulated phishing) and measure the results from time to time. Mock attacks
should be handled with great care and should include communication with the appropriate
management stakeholders and often even the end users. Security officers should select a
mock attack that is relevant to their environment and resembles what cyber criminals
actually send, to get the best evaluation of end-user susceptibility to real attacks.

While security awareness training is one part of a comprehensive information security
program, its effectiveness is somewhat negated by the simple fact that it only takes one
human to click on something bad to jeopardize the entire enterprise.
An organization’s internal or third-party sub-contracted Learning Management System
(LMS) should be used to track the progress of employees’ training sessions, testing
of concepts and answering of knowledge-based questions that help an individual
to retain the information. These efforts should be supported by the managers of the
employees and considered part of an individual’s performance objectives. Having
all departments work together sends a cohesive message to employees
regarding the high importance of security and their role in that effort.
Security Awareness Training Topics must include the following:
1. Physical Security
2. Desktop Security
3. Wireless Networks and Security
4. Password Security
5. Phishing
6. Hoaxes
7. Malware
8. File Sharing and Copyright
9. Cloud Applications

Would you know if a rogue employee stole your data?

I hope you answered “No” to the question, otherwise you could be in for a big
surprise! Let me explain….
Unless you keep your money under the mattress, you trust your bank to keep your
cash safe, right? Of course they no longer keep a pile of notes in a vault, and most
of the transactions consist of bits and bytes. Sometimes crooks get their hands on
your assets, but the banks are good at discovering this and covering any losses.
That’s not too difficult, because it’s pretty obvious that something has gone
missing. Back at the office, you put your valuable information (like trade secrets
or tomorrow’s quarterly results) in your company computer systems, safe in the
knowledge that your servers and networks are managed by trusted professionals
who are loyal employees of your firm. If something went missing, you would know
immediately, wouldn’t you? But that’s the fundamental issue with cyber security –
nothing goes missing, and everything is still exactly as you left it. There is no broken
glass or forced locks, and no evidence of an intrusion, so of course you do nothing.
Meanwhile the thief has copied the data, and can exploit it or sell it without fear of
being discovered.

But they are vetted for that role?
Of course they are vetted. Sometimes by amateurs in your HR department, sometimes
by professionals in third party vetting companies, and sometimes by government
agencies. But it doesn’t really matter, because one-time screening will not find
someone whose allegiance to his employer shifted over a period of time. Could
your company re-screen its employees (and contractors) in these roles several times
a year? I doubt many IT professionals would tolerate that sort of intrusion, and they
would go to work for a more reasonable employer.
So what should we do?
Companies spend far too little on protecting their sensitive data. Typically only 2.5%
of your total IT budget is allocated to digital security. That is barely enough to build
and operate your defence mechanisms, and certainly not enough to implement
proper vigilance for odd behaviour. Best practice calls for a segregation of duties,
where it would take at least two people in a position of trust to perpetrate fraud. The
accounting profession has invested significantly in “Separation of Duties” because
of the understood risks accumulated over hundreds of years of accounting practice.
For example, many corporations found that an unexpectedly high proportion of
their internal control issues came from IT, and so they insisted on SoD for that
aspect of their business. SoD is now becoming the norm in large IT organizations
so that no single person is in a position to introduce fraudulent or malicious code
or data without detection.
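As an added illustration (not from the original article), here is a small Python model of the two SoD controls described above: a toxic-combination check over role assignments, and a two-person release gate in which the author of a change can neither approve nor deploy it. The role names, users and policy table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy table: pairs of roles that one person must never hold together,
# because holding both lets a single individual act and also cover the trace.
TOXIC_PAIRS = {
    frozenset({"developer", "production_deployer"}),       # write code and push it live
    frozenset({"production_deployer", "log_auditor"}),     # act in production and review the audit trail
    frozenset({"payment_initiator", "payment_approver"}),  # classic finance dual control
}


def toxic_combinations(assignments):
    """assignments: user -> set of role names. Returns user -> sorted list of toxic pairs held."""
    found = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= roles)
        if hits:
            found[user] = hits
    return found


@dataclass
class Change:
    change_id: str
    author: str
    approvers: set = field(default_factory=set)   # users who recorded an approval


def release_gate(change, deployer, assignments):
    """Two-person rule for production changes: returns (allowed, reasons).

    At least one approval must come from a change_approver who is not the author,
    and the author may not be the one deploying, so no single person can move
    their own code into production unseen."""
    reasons = []
    independent = {a for a in change.approvers
                   if a != change.author and "change_approver" in assignments.get(a, set())}
    if not independent:
        reasons.append("no approval from a change_approver other than the author")
    if deployer == change.author:
        reasons.append("author may not deploy their own change")
    if "production_deployer" not in assignments.get(deployer, set()):
        reasons.append(f"{deployer} does not hold production_deployer")
    return (not reasons, reasons)


# Constructed sample directory of users and roles.
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"change_approver", "production_deployer"},
    "carol": {"developer", "production_deployer"},   # toxic: can write and ship alone
}


def run_scenarios():
    self_approved = Change("CHG-1", author="alice", approvers={"alice"})
    reviewed = Change("CHG-2", author="alice", approvers={"bob"})
    return {
        "toxic": toxic_combinations(ASSIGNMENTS),
        "alice_ships_own_change": release_gate(self_approved, "alice", ASSIGNMENTS),
        "bob_ships_reviewed_change": release_gate(reviewed, "bob", ASSIGNMENTS),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

In practice the release gate is enforced by the repository's required-review settings and by a deploy pipeline that runs under its own identity, and the audit trail is shipped to a store the deployer cannot edit (which is what the production_deployer/log_auditor pair protects). The gate is only as strong as the identities behind it: shared accounts or an approver who rubber-stamps defeat it, which is why the text pairs SoD with vigilance for odd behaviour rather than relying on either alone.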

The two most common mistakes in cyber security

Based on our “due diligence” work with many companies, here are the two biggest
mistakes we see them making:
Technology creates the problem, so it must be the solution
Most companies look to their IT department to prevent breaches and detect
compromises by using an array of hardware, software and appliances. In reality,
most of the problems are caused by human behavior – innocent mistakes like
sending files to the wrong person, or sharing your password, or loaning your laptop;
malicious actions like fraud; and naïve response to social engineering attacks like
impersonation and identity theft. IT departments mistakenly believe that they
can block these behavioral characteristics by installing digital security products.
Of course we humans are clever enough to circumvent many of these controls,
especially if they get in the way of us doing our job. So while an audit of the technical
architecture can make the IT team look really smart, the same audit of the actual
workflows and processes can highlight lots of work-arounds and security shortcuts.
That’s why a number of companies have changed their governance model to have
the Chief Information Security Officer report to the CFO or the COO, rather than to
the CIO. Technology may have caused the problem, but technology alone will not
solve it.
Our goal is to achieve compliance.
This is the measure of success most used by the company executive committee,
because they lack a deeper understanding of the real risks. They simply want to
be convinced that the company is meeting its statutory and regulatory needs, so
that they cannot be accused of neglecting their duty of care. It’s the same mindset
as buying insurance just to make sure the financial results don’t suffer any nasty
surprises. Compliance tends to consist of a checklist of mitigating actions, with the
inference that if you can tick the box then you are secure. This is a dangerous “illusion
of precision”, because mere compliance with an arbitrary set of regulations is totally
different from security sufficiency, and many compliant companies have big gaps
in coverage elsewhere and so fall woefully short of meeting a lot of common sense
criteria. Our advice is to use a third party to perform an audit of the current state
of your policies, architecture, processes and behaviors; then design a holistic set of
corrective actions; and then implement these actions by prioritizing the protection
of “the vital few” – your family jewels.

Mobile Device Security – A cause of Concern

Mobile has become a cornerstone of the global economy; use of mobile applications
continues to grow rapidly. The concept of there being an app for everything has
only moved further away from being a joke, and closer towards becoming a reality.
Staggering statistics across various reports indicate that mobile apps, fueled by
widespread adoption of mobile devices, are driving a new decade of opportunities
as well as cyber security concerns.
127 billion apps were downloaded for free in 2014, and there were over 11 billion
downloads of paid apps. Free app download volume is projected to grow to 253
billion downloads and paid app download volume is projected to grow to 14.78
billion by 2017.
Android dominated the Mobile Device Market with 85% market share as of Q2
2014, and Google Play worldwide quarterly downloads were about 60% higher
than iOS App Store downloads in Q3 2014.
An analysis by Arxan of the top 100 paid and the top 20 most popular free
apps reveals that a majority have been hacked:
• 97% of top paid Android apps have been hacked
• 87% of top paid iOS apps have been hacked
• 80% of the most popular free Android apps have been hacked
• 75% of the most popular free iOS apps have been hacked
Unfortunately, the numbers aren’t getting better; in fact, for iOS they are
worse than last year. The percentage of the Top 100 paid iOS apps that have been
hacked increased from 56% in 2013 to 87% in 2014, which underlines that the
iOS platform is also very susceptible to hacking threats and attacks. Additionally,
in financial services 95% of Android and 70% of iOS apps have been hacked;
in the retail segment 90% of Android apps and 30% of iOS apps have been hacked;
and in the healthcare category 90% of Android apps were hacked, 22% of
which were FDA approved.

As mobile banking continues to gain widespread adoption, mobile banking
providers should put in place protections that:
• Prevent unauthorized access to mobile banking applications
• Prevent users from lifting sensitive information stored within the mobile app
• Detect when the app is not behaving as designed at runtime – so as to reduce
risk of fraud
Hence organizations should consider mobile app assessments to determine whether
existing apps are exposed to risks that are unique to mobile environments. Also, as part
of the mobile app development lifecycle, organizations should conduct penetration tests
that, among other things, assess vulnerability to the reverse-engineering and tampering
made possible by unprotected binary code.
Tests should explore vulnerability to:
• Application Repackaging
• IP and Data Theft Exposure
• Cryptographic Key Exposure
• Application Tampering
• System Compromise
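An added example, not from the original article or from Arxan, of what the “Application Repackaging” and “Application Tampering” tests above probe for, modelled in Python. An APK is a zip whose META-INF/MANIFEST.MF lists a SHA-256 digest for every entry and whose META-INF/CERT.RSA carries the signer’s certificate; the platform verifies the signature at install time, and an app can additionally pin the SHA-256 fingerprint of the certificate it expects, so that a copy re-signed by someone else fails the check. The package contents, certificate bytes and file names here are constructed stand-ins, and the signature over the manifest (CERT.SF / CERT.RSA) is not modelled, only the digest and fingerprint checks an app can do on itself at runtime.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
CERT = "META-INF/CERT.RSA"


def _digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_package(entries, signer_cert):
    """Build a JAR-style signed zip: MANIFEST.MF carries a SHA-256 digest per entry,
    CERT.RSA stands in for the signer's DER-encoded certificate (constructed bytes)."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\nSHA-256-Digest: {_digest_b64(data)}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(CERT, signer_cert)
    return buf.getvalue()


def patch_entry(package, name, new_data):
    """Naive tampering: overwrite one entry and leave MANIFEST.MF and CERT.RSA untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return buf.getvalue()


def parse_manifest(text):
    digests, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current:
            digests[current] = line[len("SHA-256-Digest: "):]
    return digests


def check_integrity(package, expected_signer_fp):
    """Runtime self-check: every entry must match its manifest digest, and the signer
    certificate's SHA-256 fingerprint must equal the pinned value. Returns findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        digests = parse_manifest(zf.read(MANIFEST).decode())
        for name in sorted(set(zf.namelist()) - {MANIFEST, CERT}):
            if digests.get(name) != _digest_b64(zf.read(name)):
                findings.append(f"tampered or unlisted entry: {name}")
        if hashlib.sha256(zf.read(CERT)).hexdigest() != expected_signer_fp:
            findings.append("signer fingerprint mismatch: package was re-signed")
    return findings


# Constructed sample: the original app, a naive patch, and a full repackage under the attacker's key.
VENDOR_CERT = b"constructed vendor certificate DER bytes"
ATTACKER_CERT = b"constructed attacker certificate DER bytes"
VENDOR_FP = hashlib.sha256(VENDOR_CERT).hexdigest()   # the value the app would hard-code
ENTRIES = {"classes.dex": b"original bytecode (constructed)", "res/layout/login.xml": b"<layout/>"}
CRACKED_DEX = b"bytecode with licence check removed (constructed)"


def run_scenarios():
    genuine = build_package(ENTRIES, VENDOR_CERT)
    tampered = patch_entry(genuine, "classes.dex", CRACKED_DEX)
    repackaged = build_package({**ENTRIES, "classes.dex": CRACKED_DEX}, ATTACKER_CERT)
    return {
        "genuine": check_integrity(genuine, VENDOR_FP),
        "tampered": check_integrity(tampered, VENDOR_FP),
        "repackaged": check_integrity(repackaged, VENDOR_FP),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'OK'}")
```

The naive patch is caught by the digest check, and the properly re-signed repackage passes the digests but fails the pinned fingerprint. Both checks run inside the very binary the attacker controls, so a determined repackager can patch them out as well; they raise the cost rather than settle the question, which is why a pentest should also confirm that the server side does not trust the client’s own word (platform attestation such as Google’s Play Integrity API or Apple’s App Attest, verified on the server, is the stronger signal).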

Modi says World is worried about Cyber security.

Speaking at NASSCOM, Prime Minister Modi said, “Is it not possible for us to create
a foolproof mechanism against cyber threats so that the world can sleep well?”
If a solution to this problem is not found soon, many would stop using internet
technology altogether due to concerns of safety and surveillance. This could create
a huge financial and functional shock for the industry.
Cyber criminals have made spectacular progress in creating penetration mechanisms
that far outstrip most companies’ ability to defend against them. They have moved from
backroom hacking into government-sponsored activities. Their access to money and
resources is far greater than most organizations’ detection budgets. This
has created a widening imbalance between their ability to develop new intrusion
techniques and your cost of defending against them. The cyber criminals are not
burdened by your existing infrastructure, applications portfolio and organizational
complexity. In addition, they are very well organized and focused, while most
corporations still have disjointed solutions that have been built in pieces over time
with very little central organization.

People with malicious intent know that your systems and staff will be overwhelmed by
the sheer volume of alerts from your defense systems, so they set out to bombard your
systems to create an overload of “false positives”. Under that cover they slip in a quiet
implant of the kind associated with an Advanced Persistent Threat (APT). (Strictly, “APT”
names the well-resourced, persistent adversary rather than a single piece of malware,
but the term is widely applied to the tooling as well.) Such implants are extremely
difficult to detect and can sit inside the corporation for years before being activated —
sort of like sleeper cells waiting for orders. Once activated, they have proven to be quite
successful in obtaining sensitive information for years without detection, once again
by exfiltrating your valuable information very slowly and quietly, unnoticed among all
the noise of your normal Internet traffic.
APTs (Advanced Persistent Threats) require a new approach
APTs require much more sophisticated prevention, detection and reaction mechanisms
that can evolve with the threats and learn from their activities to help predict
future behaviours. This is only possible through the use of solutions that can learn
from past and current behaviour and predict future activity. This is the emerging
breed of Artificial Intelligence tools, which can recognize the very weak signals
of malware among all the noise.
The analogy is with your own body. Our internal defense
mechanisms are designed to recognize external threats (like viruses) and defend
against them, and they continue to learn and evolve. A key
component of AI’s capability is anticipating future intrusions. By utilizing the
learnings from past activity trends, AI will evolve into a predictive tool, using all the
power and sophistication of “Big Data” analytics in use today. This is the focus of
much R&D activity in the cybersecurity product companies.
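As an added example (not from the original article and not any vendor’s product), here is a Python detector for the “slow and quiet” exfiltration described two passages above, built the way the last passage suggests: it learns from a baseline window which external destinations each host normally talks to, then in the following window looks for a destination that is new for a host, that the host contacts on most days, and whose transfers stay small enough never to trip a volume alert. The flow log lines are constructed (day, source, destination, bytes out); the addresses come from documentation ranges and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean


def make_sample_log():
    """Constructed flow records, one per host/destination/day: 'YYYY-MM-DD src dst bytes_out'.
    Three hosts pull updates from a CDN every day; after the 14-day baseline, 10.0.0.5 starts
    sending ~40 KB a day to an address nobody else talks to; 10.0.0.9 makes one 2 GB transfer."""
    lines, start = [], date(2015, 3, 1)
    for i in range(24):
        day = (start + timedelta(days=i)).isoformat()
        for host in ("10.0.0.5", "10.0.0.9", "10.0.0.12"):
            lines.append(f"{day} {host} 198.51.100.20 {250000 + 10000 * (i % 5)}")
        if i >= 14:
            lines.append(f"{day} 10.0.0.5 203.0.113.7 {40000 + 300 * (i % 4)}")
    lines.append("2015-03-20 10.0.0.9 192.0.2.50 2000000000")
    return lines


def parse(lines):
    records = []
    for line in lines:
        day, src, dst, nbytes = line.split()
        records.append((day, src, dst, int(nbytes)))
    return records


def detect(lines, baseline_end="2015-03-14", min_active_fraction=0.7, bulk_alert_bytes=500_000_000):
    """Learn the (src, dst) pairs seen up to baseline_end, then score the days after it.
    Returns bulk transfers (what a volume rule already catches) and low-and-slow
    candidates: a pair unknown from the baseline, active on most days, never bulky."""
    records = parse(lines)
    known = {(src, dst) for day, src, dst, _ in records if day <= baseline_end}
    eval_days = {day for day, *_ in records if day > baseline_end}
    daily = defaultdict(lambda: defaultdict(int))   # (src, dst) -> day -> bytes
    bulk = []
    for day, src, dst, n in records:
        if day <= baseline_end:
            continue
        daily[(src, dst)][day] += n
        if n >= bulk_alert_bytes:
            bulk.append((day, src, dst, n))
    talkers = defaultdict(set)                       # dst -> hosts that ever contact it
    for _, src, dst, _ in records:
        talkers[dst].add(src)
    low_and_slow = []
    for (src, dst), per_day in daily.items():
        if (src, dst) in known:
            continue                                  # learned as normal for this host
        if len(per_day) < min_active_fraction * len(eval_days):
            continue                                  # not persistent enough
        if max(per_day.values()) >= bulk_alert_bytes:
            continue                                  # the volume rule covers it
        sizes = list(per_day.values())
        low_and_slow.append({"src": src, "dst": dst, "active_days": len(per_day),
                             "of_days": len(eval_days), "total_bytes": sum(sizes),
                             "mean_daily_bytes": mean(sizes),
                             "other_hosts_using_dst": len(talkers[dst]) - 1})
    return {"low_and_slow": low_and_slow, "bulk": bulk}


if __name__ == "__main__":
    for kind, hits in detect(make_sample_log()).items():
        print(kind, hits)
```

On the sample, the 2 GB transfer shows up under the volume rule while the 40 KB beacon, which never comes close to that threshold, is surfaced only by persistence plus novelty: about 400 KB leaves over ten days, unseen by any per-event alert, which is the point the passage makes about noise. This is also what the “learn from past behaviour” language amounts to in its simplest form, a profile built from history and a score for deviation from it. Two caveats a practitioner would want: a learned pair list is only as clean as the baseline window (an implant already active during training becomes “normal”), and an attacker who exfiltrates to a destination the host already uses, such as a cloud storage service, slips past the novelty test, so per-pair volume baselines are needed alongside it.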