Article by Dwayne Melacon
I was just reading an article called “4 Turning Points in Cybercrime History,” which talks about four breaches that have had significant repercussions in corporate infosec. That got me thinking about the flip side of that coin: what would a future headline look like if we’d made big progress toward better security? Take a look at some of my ideas, then add your own ideas in the comments.
1. Every enterprise adopts robust security configuration management (SCM) practices
In 2014, all enterprises recognized that one of the best ways to prevent breaches is to build secure infrastructure from the outset, having observed the resiliency of early adopters of strong security configuration management during the hail of cyber attacks in 2013.
Enterprises adopted reputable standards for secure configurations (many based on the Center for Internet Security’s CIS Benchmarks) and implemented repeatable practices for building secure infrastructure (servers, network devices, applications, etc.). This shift dramatically reduced the attack surface of enterprises, making a successful attack far more difficult to achieve.
2. Enterprises become effective in top-down, risk-based security management
Rather than a “peanut butter” security approach that spreads the same controls evenly over all IT infrastructure and data, enterprises shifted to a rigorous top-down, risk-based approach to security. This shift, which began in 2014, involves systematically identifying the role and value of each part of the IT “supply chain,” which lets organizations apply their security resources in proportion to how each infrastructure element supports their business or (in the case of governments) their mission.
This risk-based approach has also driven better segmentation of network components, users, and data storage, and wider adoption of layered logical controls. Among other things, it has greatly reduced the risk of an attacker gaining access to a “minor” system in the environment and using that foothold to reach more important or sensitive systems.
Enterprises also found that this approach enabled them to articulate the value of information security investments much more clearly to non-technical executives and stakeholders in their organizations, which reduced the number of failed or under-funded security projects.
3. Enterprises adopt multi-factor user authentication, better password storage practices, and end-user security training
In conjunction with the move to top-down, risk-based security management, enterprises took to heart the fact that many attacks have historically exploited weaknesses in the user community. This drove a move to multi-factor authentication (two or more of the “something you know, something you have, something you are” triad), which drastically limited what an attacker could do with credentials stolen from a compromised password database. Additionally, organizations began consistently storing passwords as salted hashes computed with a deliberately slow key-derivation function (a salt alone does not stop offline cracking of a fast hash; the cost per guess is what slows an attacker down), and moved to open, standards-based protocols for user authentication.
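To make the password-storage point concrete, here is an added example (not code from the original post or from Tripwire) that puts the weak scheme next to the hardened one: an unsalted SHA-256 digest, and a per-user random salt fed to PBKDF2-HMAC-SHA256 with a high iteration count, stored in a self-describing record and verified with a constant-time compare. The record format, the `pbkdf2_sha256$iterations$salt$digest` layout, and the iteration count are choices made for this example.

```python
"""Password storage: an unsalted fast hash beside a salted, deliberately slow one.

Added example, not code from the original post. The record format and the
iteration count are assumptions made for this demonstration.
"""
import hashlib
import hmac
import os

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password):
    """Unsalted SHA-256: every user with the same password gets the same digest,
    so one precomputed table or one GPU run cracks the whole database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$digest'
    so the parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # unique per user; never reused across records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time.
    A malformed or foreign record is rejected rather than raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def same_password_shares_digest(password, iterations=1000):
    """For two users with one password: (weak digests collide, hardened records collide).
    The low iteration count here is only to keep the comparison quick."""
    weak = weak_hash(password) == weak_hash(password)
    hardened = hash_password(password, iterations) == hash_password(password, iterations)
    return weak, hardened


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(same_password_shares_digest("hunter2"))  # (True, False)
```

The collision check is the point of the exercise: with the weak scheme, two users sharing a password share a digest, so a single cracked value (or a rainbow table) compromises both, while the salted records differ even for identical passwords and each one has to be attacked separately at the full per-guess cost.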
This is another area in which the top-down, risk-based security approach has borne fruit: enterprises have engaged in more rigorous review of user privileges and role-based access, which has helped in “right-sizing” user privileges on mission-critical systems and data according to the principle of least privilege.
To further secure the human element, most enterprises implemented security training to increase security awareness amongst the user population, making them less susceptible to social engineering, phishing, and other behaviors that enable “attacks of opportunity.” This approach, coupled with regular refresher courses and knowledge-retention tests, has been very effective in reducing the user population as an attack vector.
4. Enterprises use continuous monitoring to reinforce policies, create accountability, and drive cultural change
Continuous monitoring, an approach that had been around for many years, finally became commonplace in 2014 and 2015. Enterprises monitored their systems continuously and compared every change, activity, and data movement against objective policies. This let them identify “outliers” early, so they could recognize and address attack precursors, configuration variance, anomalous user behavior, and other issues that previously went unnoticed for months or more.
Furthermore, this increased adherence to policies and practices by creating a “culture of accountability”: users and administrators knew they would be found out if they took shortcuts or violated policies, so they increasingly did things right the first time. That reduced operational and security variance and increased the overall efficiency and effectiveness of their IT efforts.
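The monitoring loop described above, comparing the current state of systems against a baseline and against objective policy, is shown below as an added example (not code from the original post or from Tripwire’s product). It snapshots a directory tree (content hash plus permission bits per file), reports every change against the baseline, and checks each file against two constructed policy rules: nothing may be world-writable, and an `sshd_config` may not contain `PermitRootLogin yes`. The file names, contents, and rules are constructed for the demonstration.

```python
"""Baseline-and-drift check: the core of continuous configuration monitoring.

Added example, not from the original post or from Tripwire. The file tree,
policy rules and paths below are constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            snap[os.path.relpath(full, root)] = (digest, mode)
    return snap


def drift(baseline, current):
    """Classify every difference between two snapshots as added, removed,
    content_changed or mode_changed, in path order."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("removed", path))
        elif path not in baseline:
            findings.append(("added", path))
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                findings.append(("content_changed", path))
            if old_mode != new_mode:
                findings.append(("mode_changed", path))
    return findings


# Objective policy: each rule is (name, predicate over (path, content, mode)).
def _not_world_writable(path, content, mode):
    return not (mode & stat.S_IWOTH)


def _no_root_ssh_login(path, content, mode):
    if os.path.basename(path) != "sshd_config":
        return True
    for line in content.decode("utf-8", errors="replace").splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower() == "permitrootlogin" and tokens[1:2] == ["yes"]:
            return False
    return True


POLICY = [("world_writable", _not_world_writable), ("root_ssh_login", _no_root_ssh_login)]


def policy_violations(root, rules=POLICY):
    """Evaluate every rule against every file; return (rule_name, path) pairs."""
    violations = []
    for rel in sorted(snapshot(root)):
        full = os.path.join(root, rel)
        with open(full, "rb") as f:
            content = f.read()
        mode = stat.S_IMODE(os.stat(full).st_mode)
        for name, ok in rules:
            if not ok(rel, content, mode):
                violations.append((name, rel))
    return violations


def demo():
    """Build a constructed config tree, baseline it, apply three changes an
    administrator or intruder might make, and return (drift, policy violations)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ssh"))
        sshd = os.path.join(root, "ssh", "sshd_config")
        hosts = os.path.join(root, "hosts")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(hosts, 0o644)
        baseline = snapshot(root)

        # Drift: a shortcut in sshd_config, a loosened permission, an unexpected new file.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(hosts, 0o666)
        cron = os.path.join(root, "cron.d_backdoor")
        with open(cron, "w") as f:
            f.write("* * * * * root /tmp/x\n")
        os.chmod(cron, 0o644)

        return drift(baseline, snapshot(root)), policy_violations(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The two reports answer different questions: `drift` says what changed since the last known-good state (which is what creates accountability for the person who made the change), while `policy_violations` says whether the current state is acceptable regardless of history, which catches a bad setting that was present in the baseline all along. A real deployment would store the baseline signed and off-host, and run the comparison on a schedule or on file-change events.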
These are four examples of what I’d love to see as future “turning points” in cybersecurity history (yes, I know – I’m not wild about the term “cybersecurity” either, but at least people know what you mean when you say it).
What about you? What would you add to the list of future turning points? Please leave a comment with your additions to the list.
Cross-posted from Tripwire's State of Security