
How to practice cybersecurity (and why it’s different from IT security)

Cybersecurity isn’t about one threat or one firewall issue on one computer. It’s about zooming out and getting a bigger perspective on what’s going on in an IT environment.


Keeping companies safe from attackers is no longer just a technical issue of having the right defensive technologies in place. To me, this is practicing IT security, which is still needed but doesn’t address what happens after the attackers infiltrate your organization (and they will, despite your best efforts to keep them out).

I’m trying to draw attention to this topic to get security teams, businesses executives and corporate boards to realize that IT security will not help them once attackers infiltrate a target. Once this happens, cybersecurity is required.

In cybersecurity, the defenders acknowledge that highly motivated and creative adversaries are launching sophisticated attacks. There’s also the realization that when software is used as a weapon, building a stronger or taller wall may not necessarily keep out the bad guys. To such adversaries, each additional defensive measure is one more opportunity to find weak spots and gain access to a network.

This mentality goes against the fundamental principle in IT security of erecting multiple defensive layers around what you’re trying to protect. By separating what you’re trying to protect from the outside world, you’re keeping it safe—at least in theory. While this works in physical security, where IT security has its roots, it doesn’t really work when you’re facing enemies who need to be successful just once to carry out their mission. Defenders, unfortunately, don’t have this luxury. They need to catch every attack, every time. Don’t take this statement as a knock against antivirus software, firewalls and other defensive technologies; they’re still needed in conjunction with cybersecurity.

Cybersecurity means looking for attacker footholds, not malware

IT security and cybersecurity also differ on what action to take after an attacker breaks through your defenses. In IT security, when a problem is detected on one computer, it’s considered an isolated incident and the impact is limited to that machine.

Here’s how that scenario typically plays out: Malware is discovered on the controller’s computer, for example. An IT administrator or maybe a junior security analyst removes the machine from the network and perhaps re-images it. Maybe there’s an investigation into how the computer was infected and a misconfigured firewall is identified as the culprit. So, the firewall configuration is changed, the threat is neutralized, the problem is solved, and a ticket is closed. In IT security, where the quick resolution of an incident is required, this equals success.

Now, here’s how that same incident would be handled from a cybersecurity perspective. The team looking into the incident wouldn’t assume the malware infection is limited to one computer. And they wouldn’t be so quick to wipe the machine clean. They may let the malware run for a bit to see where it phones home and how it acts.

Most important, the incident wouldn’t be seen as a random, one-off event. When you apply a cybersecurity lens to incidents, the belief is that every incident is part of a larger, complex attack that has a much more ambitious goal besides infecting machines with malware. If you close a ticket without asking how an incident or incidents are linked (remember, attacks have many components and adversaries commonly carry out lateral movement) or where else attackers could have gained a foothold, you’re not doing your job.
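The "how are these incidents linked" question above can be turned into a routine check. The following is an added example, not code from the original article or its author: it pivots from one "resolved" host through shared indicators (the same file hash or the same command-and-control domain) and through remote logons sourced from an already-suspect host, and reports every other machine that the same attack appears to have touched. The alert records, host names, hashes and domains are constructed for illustration and are not real indicators.

```python
from collections import defaultdict

# Constructed sample alert records (hypothetical hosts, hashes and domains).
# Each record is one ticket-worthy event from an endpoint or network sensor.
# "src:<host>" marks the source of a remote logon observed on the record's host.
ALERTS = [
    {"id": 1, "host": "controller-pc", "kind": "malware_found",
     "indicators": {"hash:deadbeef01", "c2:updates.example-cdn.test"}},
    {"id": 2, "host": "hr-laptop-07", "kind": "dns_query",
     "indicators": {"c2:updates.example-cdn.test"}},
    {"id": 3, "host": "fileserver-02", "kind": "remote_logon",
     "indicators": {"src:controller-pc"}},
    {"id": 4, "host": "dev-ws-11", "kind": "malware_found",
     "indicators": {"hash:cafef00d99"}},   # unrelated: different hash, no C2 overlap
    {"id": 5, "host": "finance-db", "kind": "remote_logon",
     "indicators": {"src:hr-laptop-07"}},
]


def build_indicator_index(alerts):
    """Map each indicator string to the set of hosts it was observed on."""
    index = defaultdict(set)
    for alert in alerts:
        for indicator in alert["indicators"]:
            index[indicator].add(alert["host"])
    return index


def related_hosts(alerts, seed_host):
    """Starting from one host whose ticket is about to be closed, walk outward:
    1. any other host that shares an atomic indicator (hash, C2 domain), and
    2. any host that received a remote logon from a host already under suspicion
       (the lateral-movement edge).
    Repeats until no new hosts appear. Returns {host: reason} for every host
    other than the seed; an empty dict means the incident really is isolated."""
    index = build_indicator_index(alerts)
    suspect = {seed_host}
    reasons = {}
    frontier = [seed_host]
    while frontier:
        host = frontier.pop()
        # Rule 1: shared atomic indicators (skip the lateral-movement markers here).
        for alert in alerts:
            if alert["host"] != host:
                continue
            for indicator in alert["indicators"]:
                if indicator.startswith("src:"):
                    continue
                for other in index[indicator]:
                    if other not in suspect:
                        suspect.add(other)
                        reasons[other] = f"shares {indicator} with {host}"
                        frontier.append(other)
        # Rule 2: remote logons whose source is the host we are expanding from.
        for other in index.get(f"src:{host}", ()):
            if other not in suspect:
                suspect.add(other)
                reasons[other] = f"remote logon from {host}"
                frontier.append(other)
    return reasons


if __name__ == "__main__":
    # The ticket for "controller-pc" looks like a single infection; the pivot
    # shows three more machines tied to it, and leaves dev-ws-11 alone.
    for host, why in related_hosts(ALERTS, "controller-pc").items():
        print(f"{host}: {why}")
```

Running it on the constructed records links hr-laptop-07 (same C2 domain), fileserver-02 (remote logon from the infected controller) and finance-db (remote logon from the second infected laptop), while dev-ws-11 stays out because it shares nothing with the chain. In a real environment the records would come from the SIEM or EDR export, and the result is the list of hosts that also need triage before the ticket is closed.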

To practice cybersecurity, zoom out

Practicing cybersecurity begins with security teams changing their mindset around how they handle threats. To start, they need to be encouraged not to close tickets quickly, but to spend time looking for a full-blown attack in their environment. They also need to understand that cybersecurity isn’t about one threat or one firewall issue on one computer. That view is much too myopic. Zoom out for a bigger view.

I admit this approach is a radical departure from how most organizations currently handle security. Further complicating this perspective is the fact that what I’m proposing can’t be learned in classrooms or professional development courses. The notion of experience being the best teacher applies to figuring out cybersecurity. Step one is thinking like a detective and asking questions about the incident: Why was this attack vector used? Are there any strange activities (however minor) occurring elsewhere in my IT environment? Why would attackers target our organization?

It’s this big picture thinking that separates cybersecurity from IT security. And it’s big picture thinking that will help companies detect and stop adversaries after they make their way into an organization.


IT Security Vulnerabilities that Can Lead to an Inside Job

Vlad de Ramos, a 22-year veteran of IT management and IT security, is today’s guest blog writer, giving us some practical advice on IT security vulnerabilities. What a timely piece of writing. So many industries are facing security issues today, both external and internal. Vlad will cover how to take steps to guard your business on all fronts. Please help me welcome Vlad to TheDigitalAgeBlog.

A data breach can happen to anyone. IT security failures are not only damaging and costly for businesses; customers suffer as well, and people lose their jobs too.

In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of businesses suffered a breach in their data security. Despite the prevalence, about 46 percent did not employ encryption solutions following the IT security failure. About 74 percent of the companies surveyed report losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).

It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.

Companies that take IT security seriously should guard their business on all fronts. Unfortunately, many companies admit that they are still lacking when it comes to securing the business from the inside. One of the reasons many organizations fail to set up effective safeguards is that they are in denial about the magnitude of IT security threats stemming from an inside job.

Here are some of the reasons your employees can contribute to IT security failures.

Inside Insider Jobs

There are a variety of reasons a company’s very own employees can take part in inside jobs such as financial gain, desire for power and recognition, revenge on a co-worker or boss, and response to blackmail from inside and outside the organization.

Some employees are lured into inside jobs due to their loyalty to some people in the organization or to colleagues who recently left on not-so-good terms, while others do it for personal and political beliefs.

There are also insider jobs that are linked to activist groups and organized crime. In a 2012 report by Carnegie Mellon University’s CERT (computer emergency readiness team) Insider Threat Center, researchers found that out of 150 cases of IT security failures analyzed, about 16 percent were linked to organized crime.

According to psychologist Monica Whitty, from the University of Leicester, employees who “willingly” assist in IT security attacks may be suffering from one or more of the following conditions: narcissism, psychopathy, and Machiavellianism, which is defined as “the employment of cunning and duplicity in statecraft or in general conduct”.

In a 2013 study by Centre for the Protection of National Infrastructure (CPNI), findings showed that people who engage in insider attacks might have two or more of the following qualities: low self-esteem, lack of ethics, immaturity, tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.

Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying jobs, such as creating copies of sensitive materials beyond what is necessary and removing protective markings on documents when creating their own copies. Insiders also often engage in unusual IT activities, such as searching for keywords in a company-sensitive database.

Management Vulnerabilities

Motivations and unusual behaviors are just one side of the story.

The lack of an effective IT security protocol opens up vulnerabilities within the organization that employees can use. Some of these include:

  • Administrator and other privileged access that isn’t monitored.
  • Unattended company devices such as USB drives and laptops.
  • Hard drives that weren’t properly disposed of.

But even with an advanced security practice, human error can still pose a threat. Most of the time these are innocent mistakes due to the lack of knowledge in IT security. These include improper file transfers, illegal uploads and downloads, as well as using personal devices in the workplace for business purposes.

In other cases they are intentional because of management issues. Disgruntled, burned-out, and dissatisfied employees can turn into accomplices. The Verizon Data Breach Report 2016 found that employees transferred data via USB before they left the company. Companies with fraud detection were able to weed out the employees who provided information in weeks, but those without took months or years to identify them.
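The three vulnerabilities listed above and the USB-before-departure pattern from the Verizon report are all things an audit log can surface if someone looks. The following is an added example, not code from the original post or its author: it runs three simple rules over constructed audit events (unmonitored privileged logins, bulk USB copies inside a window before an employee’s last day, and a spike of keyword searches against a sensitive database) and returns the findings. The user names, dates, file names and thresholds are assumptions chosen for illustration; real deployments would take the departure list from HR and the events from the endpoint and database audit trails.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (hypothetical users, dates and file names).
# Departure dates as HR would supply them: user -> last working day.
DEPARTURES = {"jsmith": date(2016, 3, 31)}

# One audit event per tuple: (date, user, action, detail, bytes_moved).
EVENTS = [
    (date(2016, 3, 2),  "jsmith",     "usb_copy",   "Q1_customer_list.xlsx",     2_000_000),
    (date(2016, 3, 25), "jsmith",     "usb_copy",   "contracts_archive.zip",   900_000_000),
    (date(2016, 3, 26), "jsmith",     "db_search",  "keyword=merger",                    0),
    (date(2016, 3, 26), "jsmith",     "db_search",  "keyword=salary",                    0),
    (date(2016, 3, 26), "jsmith",     "db_search",  "keyword=acquisition",               0),
    (date(2016, 3, 10), "agarcia",    "usb_copy",   "slides.pptx",               5_000_000),
    (date(2016, 3, 11), "agarcia",    "db_search",  "keyword=invoice",                   0),
    (date(2016, 3, 12), "root_admin", "priv_login", "session_recorded=no",               0),
    (date(2016, 3, 13), "root_admin", "priv_login", "session_recorded=yes",              0),
]


def flag_insider_risks(events, departures, window_days=30,
                       usb_threshold=100_000_000, search_baseline=2):
    """Apply three rules and return a list of findings (dicts with rule, user, detail).

    - unmonitored_privileged: a privileged login with no session recording.
    - usb_near_departure: USB copies totalling more than usb_threshold bytes in the
      window_days before a user's last working day.
    - search_spike: more than search_baseline keyword searches against the
      sensitive database by one user on one day.
    Thresholds are illustrative; tune them to the organisation's baseline."""
    findings = []
    usb_bytes = defaultdict(int)      # user -> bytes copied inside the departure window
    searches = defaultdict(int)       # (user, day) -> number of keyword searches

    for day, user, action, detail, nbytes in events:
        if action == "priv_login" and "session_recorded=no" in detail:
            findings.append({"rule": "unmonitored_privileged", "user": user,
                             "detail": f"{day}: privileged login without session recording"})
        elif action == "usb_copy" and user in departures:
            last_day = departures[user]
            if last_day - timedelta(days=window_days) <= day <= last_day:
                usb_bytes[user] += nbytes
        elif action == "db_search":
            searches[(user, day)] += 1

    for user, total in usb_bytes.items():
        if total > usb_threshold:
            findings.append({"rule": "usb_near_departure", "user": user,
                             "detail": f"{total} bytes to USB within {window_days} days of departure"})

    for (user, day), count in searches.items():
        if count > search_baseline:
            findings.append({"rule": "search_spike", "user": user,
                             "detail": f"{day}: {count} sensitive-database searches"})

    return findings


if __name__ == "__main__":
    for finding in flag_insider_risks(EVENTS, DEPARTURES):
        print(f"[{finding['rule']}] {finding['user']}: {finding['detail']}")
```

On the constructed events the departing user is flagged twice (roughly 900 MB to USB in the month before leaving, and three sensitive searches in one day), the unrecorded privileged login is flagged once, and the ordinary user who copied a slide deck and ran a single search produces nothing. The point is the reverse of the Verizon finding quoted above: with the log joined to the HR departure list, the weeks-to-years detection gap collapses to the log's review cadence.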

Secure Your Posts

Don’t just look for loopholes in the IT infrastructure. In ensuring the safety of your business and customers, you also have to analyze the status of the people within your organization. Ensure the security of all your posts by looking not just outside in but also inside out.
Please feel free to comment on Vlad’s post.

ABOUT THE AUTHOR:
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.