ReThink: Cyber Security Approach
As we wind up 2016 and move into 2017, I would like to share my thoughts on how we, as security professionals and leaders, should approach security threats in this new era of technological evolution.
This year we have seen a huge spike in data breaches, as well as various forms of threats (targeted phishing, ransomware, the Dyn DDoS attack driven by the Mirai botnet) impacting large, medium and small organizations across the world. Not many organizations can spend the time and resources needed to identify Advanced Persistent Threats (APTs) in their environments, and these threats can have a disastrous impact and bring a business down completely.
From what we have all observed, year on year there is a constant increase in the kinds of attacks adversaries use to harm organizations, and our economies with them.
On one side, adversaries go after targeted organizations; on the other, there is a huge rise in nation-state cyber-attacks that could have a catastrophic impact on national and global economies.
Nation-state actors have different motives when they engage in cyber-attacks; one nation's motive differs from another's. For example, China has one motive when it attacks the USA, and North Korea has a different motive when it attacks South Korea. To generalize, the motive behind these attacks is to destabilize the governments and economies of the targeted nations. We are only beginning to see the tip of the iceberg; as we move forward, we and every country must be ready to identify, protect, detect, respond and recover with the least possible impact. "Let's defend and protect our Critical Infrastructure Environments."
As we all know, there is no such thing as 100% secure. At some point every entity is, or will be, impacted by a cyber-attack; all we can strive for is to be prepared, with appropriate countermeasures and controls in place, so that we come out of the attack with minimal or zero impact.
As we move to the next generation, the evolution and adoption of technology will change significantly. I would not be surprised if, 50 years from now, driving a car is history. We are already seeing innovation in how we use technology and digitize everything. With all these transformations, the things we use, the way we commute and every other Thing out there will be tied to our identity (who you are, and whether you are who you say you are).
The big question is: is our identity secure? Is it protected? Can we rely on our identity in the future? What happens if someone impersonates you?
Scary, right? And identity is just one piece of the puzzle. Many other pieces need to be considered before driving security; one of them is the culture towards security within an organization.
Not always, but mostly, we as security professionals whine that the business doesn't understand security: for example, that development teams don't know what XSS or SQL injection is. This can be true in some cases, because of a lack of awareness of application security vulnerabilities and because their focus is on delivering the functionality their business stakeholders requested.
But I would like to flip the coin and ask ourselves: how many of us as security professionals have a clear vision or end goal for what we need to accomplish? Do we take a consistent approach to how we integrate security? Just as there are developers who don't understand application security vulnerabilities, there are security professionals who are inexperienced and don't really understand real-world situations. I get it; we are not, and never will be, experts in everything.
Having been in this industry for nearly two decades, I would like to share and recommend my approach to cyber security. Let's jot down some rules for taking a consistent approach to implementing security controls that enable our business partners.
Here are a few key security principles to consider when designing security for enterprise or product solutions. In many cases, traditional security controls do not apply to certain technologies, especially in cloud environments. Appropriate measures should be taken and, where possible, we should reduce human intervention by automating security controls wherever applicable.
- “Defense in Depth”
- “Assume your assets are in Zero Trust Environments”
- “Assume no confined boundaries”
- “Build your environments in a way that you can Recycle (destroy and build fresh) periodically”
- “Security must always be a business enabler, not the other way round”
Almost every organization has a security team reporting to the CIO or CTO, or in some cases directly to the CEO, depending on the organization's size and structure. As we all know, culture has the greatest impact on an organization when it starts at the top of the management chain. Likewise, the Security Leadership Team (SLT) should act as a beacon, leading security team members to do the right thing, and the SLT must take ownership of defining the overall objectives and the considerations for how security teams should approach enabling the business. I would like to refer to this as a Security Bible: what the SLT expects from security team members within the organization.
Here are a few of my mantras (not an exhaustive list) that I personally would give to security teams on how to take a consistent approach to driving security across the organization.
- A security function within an organization must start with a mission statement. It can be simple, but it must be a driver to enable your business. Many times, the lack of an objective is the first step towards failure.
- Knowing your environment and landscape is very important, no matter how big your organization is.
- As we adopt more and more cloud technologies, in various forms, to run our businesses, security becomes pivotal for any organization. One cannot assume the cloud provider is responsible for security: under the shared responsibility model the provider secures the underlying infrastructure, while the customer remains responsible for its data, identities and configuration.
- As you define and build security controls for your organization, always assume there is no trusted perimeter. We may all feel that we are on a trusted network, but in many cases that is not accurate.
- Humans are the weakest link, and there is no easy way to fix this. Security awareness programs must be run across the organization, and individuals and teams must be rewarded for making a difference in adopting security practices.
- It is always good practice to apply security controls at the point of origin. For example, encryption of personally identifiable information must happen at the application layer, when the data is entered, not after the data has been stored in the database; storage-level encryption alone leaves the data readable to anyone who can query the database. As mentioned before, always assume you are building security for “Zero Trust Environments”. That said, don't build complexity into your architectures.
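The point-of-origin rule in the bullet above, as an added example that is not from the original post: application-layer field encryption in Go with AES-GCM, where the database column only ever holds ciphertext and the record ID is bound as associated data so that a blob copied from one row to another is rejected. The in-memory map standing in for the database, the sample e-mail addresses and the key generated in-process are constructed for the demo; in practice the key would come from a KMS or HSM and never sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual PII fields with AES-GCM before they leave
// the application. The "database" below is a map from record ID to the
// stored column value: base64(nonce || ciphertext || tag), never plaintext.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher wraps a 16/24/32-byte AES key. In production the key comes
// from a KMS or HSM and is never stored beside the data (assumed, not shown).
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field value. The record ID is bound as associated data,
// so a ciphertext copied from another row fails authentication on this row.
func (f *FieldCipher) Seal(recordID string, plaintext []byte) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := f.aead.Seal(nonce, nonce, plaintext, []byte(recordID)) // nonce || ct || tag
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal and verifies the tag, rejecting tampered or moved blobs.
func (f *FieldCipher) Open(recordID, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
}

// StoreEmail is the application-layer boundary: the PII is encrypted here,
// at the point of entry, before the row is handed to the database.
func StoreEmail(f *FieldCipher, db map[string]string, id, email string) error {
	blob, err := f.Seal(id, []byte(email))
	if err != nil {
		return err
	}
	db[id] = blob
	return nil
}

// LoadEmail reads a row back; decryption happens only inside the application.
func LoadEmail(f *FieldCipher, db map[string]string, id string) (string, error) {
	blob, ok := db[id]
	if !ok {
		return "", errors.New("no such record")
	}
	email, err := f.Open(id, blob)
	if err != nil {
		return "", err
	}
	return string(email), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key lives in a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	db := map[string]string{}
	_ = StoreEmail(fc, db, "u1", "alice@example.com") // constructed sample rows
	_ = StoreEmail(fc, db, "u2", "bob@example.com")

	fmt.Println("what a DBA or a SQL injection sees:", db["u1"])
	email, _ := LoadEmail(fc, db, "u1")
	fmt.Println("what the application sees:", email)

	// Copy u1's ciphertext into u2's row: the associated data no longer matches.
	db["u2"] = db["u1"]
	if _, err := LoadEmail(fc, db, "u2"); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}
}
```

Encryption at rest inside the database (disk or tablespace encryption) protects against stolen media, not against a compromised application account, a DBA or a SQL injection that can run SELECT; encrypting before the INSERT is what the bullet asks for. The trade-off is that an encrypted column cannot be searched or indexed on its plaintext, which is where the "don't build complexity" caveat bites: encrypt the fields that need it, not everything.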
- Engage business stakeholders in security discussions
- Always apply “Security by Design”
- Integrate security into the SDLC: a secure SDLC ensures the organization's security best practices and standards are incorporated from the requirements-gathering phase onward.
- Think Big
- Design Simple, Secure, Scalable and Reliable solutions.
Security is a two-sided coin: one side is a “feeling” and the other is “reality”.
Always focus on reality. Data and facts are critical!
Great read, Thanks Sudharma!
Backcountry Ski Patrol, 8 years ago:
I agree that the biggest risks are people within the organization and that perimeter control is not good enough anymore. The best method is to protect the data itself, since that is what people are trying to steal.