What's Next for Cybersecurity
by Brandi Scardilli
With the Equifax and other recent hacks still fresh in people’s minds, for Information Today’s annual predictions issue I decided to look to various IT companies for guidance on the current state of cybersecurity, how organizations can improve it, and where they think it will go next.
First, a few definitions. Isaac Kohen (CEO and founder of Teramind, an employee monitoring and insider threat prevention platform) shares what organizations need to know when planning a well-rounded security strategy:
- [W]hen we talk about risk management, to me it means being able to quantify the chances that information can be maliciously leaked or accidentally shared. For example, when an organization allows employees to use social media at work, they might think they’re being nice by not blocking access, but they don’t think about the fact that social media messengers allow attachments, which means employees can send data to outside sources via social media.
- Insider threats are what risk management tries to curb. Some insiders are malicious—unfortunately there are people who don’t feel loyal to their organization and share privileged data with outside sources who can benefit from the knowledge. Other insider threats are accidental—they don’t realize they’ve exposed your data, and those can be extremely dangerous as well. This usually happens when they follow their daily habits that might break company policy, which means if you’ve found out about one incident, there is a high chance there were many more incidents.
- Cybersecurity is really about focusing on threats from outside your network, so it differs from insider threats but is connected. Many times people from the outside target your employees, and the difference between a company that gets hacked or their data compromised is often employees that are aware of security policies and the threats that remain out there.
SolarWinds MSP, an IT service management solutions provider, issued a report on Oct. 30 stating that “four out of every five businesses across the US and UK will change how they deal with security in the coming 12 months” (globenewswire.com/news-release/2017/10/30/1160038/0/en/80-of-Businesses-Plan-to-Change-Their-IT-Security-Management-in-the-Next-12-Months.html). Nearly half (49%) of the 400-plus companies surveyed are planning to outsource their security for the first time next year. While 25% say this is due to the cost of handling security internally, 24% “want to outsource it to improve performance.”
Both businesses and libraries benefit from adopting the best possible security measures. One area they can start with is the use of strong passwords throughout the organization.
Identity management provider OneLogin published a report showing that using weak passwords is posing unnecessary risks to U.S. businesses (prweb.com/releases/2017/10/prweb14768123.htm). While 87% of the more than 500 IT decision makers surveyed believe their password protection policies are sufficient, OneLogin finds that they are actually not enforcing the use of strong passwords. About 25% of respondents don’t require company passwords to have a minimum length, and 54% have users rotate their passwords quarterly. Organizations could adopt technologies that help them strengthen password management, such as multifactor authentication (MFA; more than one assessment for determining someone’s identity). Only 36% of respondents said they use it within their company, and 34% use it for external access.
Alvaro Hoyos (OneLogin’s chief information security officer) says that “IT teams face a perfect storm of challenges related to password security.” He describes three challenges they’re coming up against: the lack of an identity and access management (IAM) system for enforcing password policies (such as a minimum length) across applications, no support for authentication standards for exchanging data (such as SAML or OpenID Connect) that would “remove the burden of passwords from the login workflow and enable Single Sign On,” and the rise of Shadow IT (applications used by employees that the IT department doesn’t know about).
Hoyos has solutions for confronting these challenges:
- Adopt an IAM system, which is “a baseline requirement for centrally managing and securing” both cloud-based and in-house applications.
- Request that all organizational teams that buy or subscribe to applications use vendors that support SAML or OpenID Connect.
- Find those Shadow IT applications. “A simple starting point is to partner with your finance department to report all expensed application subscriptions. No one is going to let an app subscription go unexpensed. For this reason, the greatest source of truth of Shadow IT usage lies in company expense reports. Other methods include using proxy solutions that help secure your company’s traffic and also provide insight into the applications that are being used by your personnel.”
- Embrace MFA organizationwide. “In the event of a password compromise, MFA provides an additional layer of security.”
According to Teramind's Kohen, insider threats are a growing problem for every industry. Credit card data, personal health records, and other sensitive information are targeted not just by outsiders, but by those engaged in "company espionage." Now that today's employees are more likely than those of older generations to hop from company to company throughout their careers, organizations need to be sure to safeguard their intellectual property.
Kohen says it’s important to have strict policies for protecting data and prioritize their enforcement. If organizations learn what policies are violated most often, they can explain to employees why it’s risky not to follow them. They should also learn which employees violate security policies so they can monitor their activities directly. Teramind helps its customers with “risk scoring,” which keeps track of policy violations and high-risk employees. As threats evolve, they can add more types of risks they come across. (See Figure 1 for an example of Teramind’s risk dashboard.)
Kohen’s general best practices for good risk management are:
- Identify the data you want to protect.
- Monitor the day-to-day actions of users so that if they do something suspicious, the difference in behavior will be immediately evident. Detecting anomalies in user behavior is a key component of eliminating insider threats.
- Encrypt all sensitive data.
- Restrict access to datasets that aren’t necessary for the day-to-day operations of the organization.
- Train employees on potential risks and why particular policies have been implemented.
Jason Pfeiffer (VP of incident response at ReliaQuest, a provider of custom solutions for IT security) sees malware, especially ransomware (having to pay a ransom to regain access to your own files after an attacker has encrypted them), as the major force in outsider threats.
He says organizations should focus on the fundamentals of cybersecurity, such as keeping software up-to-date and deciding on the appropriate access levels for each employee. “While attackers can be sophisticated, they do not fail to take advantage of ‘low hanging fruit’ to gain access to organizations and critical information.” To that end, it’s important to be as protective of personal online information as of physical belongings, he says. The rest of his best practices for security include:
- Be skeptical about organizations or individuals that ask for your personal information.
- Ensure that any sources of your data, such as Dropbox or Google Drive, require passwords and two-factor authentication.
- [B]e selective about what information you share online.
Dennis Borin (senior solutions architect at EfficientIP, a network infrastructures provider) shares his expertise about security risks in higher education, but many of his suggestions could apply to any organization. He says that because students have multiple IP-enabled devices—laptops, smartphones, etc.—the IT department can’t possibly know if all of them are secure. If a campus network is under attack, he says, the variety of devices on the network means it will be difficult to respond instantly and with the right countermeasures.
If student data is stolen, the university’s integrity could be called into question, whether from bad press, decreased enrollment, or other adverse effects. “Smaller Universities may take a longer time to mitigate and restore services after a DoS [denial-of-service] attack, because they may not be as well staffed,” so they need to set up a system for automatically detecting and mitigating attacks. IT departments in all universities should remember that “tying all of the access controls to a centralized authority management system is critical. Additionally, as administrators change positions within the University or possibly leave, the correct user rights need to be granted and updated as required.”
Borin suggests three solutions for avoiding possible attacks:
- Evaluate mission-critical services and update them to align with current best practices.
- Update the security system and apply the appropriate access controls.
- Deploy solutions that use behavior-based analytics (i.e., predicting future actions based on past behavior), not signature-based ones, to identify threats.
The most critical services on a network are DNS (domain name system, which everything connected to the network relies on to resolve names) and DHCP (dynamic host configuration protocol, which hands out IP addresses and other parameters for IP networks). Borin recommends EfficientIP's DNS Guardian, which "can be used to mitigate threats for unsecured student network devices." According to its website, "DNS Guardian offers adaptive security to DNS cache and recursive services by detecting threats and activating adapted counter measures to ensure DNS services continuity and attack mitigation" (efficientip.com/products/dns-guardian).
Borin also advises making access management uniform across all of an organization’s systems and tools, getting rid of old and outdated user accounts, and changing from general DNS/DHCP software solutions that have mission-critical services as add-ons to ones with built-in security measures.
And now for these IT experts' predictions for 2018 and beyond. Pfeiffer says, "Cybersecurity continues to evolve as the world becomes more reliant upon technology," so being proactive about mitigating risks is key. According to Hoyos, organizations are already starting to understand the importance of using longer passwords (or even passphrases) that have the goal of "increasing entropy," not just mixing together numbers and letters.
Hoyos believes that the use of MFA technology will increase. MFA includes biometric and behavioral factors as well as temporary tokens, "not just as a second or third factor for passwords, but in some cases it will replace passwords outright." In response, "regulations around MFA information that is also considered personal data will increase and add another level of complexity to authentication factors; more so than passwords currently do."
Pfeiffer and Borin both say that the expansion of the Internet of Things will lead to more attacks. This means that threat sources could become more obscure, says Borin. “DoS and DDoS [distributed denial-of-service] attacks are going to become more prevalent, not only to external network targets, but also increasingly toward internal targets.” It’s not a question of if vulnerabilities will be exploited, but when, he says.
Kohen agrees that insider threats need to be taken seriously. “Most organizations are still mostly focused on threats from the outside (and they should continue to be worried as hackers become more advanced),” he says. “There needs to be a larger focus on securing data within the organization. Once data is out there—there is no turning back—companies need to focus on the preventive side.”
Pfeiffer says that while solutions such as artificial intelligence and machine learning may seem promising, "they are not quite ready for primetime and will always require the right people to analyze their outputs. The security space is always in a state of evolution; change is the only constant."