When we think about adversaries in cybersecurity, it usually conjures images of well-resourced nation-state attackers, or hoodie-wearing hackers. But one of the industry’s biggest adversaries is a lack of trust. Suspicion is holding back security practitioners from sharing vital information with their peers, or with other industries, and it’s hampering efforts to improve security for everyone.
Those were the thoughts of Wendy Nather, speaking at IRISSCON, the Irish Cybercrime Conference held in Dublin. Highly respected in the information security field, Nather is head of advisory CISOs at Duo Security, a company that was recently acquired by networking giant Cisco.
Nather recalled her experiences in the retail sector, where companies wanted to keep their threat intelligence anonymous – if they wanted to share it at all. The problem was, the information was anonymised to the point of being meaningless; it didn’t allow others in the group to ask follow-up questions, or to delve deeper into the details of an incident.
“I spent a lot of time convincing organisations to trust each other, because, without that, you can’t share good threat intelligence,” she said. “It stops us from understanding what the real problems are. Lack of trust prevents us from working together to solve problems.”
Another industry veteran and security community activist, Jack Daniel of Tenable, gave a talk that touched on many similar themes. “The future of security – cyber, if we must – is that if we’re going to be successful, it will be because we share information,” he said. This approach allows other security professionals to learn, and enhances knowledge, because each person brings their own perspective to the job. In a call to arms, Daniel said: “We need to work on this, and we need to work together, or we’ll be screwed. Let’s at least be less screwed together.”
Over the years, IRISSCON has attracted influential and highly regarded industry figures to present, including Dr Jessica Barker, Mikko Hypponen, Jenny Radcliffe, Marcus Ranum, and the late Howard Schmidt, the former White House cybersecurity coordinator. Although many speakers in the security field work for well-known companies, their presentations invariably focus on sharing experience and passing on knowledge.
Nather also identified the quality that security practitioners need to nurture in order to make themselves more effective in their roles. “Being trustworthy starts with us,” she said. “We need empathy. It’s probably the most important quality. We need to earn trust, to understand our users. Without that trust, they will never use the tools that are supposed to keep them safe.”
In security, the concept of zero trust has a very specific meaning that refers to a way of designing network architecture and granting access to entities on it. Nather warned the assembled audience not to interpret the phrase as meaning ‘never trust anything on the network’. “When you trust somebody, you don’t trust them to do absolutely everything. You trust them to do one thing or a few particular things, and it’s not permanent – it changes depending on whether the risk is growing,” she said.
This approach extends to making security processes and tools less visible to non-technical users. Otherwise, they are less likely to abide by those rules. “If you can hide a lot of authentication from the user, they’re going to be a lot happier. If you never trust your users, they are never going to use what you build for them,” Nather said.
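The scoped, expiring, risk-dependent trust Nather describes can be made concrete as a small policy engine. The block below is an added example written for this article, not code from her talk or from Duo: every grant covers one action on one resource and expires, each request is re-evaluated against risk signals, and a stronger factor is demanded only when risk rises, so in the common case authentication stays out of the user's way. The signal weights and thresholds are assumptions chosen for illustration.

```python
"""Scoped, time-limited, risk-adaptive access decisions.

Added illustration written for this article; it is not code from Nather's
talk or from Duo. Each grant covers one action on one resource and expires;
every request is re-evaluated against risk signals, and a stronger factor is
demanded only when risk rises, so the common case stays invisible to the user.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # admit only after a stronger factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class Grant:
    subject: str
    action: str           # one verb, e.g. "read", never "*"
    resource: str         # one resource, e.g. "hr/payroll"
    expires_at: datetime  # trust is not permanent


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    now: datetime
    # Risk signals. Here they are constructed inputs; in practice they come
    # from device posture, the identity provider and network telemetry.
    device_managed: bool = True
    known_network: bool = True
    geo_change_km: float = 0.0
    mfa_fresh: bool = False  # strong factor presented within the session window


def risk_score(req: Request) -> int:
    """Weighted sum of signals. The weights are assumptions for illustration."""
    score = 0
    if not req.device_managed:
        score += 3
    if not req.known_network:
        score += 2
    if req.geo_change_km > 500:
        score += 3
    return score


def evaluate(grants: list[Grant], req: Request,
             step_up_at: int = 3, deny_at: int = 6) -> Decision:
    """Deny unless a still-valid grant matches this exact subject, action and
    resource; then let current risk decide between silent allow, step-up and deny."""
    matching = [
        g for g in grants
        if g.subject == req.subject
        and g.action == req.action
        and g.resource == req.resource
        and g.expires_at > req.now
    ]
    if not matching:
        return Decision.DENY
    score = risk_score(req)
    if score >= deny_at:
        return Decision.DENY
    if score >= step_up_at and not req.mfa_fresh:
        return Decision.STEP_UP
    return Decision.ALLOW


def demo() -> dict[str, Decision]:
    """Constructed scenarios for one user holding a single eight-hour read grant."""
    t0 = datetime(2018, 11, 22, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("alice", "read", "hr/payroll", t0 + timedelta(hours=8))]
    base = dict(subject="alice", action="read", resource="hr/payroll", now=t0)
    cafe = dict(device_managed=False, known_network=False)
    return {
        "office_read": evaluate(grants, Request(**base)),
        "office_write": evaluate(grants, Request(**{**base, "action": "write"})),
        "expired_grant": evaluate(grants, Request(**{**base, "now": t0 + timedelta(hours=9)})),
        "cafe_read": evaluate(grants, Request(**base, **cafe)),
        "cafe_read_after_mfa": evaluate(grants, Request(**base, **cafe, mfa_fresh=True)),
        "cafe_read_impossible_travel": evaluate(grants, Request(**base, **cafe, geo_change_km=3000)),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:30s} {decision.value}")
```

Note what the grant does not do: it never says "alice is trusted". It says alice may read one resource until 17:00, and even that is re-checked per request, so the same user is waved through from a managed device in the office, asked for a second factor from an unmanaged laptop on café Wi-Fi, and refused outright when that is combined with an impossible-travel signal.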
With these comments, Nather introduced another of the conference’s major themes: the role of the user and the need for the industry to make security easier for them. Javvad Malik, AlienVault’s chief security advocate, urged the industry to develop in line with users’ needs.
“The less visible it is to them, the better,” he said. “We need to stop building security with a technology lens; rather, we need to build security around the needs of users. User experience, as Wendy mentioned, is a part of this, but it also means building security from the perspective of reducing the friction on the user and focusing on outcomes.”
Malik posited that if a user wants to be notified when an unauthorised person tries to gain access or make changes to, for example, their HR system, they aren’t concerned with how that process happens. “It doesn't matter if it’s a custom-built tool that does this detection, or machine learning, or some other process – all they are concerned with is the outcome: that they are notified at the right time when something untoward has happened,” he said.
Jacky Fox, who heads the cybersecurity and IT forensic practice at Deloitte’s Irish office, spoke about sharing intelligence in the context of the evolving role of the chief information security officer. She described it as a multifaceted role that encompasses strategy, advisory, and being guardian of an organisation’s digital assets, as well as a technologist.
A good CISO should take time to understand what their company’s business strategy is, and how to align that with its IT strategy. “As a CISO, you need to focus on greater collaboration and become a friend to the business, so executives feel they can reach out to you,” she said.
Many of the presentations covered information-sharing as a way for peers to exchange crucial threat intelligence, but Robert McArdle of Trend Micro looked at this issue from a different perspective. Employees often share information about themselves in ways that put their organisation at risk. He referenced the incident in which the fitness app Strava gave away the positions of secret US military bases. McArdle said companies need to consider the potential security threats from similar kinds of scenarios.
“When you see popular new apps and devices, think about how that applies to your risk models, and whether you have to factor that in,” he warned. “How much your employees share online makes your organisation so much easier to target. Red teams know this, but many companies don’t – and they have no policy about what their employees can share about them on social media.”
Over-sharing – and the resulting risks – came into sharp focus during the presentation by Cliona Curley, programme director with CyberSafe Ireland. Curley focused on a specific set of internet users who are among the most vulnerable people online: the young. The non-profit group she founded promotes safer online use among this demographic. CyberSafe Ireland recently carried out research that uncovered some uncomfortable truths: 70% of 8- to 13-year-olds are using social media and messaging apps, despite the minimum age for those services being 13 to 16, in many cases.
“From a security perspective, think how much of a digital footprint they are leaving,” Curley said. Many children are playing online games from a young age, and some of these games have open chat areas that offer opportunities to predators. “You can’t have the conversation with kids ‘don’t talk to strangers’ because, online, they will be talking to strangers.” Curley’s talk was thought-provoking and offered some sobering reminders for both the parents and security professionals in the audience.
Dr Richard Browne, director of Ireland’s National Cyber Security Centre, alluded to some of the reasons some organisations can be reluctant to divulge too much information, even in a private setting with peers. “Some bodies don’t like sharing information because they don’t like people ‘looking at their homework’,” he said. He pointed out that the centre is only concerned with incident response, not with auditing for compliance to industry standards.
Nevertheless, in its role as coordinator for managing cybersecurity incidents involving critical national infrastructure and government IT systems, the NCSC has statutory powers to request information where necessary. Voluntary information-sharing might be the ideal that IRISSCON’s speakers were urging for their fellow security professionals, but when the power of persuasion isn’t enough, it helps to carry a big stick.
Attackers and AI?
Several of the speakers at IRISSCON also addressed some of the technology trends driving cybersecurity, such as AI, full-stack security, and DevSecOps. The idea of attackers beating defenders using artificial intelligence is alluring and stokes the fires of hype, but Duo Security’s global advisory CISO Dave Lewis wasn’t convinced.
In his presentation, he said too many companies are still making elementary mistakes with their security, so attackers rarely need to deploy cutting-edge technology. “Attackers are not going to use AI to break into your systems. It is available to them, but when we keep making low-hanging fruit available, or making Amazon S3 buckets publicly available, they don’t need to go to that effort,” he said.
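The publicly readable S3 bucket Lewis mentions is the kind of low-hanging fruit that can be found by inspecting configuration rather than waiting for an attacker to do so. The block below is an added example written for this article, not code from his talk or from Duo: it evaluates a bucket's ACL, bucket policy and Block Public Access settings, in the shapes boto3 returns them, and reports whether the bucket is effectively public. The sample configuration is constructed inline and nothing here calls AWS, so it runs offline against exported settings.

```python
"""Flag S3 buckets whose ACL or bucket policy makes them readable by anyone.

Added illustration written for this article; it is not code from Lewis's talk
or from Duo. The inputs are constructed dicts in the shape returned by boto3's
get_bucket_acl, get_bucket_policy and get_public_access_block; nothing here
calls AWS, so the check runs offline against exported configuration.
"""
from __future__ import annotations

import json

# Group grantees that make an ACL public. AuthenticatedUsers means *any* AWS
# account, which is public for practical purposes.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_findings(acl: dict) -> list[str]:
    """One finding per grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            out.append(f"ACL grants {grant.get('Permission')} to {group}")
    return out


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json: str) -> list[str]:
    """Allow statements with a wildcard principal. Unconditional ones are
    reported as open; conditional ones are marked for review, because some
    conditions (e.g. aws:SourceVpce) close the door and others do not."""
    out = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            out.append(f"review: policy {sid} allows {', '.join(actions)} to anyone, with Condition")
        else:
            out.append(f"policy {sid} allows {', '.join(actions)} to anyone")
    return out


def assess_bucket(name: str, acl: dict, policy_json: str | None,
                  public_access_block: dict | None) -> dict:
    """Combine the three controls. Block Public Access neutralises public ACLs
    (IgnorePublicAcls) and public policies (RestrictPublicBuckets), so a
    finding is only 'effective' when the matching setting is off."""
    pab = public_access_block or {}
    acl_f = acl_findings(acl)
    pol_f = policy_findings(policy_json) if policy_json else []
    effective = []
    if not pab.get("IgnorePublicAcls", False):
        effective += acl_f
    if not pab.get("RestrictPublicBuckets", False):
        effective += [f for f in pol_f if not f.startswith("review:")]
    return {"bucket": name, "public": bool(effective),
            "findings": acl_f + pol_f, "effective": effective}


def demo() -> dict[str, dict]:
    """Constructed sample configuration for three bucket states."""
    owner = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}  # placeholder owner id
    open_acl = {"Grants": [
        {"Grantee": owner, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]}
    private_acl = {"Grants": [{"Grantee": owner, "Permission": "FULL_CONTROL"}]}
    open_policy = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
    block_all = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    return {
        "backups_open": assess_bucket("example-backups", open_acl, open_policy, None),
        "backups_blocked": assess_bucket("example-backups", open_acl, open_policy, block_all),
        "assets_private": assess_bucket("example-assets", private_acl, None, None),
    }


if __name__ == "__main__":
    for result in demo().values():
        status = "PUBLIC" if result["public"] else "ok"
        print(f"{result['bucket']:20s} {status:7s} {'; '.join(result['effective'])}")
```

The check reports both what is configured and what is effective: the same open ACL and policy on `example-backups` are public without Block Public Access and neutralised with it, which is also why the account-level Block Public Access setting is worth turning on before anyone audits individual buckets.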
Lewis explained that many of the attacks security teams investigate turn out to exploit vulnerabilities that had been known about for years. “If we’re going to make it this easy for attackers, they’re not going to drop a zero-day vulnerability,” Lewis said.
Organisations need to realise that usernames and passwords have a monetary value for criminals and protect them accordingly. To illustrate his point, Lewis showed the growth in data breaches over the past two years, as visualised on informationisbeautiful.net.
He urged security professionals to build a risk register and to catalogue weak points in their organisation, along with a plan to address them. “How many times do we worry about the zero-day exploit and miss the Oracle patch from three years ago? Attackers are going to keep coming until we change the way we do things,” he said.
Lewis’ point was echoed in a talk from Eoin Keary, CEO of Edgescan, a managed web-vulnerability and threat-detection service. Referring to recent security incidents at BA and Ticketmaster, attributed to the so-called hacking group Magecart, he said: “Most news-grabbing attacks on companies are pretty simple.”
Like Lewis, Keary urged the audience to see their systems as assets to be protected. “A lot of companies don’t know what they have, or what they need to secure. You can’t even start on the path of improving security if you can’t measure that,” he said. Protecting critical systems, applications and data, he added, is not a one-off exercise but an ongoing process. “Try to have a full-stack view of your assets on a continuous basis, rather than a pen test on an app.”
In this vein, Keary also referred to the drive in the industry towards DevSecOps as a way of building in better security from the start of the development process, and ensuring those checks are ongoing throughout the process as code is continuously deployed. He said the DevSecOps approach has the potential to identify vulnerabilities more frequently by using automation, although he cautioned that tools alone won’t fix the problem of insecure code.
Checking a system at one point in time might get a security team on the right side of a compliance audit, but it’s no guarantee of protection. “Even if you stay still and don’t change your code, tomorrow some vulnerability is discovered and you’ll be at risk,” Keary said. “The goalposts and the ground beneath you keep moving. We’re in an era of constant change, of constant deployment. Change gives way to risk, and risk gives rise to breach.”
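Keary's two points, that you cannot secure what you have not inventoried and that an unchanged system becomes at risk the day a new vulnerability is published, fit together in one routine. The block below is an added example written for this article, not Edgescan code: it diffs two inventory snapshots to surface assets that appeared, vanished or changed, then re-checks today's assets against advisories published since yesterday. The snapshots and the advisory feed are constructed inline; the product names and advisory id are placeholders, not real software or real vulnerabilities.

```python
"""Continuous asset view: diff two inventory snapshots, then re-check the
assets that did not change against the advisories published since.

Added illustration written for this article; it is not Edgescan code. The
snapshots and the advisory feed are constructed inline; product names and
advisory ids are placeholders, not real software or real vulnerabilities.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str


def version_tuple(v: str) -> tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10), so comparisons are numeric rather than lexical."""
    return tuple(int(p) for p in v.split("."))


def diff_snapshots(before: list[Service], after: list[Service]) -> dict[str, list]:
    """Keyed on (host, port): what appeared, what vanished, what changed product or version."""
    b = {(s.host, s.port): s for s in before}
    a = {(s.host, s.port): s for s in after}
    by_addr = lambda s: (s.host, s.port)
    return {
        "new": sorted((a[k] for k in a.keys() - b.keys()), key=by_addr),
        "gone": sorted((b[k] for k in b.keys() - a.keys()), key=by_addr),
        "changed": sorted(((b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
                          key=lambda pair: by_addr(pair[0])),
    }


def match_advisories(services: list[Service], advisories: list[dict]) -> list[tuple[Service, str]]:
    """An advisory is {'id', 'product', 'fixed_in'}; any version below fixed_in is affected."""
    hits = []
    for s in services:
        for adv in advisories:
            if s.product == adv["product"] and version_tuple(s.version) < version_tuple(adv["fixed_in"]):
                hits.append((s, adv["id"]))
    return hits


def demo() -> dict:
    """Yesterday's and today's snapshots, plus one advisory published overnight."""
    yesterday = [
        Service("web1", 443, "acme-httpd", "2.4.1"),
        Service("db1", 5432, "acme-db", "11.2"),
    ]
    today = [
        Service("web1", 443, "acme-httpd", "2.4.1"),   # unchanged
        Service("db1", 5432, "acme-db", "11.3"),       # patched
        Service("jump1", 22, "acme-ssh", "7.9"),       # new, and nobody told security
    ]
    advisories_today = [
        {"id": "ADV-EXAMPLE-001", "product": "acme-httpd", "fixed_in": "2.4.2"},
    ]
    delta = diff_snapshots(yesterday, today)
    return {
        "new": [(s.host, s.port) for s in delta["new"]],
        "gone": [(s.host, s.port) for s in delta["gone"]],
        "changed": [(old.host, old.version, new.version) for old, new in delta["changed"]],
        # the point of the talk: web1 did not change, yet it is now at risk
        "at_risk": [(s.host, adv) for s, adv in match_advisories(today, advisories_today)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:9s} {value}")
```

Run daily, the diff catches the host that appeared without anyone telling security, and the advisory match catches the web server that nobody touched but which is now exposed; neither would show up in a point-in-time pen test of a single application.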
In the afternoon keynote, Secure Mentem president Ira Winkler developed the theme of security that changes and adapts. One of the world’s most influential security professionals, Winkler calls this approach ‘advanced persistent security’. Rather than working from a premise of keeping malicious attackers out, Winkler believes security teams should start by ‘assuming failure.’ “Everybody who’s an attacker who’s good assumes failure,” he said. “They never assume they’re going to get in on the first try. They’re always on the lookout for the next step they have to take.”
The purpose of a security programme is not to stop bad guys getting in; it’s to stop them from getting out with valuable data and achieving their goal. “Design a programme that expects failure. Design a programme that expects the bad guys will get on your network. Put proactive measures in place to detect when they get in and then react appropriately.” In a line that summed up much of the lessons for security and IT professionals from the conference, Winkler said: “Good security is about protection, detection and reaction.”
This is the 10th successive year that IRISSCON has taken place, making it the longest running conference of its type in Ireland. IRISSCERT, the group that runs the conference, was Ireland’s first computer emergency response team, operating on a voluntary, non-profit basis. Brian Honan, an information security consultant who set up IRISSCERT in 2008, drew parallels between the cybersecurity landscape then and now, reflecting the extent to which security has become more prominent in the intervening era. “There were 448 security incidents reported to IRISSCERT in 2008. This year, the figure is close to 30,000,” he said.
According to recent data from the European Commission, 80% of European companies experienced at least one cybersecurity incident last year. Security incidents across all industries rose by 38% – the biggest increase in the past 12 years. In some EU member states, it’s estimated that 50% of all crimes committed are cybercrimes.
Illustrations by Kseniya Forbender