LONDON, United Kingdom, May 12, 2015 – Another excellent morning discussion, this time hosted by our friends at Field Fisher.
The somewhat provocative title was immediately dismissed as last year’s news. As well as pegging the trendy buzzword of CyberSecurity to the more familiar and prosaic Information Security (InfoSec), the participants agreed that privacy and security are de facto non-existent in today’s world (“If the NSA can’t stop Snowden, what chance do the rest of us have?”); the issue, rather, is how to ensure that each piece of information is protected appropriately, according to its value.
Insider and external threats
The threats fall broadly into external and insider issues. External ‘hackers’ could be state-sponsored, terrorists, military, corporate or private. The total weight of resources at their disposal can outgun any company (but, it was pointed out, if “companies pooled their resources, they in turn would far outweigh the bad guys”). Internal threats come from disaffected employees, mistakes and accidents, and the continual changing of the IT infrastructure that requires the constant rebuilding of the ‘walls’ designed to keep intruders out, and inevitably introduces errors.
The discussion then moved on to topology. The perimeter approach was largely felt to be outmoded and ineffective, and there was some musing on deep packet inspection and on the general desire to throw ever faster hardware at the problem, a desire that will ultimately be thwarted by the huge amounts of data that can be thrown at a server in a DDoS attack, for example, and by the emergence of billions of new endpoints in an ‘Internet of Things’ future scenario. In fact, the problem in general can be characterized as a management issue rather than a purely technical one, and the C-suite needs to embrace the challenge, not palm it off on the CTO/CIO.
So, as an example, the perimeter approach can be replaced by a layered one. Layered not just in the sense of layers of security piled on top of each other, but also through separation: send and store data in separate ways, using different encryption, and split up sensitive information so that if one method is breached, the intruder does not have enough to do damage.
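The split-and-separate idea in the previous paragraph, as an added Python example (not from the discussion or from any vendor mentioned on this page): a record is split into two XOR shares destined for different stores, so either store alone yields only uniformly random bytes, and an integrity tag catches a share that was altered in one store. The names TAG_KEY, split_secret, combine_shares and demo are assumptions for the example.

```python
import os
import hmac
import hashlib

# Constructed demo key for the integrity tag. In practice this would live in
# a third place (an HSM or KMS), separate from both data stores.
TAG_KEY = b"demo-tag-key-not-for-production"


def split_secret(secret: bytes) -> tuple[bytes, bytes, bytes]:
    """Split `secret` into two shares plus an integrity tag.

    share_a is fresh random bytes and share_b = secret XOR share_a, so each
    share on its own is uniformly random: a breach of either store reveals
    nothing about the secret. The HMAC over both shares lets the reader
    detect a tampered or swapped share when recombining.
    """
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    tag = hmac.new(TAG_KEY, share_a + share_b, hashlib.sha256).digest()
    return share_a, share_b, tag


def combine_shares(share_a: bytes, share_b: bytes, tag: bytes) -> bytes:
    """Recombine the shares, refusing if either one has been altered."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    expected = hmac.new(TAG_KEY, share_a + share_b, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: a share was altered")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def demo() -> bool:
    """Walk through one split, one breach of a single store, one tamper."""
    # Constructed sample record; the two shares go to separate stores.
    record = b"account=EXAMPLE-1234;limit=5000"
    a, b, tag = split_secret(record)
    if combine_shares(a, b, tag) != record:
        return False
    # One store breached: the attacker holds only `a`, which is random bytes
    # independent of the record, so it cannot be read on its own.
    if a == record or b == record:
        return False
    # A share altered in one store is caught before any garbage is returned.
    tampered = bytes([a[0] ^ 0x01]) + a[1:]
    try:
        combine_shares(tampered, b, tag)
    except ValueError:
        return True
    return False
```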
Culture v. technology
As a counterpoint to the technological approach to Cyber Security, it was pointed out that building and maintaining the right culture within organizations was a more effective way to go. As well as eliminating insider threat, it allows companies to ensure that staff do the right thing when it comes to sharing data with each other and beyond (and, after all, companies want and need to share certain data with their customers, partners and others). Since every security system makes it harder for employees to do their jobs, they will “always look for ways to get around it, to make their lives easier”.
As alluded to above, senior management cannot delegate threat response to the IT department – it goes far beyond the technology alone: “If you make the tech geeks run security alone, you will fail”. And middle management must also buy in, for the culture of doing it right to spread effectively throughout the organization.
Of course, technology will improve (and can be adopted by both sides), but some interesting points were made about the IoT and how manufacturers are planning ‘SkyNet’-like ‘auto-immunity’ from viruses – multiple-layer architectures that can detect problems in previous levels, isolate and even solve them, as well as replicating the same concepts across devices, allowing breaches to be contained and eliminated. The concept of URL hopping was also discussed (Cloakware was given as an example), although it was also pointed out that smartphones constitute a huge and current threat that is still not adequately covered.
Porous, by design
Summarizing the discussion, the key points that came out were that security and privacy are never going to be complete or absolute in a world where companies need to share data beyond the firewall, but that there are technology-based ways of improving the odds (encryption and separation, for example) and that the right culture is every bit as important. Even disregarding IoT, there are plenty of unresolved areas to be addressed, such as mobile, and, as a whole, organizations could, if they wished, create much better outcomes by sharing data on techniques and attacks in the same way as the attackers already do.