Category: Cyber Security

Introduction

I am a staunch advocate of the consideration of human behavior in cybersecurity threat mitigation. The discipline of behavioral ecology is a good place to start. This subset of evolutionary biology observes how individuals and groups react to given environmental conditions — including the interplay between people and an environment.

The digital world is also a type of environment that we have all ended up playing in as computing and digital transactions become ever-present in our lives. By understanding this “digital theater,” we can determine a best-fit strategy to produce an effective cybersecurity play that optimizes security budgets.

Why having an effective strategy is important

I’ll offer up an example from nature to show the importance of an effective strategy. You may read this and wonder what it has to do with cybersecurity, but bear with me.

Starlings feed their chicks with leatherjackets and other insect larvae. During nesting season, the starlings work hard finding food and relaying it back and forth to the nest of chicks. If you’ve ever observed any bird during this season, you might have noticed by the end of it, they have lost feathers and look pretty beat up. But the sacrifice is important: effective feeding of chicks will produce fledglings that then go on to reproduce. Reproduction is seen as a success in evolutionary terms.

However, starlings are capable of carrying more than one leatherjacket in their beak. The more they can carry, the fewer trips they need to make. Fewer trips mean the parent starling is less likely to fall foul of bad health or predators. However, there is a tradeoff. To find the leatherjackets, the starling has to forage. Too many leatherjackets in the beak and it becomes harder to forage. The optimum number of leatherjackets is a trade-off between the number of trips and foraging efficiency.

Any strategy that plays out in the real world is a balance: a trade-off between what seems to be optimal and what is strategically efficient. The starling could try to cram lots of larvae into its beak and this might seem to be a show of capability and a great strategy, but in the end, it would just be a piece of theater.

In evolutionary biology, this balance is known as an Evolutionary Stable Strategy, or ESS. In nature, this would be a strategy that confers “fitness” so an organism can reproduce at an optimal rate. The concept behind an ESS also applies in cybersecurity, where fitness is also about finding a best-fit strategy for a given environment.

Security, like feeding chicks, is about knowing how to use the right tools for the job in an optimal manner and not just for show. This creates a fine balance that can help optimize a security budget.

Security and trade-offs: A complex equation

Enough of the biology lesson! Back to cybersecurity. The security industry, like most industries, has a culture. This culture has informants, people in your company who influence decisions and people outside such as vendors who sell security products. The result can be an overwhelming cascade of information. This can lead to decisions that are based on less-than-optimal input.

Back in 2008, security man extraordinaire Bruce Schneier wrote a treatise entitled “The Psychology of Security”. In this, Bruce talks about how security is a tradeoff. He goes on to explain how these trade-offs, which often come down to finding a balance between cost and outcome, are actually much more nuanced. Bruce says that asking “Is this effective against the threat?” is the wrong question to ask. Instead, you should ask “Is it a good trade-off?”

Security teams can be put under enormous pressure to “do the right thing.” An example is the recent ransomware attack on Garmin. If you are being effectively held hostage by malicious software that prevents your business from running, you have to do something and quickly. Garmin is reported to have paid the ransom of $10 million.

But was this a shrewd move? Was the trade-off between business disruption and hope of a decryption key a balanced one? When making that decision, there are multiple considerations. Can the company offset the cost of the ransomware? Will the decryption key end the attack or have the hackers installed other malware into the company’s IT system?

Security systems, like biological ones, are reliant on making good trade-off decisions to move the needle of security towards your company’s safety.

Back to basics to optimize security trade-offs

Security can be a costly business. Solutions, services and platforms all need to be costed and maintenance and upgrades factored in. And the choice is astounding. In terms of just startups in the cybersecurity sector, there were around 21,729 at last count. The amount of spending on cloud security tools alone is expected to be around $12.6 billion by 2023.

Getting the balance right is important. An organization must cut through the trees to see the wood. In doing so, the balance of financial burden against cyber-threat mitigation can be made.

Going back to basics is the starting point. There is little point in putting on a security show with the latest in machine learning-based tech if you misconfigure a crucial element so the data becomes worthless. At this point in history, machines are nothing without their human operators. We have to get back to basics, build a strong strategy and culture of security before layering on the technology.

The basics, human factors and a great security ESS

Weaving this together we can ensure optimization of a security budget through an awareness of strategic security considerations, e.g.:

The basics

The fundamentals of security are covered by several frameworks and general knowledge of Operations Security (OPSEC). Frameworks such as Center for Internet Security (CIS) and NIST-CSF set out basics for a robust cybersecurity approach. These include knowing what assets (both digital and physical) you have and how to control access.

The human factors

Cybercriminals place a focus on using humans to perpetrate a cyberattack. This is inherent in the popular tactics of social engineering, phishing and other human-activated cybercrimes. Employees, non-employees (e.g., contractors), supply chain members and so on all need to be evaluated for risk. Mitigation of the risk levels can be alleviated using several techniques:

• Security awareness training for all: Teaching the fundamentals of security is an essential tool in a cybersecurity landscape that focuses on human touchpoints. But security awareness needs to be performed effectively. Some training sessions feel more like those old-school lessons that ended up with snoozing students. Modern security awareness is engaging, interactive and often gamified.
• The issue of misconfiguration: It isn’t just employees clicking on a malicious link in a phishing email that is cause for concern. Loss of data due to misconfiguration of IT components cost companies around $5 trillion in 2018 – 2019. Security awareness training needs to extend to system administrators and others who take care of databases, web servers and so on.
• Patch management. Like misconfiguration, ensuring that IT systems are up to date can be the difference between exposed data and safe data. This process has been complicated by the increase in home working. But this fundamental piece of security hygiene is as vital as it ever was.

Never trust, always verify

The concept of zero-trust security has highlighted the importance of robust identity and access management (IAM). The idea behind this tactic is to always check the identity of any individual or device attempting to access corporate resources. Zero trust defines an architecture that puts data as a central commodity and trust as a rule to determine access rights..[…] Read more »….

In diverse industries, video analytics help security to get a clearer view.

As a rule, there is a lot that video analytics can do to bolster security – whether that’s motion detection for perimeter security; facial recognition for access control; or artificial intelligence (AI) for object classification, to name a few of the possibilities.

As we consider the promise of video analytics in seven key sectors, a common theme emerges. Analytics don’t just enhance the security mission, acting as a force multiplier and driving new levels of awareness and insight. They also boost the position of the security professional, enabling security to leverage its investment in video as a means to drive new levels of efficiency across all levels of the operation.

K-12 Schools

In a K-12 school, where a security officer may need to watch over a large and complex facility, analytics and AI can expand that guard’s reach. “There is the security component from something simple: Was a child left on the playground when everyone returned from recess?” says Forrester Senior Analyst Nick Barber. “AI could be trained to tell the difference between a child and an adult, so that it isn’t falsely triggered if there is a teacher on the playground versus a student.”

“Or, is there an active shooter on campus and should 911 be contacted?” Barber says. AI, as applied to video, could be trained to recognize what a gun looks or sounds like and could automatically alert authorities, while simultaneously relaying the related video. Analytics could support simpler tasks as well, such as taking attendance as students enter the school or classroom.

Universities

The security challenge for universities and college campuses rests with sheer acreage. Universities may have a large security footprint, with their own police departments supported by cameras and a monitoring center. But they also have a lot of ground to cover. Analytics can provide a force multiplier.

Facial recognition, for instance, can offer a ‘be on the lookout’ mechanism to help security identify persons of interest. “If there’s a stalker, the analytics can pick up on those individuals,” says Scott Vogel, CEO of Incyte Security, a data analytics consultancy. Geofencing and other analytic tools can likewise help secure a sprawling perimeter. “You may have people hopping the fence at night to avoid the security gate, and analytics can provide a virtual barrier.”

Healthcare

In the healthcare environment, video is of greatest use in helping to secure entry and exit points, whether that is aimed at keeping unwanted individuals out of an emergency-care situation, or at keeping dementia patients in and on-premise at a senior care facility. “Analytics solutions can alert operators when people either enter or exit secure areas without proper identification procedures, such as swiping a badge, or they can utilize some facial recognition features to be sure that the person on camera who has earned entrance to a secure area is the person they are claiming to be,” says Danielle VanZandt, industry analyst for security, aerospace, defense and security at Frost & Sullivan.

Analytics can also be used to identify potential threats that might otherwise be overlooked by security personnel. Left objects or ‘loitering’ analytics will aid hospital security teams to identify either suspicious packages or behaviors, particularly if these alerts are generated in areas that should not have significant amounts of foot-traffic.

Cannabis

Video analytics can help cannabis growers to identify possible threats to the safety of their crop, says Ryan Douglas, founder of consulting firm Ryan Douglas Cultivation LLC. “High-tech greenhouses install mobile cameras that constantly run along tracks mounted to the ceiling. Analyzing this video can help with the early identification of pest or disease outbreaks, nutritional deficiencies and undesirable growth patterns before they negatively affect a crop,” Douglas says. It’s a way for security to leverage its video investment in support of enhanced operational efficiency.

Security could also utilize analytics to help ensure cannabis retailers comply with regulations, if, for instance, the system was programmed to monitor quantities of product changing hands at the point of sale. “It could ensure that during the purchase transaction, buyers don’t exceed the amount of product that they are legally allowed to purchase,” Barber says.

At grow sites, analytics can also be applied to remote video surveillance systems to help secure the perimeter.  Motion-detection capabilities and geofencing can likewise be leveraged to extend the eyes of the security force over the growing and production operations.

Property Management

For security on a commercial property, video alone can’t cover all the bases. Property management requires a combination of broad vision and deep insights. Beyond mere images, analytics can deliver the intelligence to help security professionals make best use of their time and cover ground more effectively.

“You might have teenagers climbing on the roof of the building. Beyond the general liability problem, they are damaging the roof,” Vogel says. “With analytics, you can identify the places where people go up on that roof and notify security. Within seconds you get notification and hopefully can deter that incident.”

Analytics can detect patterns of behavior, noting when a parking lot is filling up. This helps to ensure adequate security coverage when and where it is needed. Video analytic tools can help security to deter theft from commercial properties, by highlighting common traffic-flow patterns and sending out a notification to security officers when those patterns are disrupted. This helps security to see when products may potentially be walking out the back door and, with the help of automated notifications, to respond in real time.

Critical Infrastructure

Consider all the luminous dials in a hydroelectric plant or an oil refinery: Constant reminders that pressure and temperature are key determinants of safety. Security personnel can use analytics to monitor a vast array of analog sensors more effectively and in real time. Point a camera at an analog gauge, program the analytics to watch for threshold levels, “and an alert can get triggered if the pressure rises above a certain point as seen on the dial,” Barber says.

Video can also be used to understand how specific elements of the facility are operating and can signal when key components need replacement. Security thus pushes critical infrastructure closer to an IoT-enabled enterprise, Barber says.

Security personnel also are charged with tracking workers, vendors and others who  at critical infrastructure facilities. Video analytics capabilities, when paired with surveillance systems that provide facial recognition, will help critical infrastructure to improve access control, maintain security logs for entry and exits in specialized areas and better manage visitors or contractors, VanZandt says.

Manufacturing

Access control is a key issue in manufacturing, with security tasked to ensure that only the right people can get to certain places, especially sensitive production areas and inventory stores..[…] Read more »….

As the proliferation of digital technologies continues, cybersecurity’s importance will only increase – there’s a direct correlation between our use of devices and the deployment of digital technologies and the need for improved security.

This increased need for cybersecurity translates directly to the need for cybersecurity-focused professionals, as numerous reports over the past few years have highlighted that several million positions will need to be filled in the not-too-distant future.

To more effectively bridge the cybersecurity job gap, we should look towards a particularly underrepresented group in STEM – young women and girls.

The Cybersecurity Pros of Tomorrow

Today’s youth are the most digital native generation in the history of humanity. However, despite this, younger individuals comprise one of the most vulnerable demographics of users due to their practices, such as having a tendency to be freer in terms of what they share about themselves with strangers, making them prime targets for criminals to attempt to exploit.

Engaging young women and girls in cybersecurity-focused disciplines not only serves address this problem directly by helping educate them to enable them to protect themselves, but it also presents an opportunity to harness their experiences and unique perspectives to understand possible scenarios criminals are capitalizing on. It’s this diversity of thought that will help us as a means of deterring bad actors by anticipating their behavior and by placing individuals who have had relevant personal experiences with bad actors in positions to protect other individuals from future attacks.

Beyond this, women and young girls are predominantly attracted to disciplines that help people and our society.

By educating this demographic on how cyberattacks can cause harm, educators will be able to more effectively encourage young women and girls to envision themselves as protectors and enlist them to become cybersecurity superheroes.

By seeing the immediate impact they and their peers can have on the world and other individuals by using security technology, more young women girls will want to pursue careers in these areas – and, in turn, these individuals have the capacity to wind up as future advocates for additional diversity and inclusion in STEM, having had positive experiences in relevant fields themselves.

The Keys to Engagement

To better engage young women and girls in STEM to bridge the job gap in cybersecurity, educators should utilize the following strategies:

• Find new and unique ways of connecting students to the larger societal issues they care about. More specifically, make a concerted effort to continuously stress the impact young women and girls can have on issues that they’re personally invested in by using and developing security-focused technologies.
• Explore topics from students’ perspectives as opposed to introducing and approaching problems from a theoretical bottom-up approach, which can be confusing – this approach will enable educators to better engage students, resulting in a deeper understanding of technological concepts that might be otherwise hard to gras..[…] Read more »….

Understanding an organization’s security posture will help to create a clear and present representation of what the cybersecurity capabilities of your organization are. Any information security program is evaluated on the integrity, availability, and confidentiality of the data within a designated secured environment. Several indicators can help to gauge where your organization belongs within the risk management structure, which can help to identify your organization’s security posture and what security challenges the business must confront.

Many cybersecurity information risk management programs suggest businesses should adopt the InfoSec security standards and implement cybersecurity as a key driver of business decision making. The scope of InfoSec is wide-ranging, but the aim is to continuously improve your organization’s information security, year after year.

What exactly should you look for? What are the indicators that will help describe your organization’s security posture? The following information will help you determine what your new approach to cyber risk management should be.

Is there a set budget for infosec?

Understanding if there has been a budget allocated for information security helps to identify if an organization is serious about cybersecurity. In-house cybersecurity can work out to be incredibly expensive; hiring highly-skilled, ethical security personnel is not easy. SecOps engineers are highly sought-after personnel and salary expectations are usually very high. The purchasing of software licenses and security hardware appliances is another considerable cost to consider.

Many organizations realize that the OpEx costs can be high, and many choose to outsource to a reputable cybersecurity service provider who can call upon teams of SecOps architects, engineers, and consultants when needed to install, manage, and maintain any purchased security infrastructure service.

Companies need a pragmatic approach for monitoring and assessing their cybersecurity landscape, and a security program that delivers a return on the security investment (ROSI). Security expenditure needs to be justified by successfully completing external audits that validate security processes are in place, such as:

• Conducting external vulnerability scans
• Planning for disaster recovery & incident response tests
• Conducting phishing and social engineering tests
• Conducting external penetration testing

Without a realistic security budget, there is a significant risk that an organization may fall short on these scenarios. This can lead to significant gaps and weaknesses in your organization’s cybersecurity policy.

The frequency and sophistication of employee training

Cybersecurity training should be made available to all employees. This is a key area to look for, as training is absolutely essential. Cybersecurity is a highly technical industry where relevant, important security information needs to filter down to every single employee. Security training strengthens employee’s knowledge and understanding of cybersecurity risk management putting each employee in the best position to uphold your organization’s cybersecurity policy.

Collaborating with a skilled cybersecurity vendor will ensure training compliance and improve team understanding of the latest risks and trends in cybersecurity, as well as knowing what the best practices are to reduce the risk.

Cybersecurity training in many industries, such as the financial sector, is mandatory and enforceable by the regulator. There are huge benefits of having teams who are aware of the latest cybersecurity trends and able to spot phishing, scam phone calls, malware and virus attachments.

Technical red flags

You may be surprised by the number of issues that are discovered with organizations that are missing even the most basic technical safeguards to protect the integrity, availability, and confidentiality of data. Reviewing the results of your malware scans is not enough, businesses need to be proactive in providing the basic security requirements:

• Secure Networking – The network is the first line of defense in cybersecurity. Strong network authentication, encryption, restricting public internet traffic, and blocking common ports on the firewall are the first steps to improving security. Furthermore, network analysis and scanning using Intrusion prevention systems, content filters, email scanning tools, and isolating network assets should all be in place
• Asset Management – It is important to identify all pieces of equipment owned by the business. An asset list will catalog servers, laptops, tablets and any other infrastructure device. Good asset management reduces waste, capital expenditure and above all else acts as a baseline for the support teams who will know what equipment is available and where it is located.
• Patch Management – A regular patching schedule is the first step to securing software and operating systems. Vendors publish security patches that prevent exposure to the latest software vulnerabilities and exploits
• Passwords – Securing a network using unique and complex passwords that are enforced company-wide will help to provide an immediate level of protection. Taking this further and testing user accounts and system accounts for weaknesses using penetration testing software such as Nessus or Backtrack will proactively scan for weakness and non-compliance. Processes can be drawn up to harden password policies or maybe offer training to the worse offenders

There are many further technical safeguards that can be implemented, but these basic first steps will help to prevent misconfiguration and backdoors into your environment. Credible cybersecurity providers recommend an annual internal audit and roadmap check-up is performed. This process will review existing technical safeguards, identify weaknesses, and then suggest recommendations based on industry best practice, as well as a roadmap on the best way to implement the changes […] Read more »…

A PwC survey on corporate digital IQs found that there’s a disconnect between the skills and technologies that companies say matter most and what they’re investing in. With the rapid increase in emerging technologies disrupting every industry, enterprise leaders are feeling immense pressure to fill the resulting glaring void with employees who can pick up the skills necessary to implement this technology into everyday enterprise tasks. Aside from finding the right people, companies also need to ensure that proper training is in place. However, it’s no secret that a lack of engagement exists between employees and the less-than-awe-inspiring learning programs in use.

Just as I was finishing my tenure as the CSO of Dell, we introduced “Gamification” into our security and ethics training and noticed an uptick in the engagement it engendered amongst our millennials. Given what had been my 20-year “uphill” battle in the space of awareness training, this offered a welcomed glimmer of hope. Now add to that what augmented reality (AR) and virtual reality (VR) bring to the field and the prospects get even brighter.

When the phrases AR and VR started being tossed around, many of us could not even fathom how these technologies would impact our lives. Fast forward to today, and these technologies are right in the palms of our hands. AR and VR have opened new doors for innovation and created a more immersive user experience, especially for IT and security teams. While perhaps not the earliest adopters of these technologies, companies are beginning to use AR and VR to their advantage when it comes to providing cybersecurity training to their employees.

How exactly does AR training work? First, let’s break down what AR is in a broader sense. AR allows the user to see the real world with virtual objects superimposed or composited with their reality. Essentially, users can interact with on-screen digital objects within the scope of the physical world they see on a daily basis. Now imagine the use of AR in a corporate training environment. Not only does AR provide employees with a more interactive platform, but one that can be customized to accommodate unique learning needs.

For companies with a multigenerational workforce, this creates a profound opportunity to present their employees with training that is both more relevant and realistic. This is extremely valuable in high-touch industries like the cybersecurity sector, where the skills gap is already an area of concern. With AR, a new employee could be sitting at their desk and have a training system present various cyber threat scenarios through AR glasses, prompting them to identify the issue and solve the problem. It is interactive programs like this that will help employees remain more engaged in their training and generate better results overall.

And it doesn’t stop there. Companies like Inspired eLearning have made it their mission to provide training around security, cybersecurity and compliance with the help of VR. Called Security First Solutions, their product takes data from a multitude of tests and simulations to deliver an immersive training program on the latest and most popular cyber threats like phishing and SMiShing, all behind a VR headset. What’s more, immersive technology is also opening the eyes of young minds and showing them what a career in cybersecurity could entail […] Read more »….

.