In his keynote presentation at (ISC)2 Congress EMEA in Dublin, Ireland, Brian Honan took the audience on a journey through the security basics needed to stay secure in an insecure world.
With the total global impact of cybercrime exceeding the drug trade at an estimated $3 trillion, and critical systems failure now one of the 21st century's most critical threats, the security industry needs to keep up with the rapidly evolving pace of the digital world, Honan told the audience.
Whilst traditional perimeter defenses are very good security against traditional weapons and attacks, they won't succeed against 21st century threats, which Honan declared to be "our users."
Criminals aren’t attacking systems and applications, Honan said, “they’re attacking the people using the systems and the applications. They’re leveraging your staff on the inside.
“Forget the teenager in a hoody in the basement that the media portray, and start to think about the insider threat – our very own people. There’s the malicious insider, the ‘accidental tourist’ who is manipulated by the criminals, and there’s also the diligent worker who knowingly bypasses security in order to increase productivity and do their job.”
With people and with security defense, there is always a weak spot, said Honan. Using a raw egg to demonstrate his point, Honan squeezed the top and bottom of the egg as hard as possible, and the egg stayed intact. “You can apply as much pressure as you can to those points, and it won’t break. However, just one small tap in the right area,” he said, cracking the egg on the side of a bowl, “will break the egg.”
To be as secure as possible in an insecure world, Honan gave the audience the following advice:
- Read your company’s business plan: “You need to understand the business and the way your colleagues work. You can’t dictate ‘thou shall not’ from your ivory tower. Take the sales guy out for lunch and ask him what his technical challenges are, and understand what affects his job. A sandwich and a cup of coffee can go a long way”.
- Understand your organization’s key assets: “It’s crucial that you understand the assets and the value they hold to the business.”
- Do a risk assessment: "Establish effective policies on the back of the risk assessment, and keep them updated. A recent client of ours mentioned floppy disks in their policy. Constantly review and update your security policy."
- Encrypt your data: “There is no excuse these days to not encrypt. The cost of the data entrusted to you by your clients is worth more than the cost of encryption.”
- Invest in identity management: “Use ID and asset management solutions that allow you to control all the identities of your staff across all of your systems.”
- Set strong passwords: “Don’t change them regularly, just choose one good, strong password.”
- Carry out security awareness training: “Make sure your staff understand why security is in place, and why it’s important. Teach them that brakes in a car make the car go faster – and good security makes the business go faster too. Security isn’t there to slow us down, it’s there to enable us, and your staff should understand that.”
- Patch your systems: “The most common reasons we see for security incidents and breaches are unpatched systems, bad passwords, and a lack of monitoring. Keep your AV up to date, too, because from a basic hygiene point of view, it’s crucial.”
- Monitor and respond: Monitor and respond to your detection systems, and have mature and effective response plans in place, with contributions from legal and PR experts amongst others. Breaches will happen, so be prepared.
- Share information: “Wouldn’t it be great if we all knew how Yahoo had been hacked and we could share that information, helping to protect against future attacks?”
Bio: Brian is recognized internationally as an expert in the field of information security and has worked with numerous companies in the private sector and with government departments, in Ireland, Europe and throughout the United Kingdom. Brian has also provided advice to the European Commission on matters relating to information security. He is also on the advisory board for a number of innovative information security companies.