IBM recently published its “Security Services Cyber Security Intelligence Index” report, an analysis of cyber security attack and incident data from its worldwide security operations. I had an opportunity to connect with Nick Bradley, Practice Lead, Threat Intelligence and Analysis, Office of Special Security Intelligence Development (OSSID) for IBM global security operations, to discuss the report. Highlights from our conversation follow.
QUESTION: From an overall security standpoint, do you think companies would be better off in the long run by moving to a thin client environment? Would this eliminate some of the risks facing companies today?
NICK BRADLEY: I think the answer to that question is highly dependent on the environment. There are many benefits as well as drawbacks to running a thin client environment. IBM, for example, has many who are part of the mobile workforce – and this does not work very well with the thin client architecture. However, in a security operations center where data and work are all required to be done within the secure environment, the thin client could be a highly viable option. As with any technology, it has its strengths and weaknesses and is highly situational. There is no silver bullet solution. Every organization must make decisions that best secure its environment while attempting to minimize how the productivity of its employees is affected.
QUESTION: With the Internet of Things (IoT) in the pipeline, companies of all sizes are bombarded by devices attaching to their networks. We have already seen breaches through IP cameras used for company surveillance. Many devices are coming to market with weak security, so how well will we be able to protect large networks as the devices enter the network environment?
NICK BRADLEY: While this may seem like a new threat or risk, that’s not the case. As new technology enters cyberspace, the possibility of new vulnerabilities, new risks, and new ways to exploit them will always accompany it. Think about vulnerabilities that were exploited through network printers many years ago. According to our X-Force trend and risk report, we are seeing an increase in mobile vulnerability disclosures. An interesting fact, though, is that many of the vulnerabilities affecting mobile platforms originate in components that are used in both mobile and desktop software. X-Force recommends Android users check to see if a firmware update is available and consider upgrading. CISOs should also review their bring your own device (BYOD) security policies and their risk assessment of which devices and device profiles are allowed access. While it can be a Herculean effort, organizations should conduct regular penetration tests and assessments of their environments, including any new tech being allowed access to their networks.
QUESTION: Since both personal and corporate email are being pushed to personal devices, it’s important to note that these devices do not usually have malware protection and can become attack vectors. As a result, how is BYOD affecting overall security strategies in large corporations?
NICK BRADLEY: While it is not a good practice to mix your personal email with your corporate email, it is something that we all know can be difficult to control and creates a serious risk for data leakage. There is, however, software as well as services that can help mitigate this risk. In the end though, this is one of those cases where everything that was old is new again. Do not open email or attachments that are from unknown senders. Install an approved security software package on your mobile device. Do not conduct work on open untrusted Wi-Fi connections. The risks here are much the same as those we face with a mobile workforce using a laptop. BYOD is here to stay – and unless a company is going to ban it, then strong security practices, policies, and user education are all extremely important.
QUESTION: Do you think air-gapping would be effective to protect critical assets, or the “Family Jewels” as you refer to them? Would that technique be worth the time and effort to protect high-value critical assets, such as intellectual property and financial data?
NICK BRADLEY: While air-gapping is an extremely strong network segmentation technique, it is also highly situation dependent. If there is no need to ever work with the “Family Jewels” outside of that controlled environment, then by all means it is probably one of the most secure practices that can be used. At the end of the day, you can either use this technique or you cannot.
QUESTION: Many global corporations have a decentralized management structure, and as a result, have a hard time with network access control – recall the Edward Snowden incident. Since each location can – and most likely does – have different rules, procedures, and compliance requirements, how can you keep incidents from happening that could damage a company’s global reputation?
NICK BRADLEY: By having strong and constantly updated security practices, policies, and procedures, risks can be minimized. While technology does exist that can assist in this area, some very common but good security practices can be crucial to minimizing risk, such as network segmentation, the principle of least privilege, security clearances for employees where required, etc. As the scope and frequency of data breaches continue on an upward trajectory, a return to basic security fundamentals is essential.
QUESTION: Company-wide security training requires support from ALL members of the management team. Over time, training gets pushed to the side – or the bottom of the priority list – if no significant data breach occurs. So how do you recommend that companies keep security training at the top of the priority list on a regular basis?
NICK BRADLEY: This is an area that a company should not let falter. Develop a plan and maintain it. This is by no means easy and at times can be rather expensive, but the cost of not maintaining security training can be MUCH higher. This should be maintained with the same level of importance as an emergency response plan or disaster recovery/business continuity plan. Do not allow this to get pushed to the side or to the bottom of the priority list. Make it a mandated requirement and hold management to it. Embedding other processes, such as cyber exercises, can not only help here but also bolster interest and support. Additionally, utilizing new technology or software to deliver awareness, such as online training and testing, can be extremely helpful.
“In the end, success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures need to become second nature, much like locking the door behind you when you leave home.”
To learn more, follow on Twitter: @ibmSecurity
Image Credit: Stuart Miles via FreeDigitalPhotos.net.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.