Bad news: your network has been breached. That was the finding of a recent report shared by YoKo Acc, in which every single corporate network analyzed showed evidence of intrusion. The report should be a wake-up call for security professionals who believe their corporate network is a locked-down environment. Faced with a vast number of compromised credentials for sale online and an endless array of targeted phishing schemes, information security professionals should not stack all their chips on keeping attackers out of the network. In other words, security strategy should assume that attackers have already gained entry to the network.
— YK (@YoKoAcc) July 1, 2015
The good news for companies is that most of these threats were not yet advanced.
Rob Roy of HP Enterprise Public Sector shared a helpful guide to the steps of a successful cyber attack. Mapping these stages back to the report data, only three percent of attacks are in the exfiltration phase, but this phase is also the most dangerous. This data speaks to the trend in security postures towards agility and rapid remediation. If hackers have already entered most corporate networks, security teams need to be able to detect data on the way out. Once an exfiltration channel is established, it can remain open for a lengthy period of time, which is reflected in step five, sustainment. Targeting these two steps gives information security teams hope for limiting the damage of an attack.
The Seven Steps of a Successful Cyber Attack http://t.co/Wo7cKumELa
— Rob Roy (@rrinva) June 27, 2015
Many of the compromised credentials available on the darknet come from breaches at consumer applications or websites. At face value, these credentials may not be a threat to enterprises, but employees who do not know any better may use the same password for personal and business accounts. Similarly, employees without cybersecurity knowledge may not think twice about entering their information in response to a phishing attempt. A challenge for CISOs is to make security relevant and easy for employees who do not have expert security knowledge. Jeremy Richard of ACTICALL Group shared an article on leveraging research from behavioral science to improve security awareness campaigns. A few tips include involving other departments such as human resources and marketing, quantifying the risks employees currently pose in order to guide and justify investment, and making your goals long-term and sustainable.
Improving Your Security Awareness Campaigns With Behavioral Science https://t.co/ITIbJmK85k
— Jeremy Richard (@jeremy_richard) June 27, 2015
To fully take advantage of the advice in the aforementioned article, a CISO needs to have pull outside of the security department. Part of the information security challenge is organizational, argues an article shared by LähiTapiola CISO Leo Niemelä. Although many CIOs believe the CISO should remain internal within IT, the role of protecting sensitive data goes beyond software and hardware. Education and training programs require buy-in from other departments. Broad organizational influence is necessary for CISOs in summoning all hands on deck against cyber threats.
— Leo Niemelä (@leoniemela) June 28, 2015
One of the best ways for a CISO to build influence outside of the IT department is to argue his or her case in front of the board of directors. Boards are under pressure to address information security with a hands-on approach after recent blockbuster breaches. Dr. John Johnson, an information security professional at a manufacturing company, shared an article on how CISOs can best educate the board of directors. The first step for CISOs is to learn the language of business; security frameworks and technical standards will not resonate with board members. They can also employ metrics like peer comparisons and maturity assessments to answer the impossible yet inevitable query, “How secure are we?” Finally, make sure to use real-world examples – of which there are many – when illustrating cyber threats.
It's our job as security professionals to help educate the board on IT security risks to make informed decisions. http://t.co/jiYIeZF6dY
— Dr. John D. Johnson (@johndjohnson) July 1, 2015